Smooth2o: Infected with TDL4? or JS/IFrameref or Win32/winwebsee


This topic is locked
20 replies to this topic

#1 smooth2o (Members, 45 posts)
Posted 09 April 2012 - 03:00 PM

Ran MSE Quick Scan and found:
Trojan: JS/IframeRef detected.
Said removed and succeeded after removal

Ran MSE Quick Scan and found:
Rogue: Win32/winwebsee detected.
Said removed and succeeded after removal

Ran MSE Quick Scan and found:
No threats.


Before the current modifications of TSE it wasn't possible to run MSE. It appeared that infections were messing with MSE operation.

svchost.exe process keeps eating memory and is up to 1.4GB of 4GB total after about 1/2 hour of operation. At this point, the system becomes inoperative. I can get the system to be responsive only by deleting the svchost.exe process that is gaining so much memory. Nothing bad seems to happen when I do this except that the system becomes responsive again.

Also, the IE browser window I am working in seems to change unexpectedly. I'm not sure if this is a mouse problem or not. It is solved by reclicking in the window in which I was working.

System is very slow to bring up apps and IE. System is basically inoperative but getting a little better.

DDS file below and attach.txt and ark.txt files attached.

DDS.txt file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cewell at 15:19:36 on 2012-04-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1357 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\ssmsrvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\dellsm.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.anglersportgroup.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071017
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071017
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRun: [msdrm] msdrm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: orvis.com\supplierzone
Trusted Zone: orvis.com\test.supplierzone
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Letters%20from%20Nowhere%202/Images/stg_drm.ocx
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://downloads.freehandmusic.com/soleromusiccontrol.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Letters%20from%20Nowhere/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.16.2
TCP: Interfaces\{DBD71031-CF33-4EDF-B642-DA9B0027BE13} : DhcpNameServer = 192.168.16.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-1-17 64512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslab7a7087;MpKslab7a7087;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5457ce96-8a94-49db-aec6-04fa48b4e39d}\MpKslab7a7087.sys [2012-4-9 29904]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-9-12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-10-25 47640]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-9-12 13408]
RUnknown MpKsl105c1811;MpKsl105c1811; [x]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 Dell1110_FUService;Dell 1110 Status Monitor Service;"c:\program files\dell\dell laser printer 1110\localsm\ssmsrvc /service --> c:\program files\dell\dell laser printer 1110\localsm\ssmsrvc [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-4-5 50704]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-04-09 17:05:58 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5457ce96-8a94-49db-aec6-04fa48b4e39d}\MpKslab7a7087.sys
2012-04-09 16:36:53 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5457ce96-8a94-49db-aec6-04fa48b4e39d}\offreg.dll
2012-04-09 16:14:18 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5457ce96-8a94-49db-aec6-04fa48b4e39d}\MpKsl105c1811.sys
2012-04-09 12:48:04 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-04-09 12:45:05 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5457ce96-8a94-49db-aec6-04fa48b4e39d}\mpengine.dll
2012-04-05 16:43:36 -------- dc----w- c:\documents and settings\all users\application data\F4D55F3E000435DB0021E136D151FC4E
2012-04-05 16:12:45 -------- d-----w- c:\program files\ESET
2012-04-05 15:04:04 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-04-05 15:04:04 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-04-05 15:04:04 100880 ----a-w- c:\windows\system32\Packet.dll
2012-04-04 20:03:42 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-04 14:50:07 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-03 12:43:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 16:11:47 -------- dc----w- c:\documents and settings\cewell\local settings\application data\Threat Expert
2012-04-02 15:11:42 -------- d-----w- c:\program files\PC Tools
2012-04-02 15:04:05 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-04-02 15:04:01 -------- d-----w- c:\program files\common files\PC Tools
2012-04-02 15:03:06 -------- dc----w- c:\documents and settings\all users\application data\PC Tools
2012-04-02 15:03:03 -------- dc----w- c:\documents and settings\cewell\application data\TestApp
2012-03-28 18:01:51 -------- d-sh--w- C:\found.000
.
==================== Find3M ====================
.
2012-04-04 18:57:24 26112 ----a-w- c:\windows\system32\userinit.exe
2012-04-03 12:43:44 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-07 13:16:22 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 13:16:22 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 13:16:20 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-02-07 13:16:20 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-01-17 17:41:53 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-17 17:41:52 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89ED649F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89edd740]; MOV EAX, [0x89edd8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A589AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000067[0x8A5D1390]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A593D98]
\Driver\atapi[0x8A4CCB10] -> IRP_MJ_CREATE -> 0x89ED649F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89ED62C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:21:49.51 ===============


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto rico)

Posted 09 April 2012 - 11:32 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#3 smooth2o (Topic Starter, Members, 45 posts)

Posted 10 April 2012 - 03:20 PM

Hey Gringo! Thanks for taking this task. Much appreciated.

Prior to running the Combofix, I deleted various infection-finding apps:
Adaware
CCleaner
Eset Online Scanner
Malwarebytes
Spybot

And some of them could not be turned off as they were free versions.

Status after Combofix

Combofix said it found Rootkit.ZeroAccess infection.

svchost.exe process keeps eating memory and is up to 1.4GB of 4GB total after about 1/2 hour of operation. At this point, the system becomes inoperative. I can get the system to be responsive only by deleting the svchost.exe process that is gaining so much memory. Nothing bad seems to happen when I do this except that the system becomes responsive again.

System is very slow to bring up apps and IE. System is basically inoperative but getting a little better.

Also, I cannot connect to the network (intranet) although that may be not related. Internet is fine.

Have a great day.


Here is the Combofix log:
ComboFix 12-04-10.01 - cewell 04/10/2012 15:29:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1611 [GMT -4:00]
Running from: c:\documents and settings\cewell\Desktop\carlas trojan fixes\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Carla\WINDOWS
c:\documents and settings\cewell\Application Data\PriceGong
c:\documents and settings\cewell\Application Data\PriceGong\Data\1.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\a.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\b.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\c.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\d.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\e.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\f.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\g.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\h.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\i.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\J.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\k.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\l.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\m.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\n.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\o.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\p.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\q.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\r.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\s.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\t.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\u.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\v.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\w.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\x.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\y.xml
c:\documents and settings\cewell\Application Data\PriceGong\Data\z.xml
c:\documents and settings\cewell\WINDOWS
c:\windows\$NtUninstallKB31631$
c:\windows\$NtUninstallKB31631$\3393030721
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-10 17:22 . 2012-03-20 07:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{34839257-8589-48B3-B1D8-3B46C9FA22E8}\mpengine.dll
2012-04-09 12:48 . 2012-03-20 07:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-05 16:43 . 2012-04-09 16:55 -------- dc----w- c:\documents and settings\All Users\Application Data\F4D55F3E000435DB0021E136D151FC4E
2012-04-05 15:03 . 2012-04-05 15:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-04-04 20:03 . 2012-04-04 20:04 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-04 14:50 . 2012-04-04 14:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-03 12:43 . 2012-04-03 12:43 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 16:11 . 2012-04-02 16:11 -------- dc----w- c:\documents and settings\cewell\Local Settings\Application Data\Threat Expert
2012-04-02 15:11 . 2012-04-02 15:11 -------- d-----w- c:\program files\PC Tools
2012-04-02 15:04 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-04-02 15:04 . 2012-04-09 15:48 -------- d-----w- c:\program files\Common Files\PC Tools
2012-04-02 15:03 . 2012-04-09 15:45 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-02 15:03 . 2012-04-02 15:03 -------- dc----w- c:\documents and settings\cewell\Application Data\TestApp
2012-03-28 18:01 . 2012-03-28 18:01 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 18:57 . 2004-08-11 22:00 26112 ----a-w- c:\windows\system32\userinit.exe
2012-04-03 12:43 . 2011-10-06 13:06 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 14:18 . 2012-01-16 17:59 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-07 13:16 . 2007-10-25 19:40 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 13:16 . 2007-10-25 19:40 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 13:16 . 2007-10-25 19:40 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-07 13:16 . 2007-10-25 19:40 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-01-17 17:41 . 2012-01-17 17:41 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-13 14:41 . 2012-01-13 14:41 45056 -c--a-r- c:\documents and settings\cewell\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-07 13:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workstation Engine.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workstation Engine.lnk
backup=c:\windows\pss\Pervasive.SQL Workstation Engine.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 16:02 2356088 -c--a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2008-08-12 15:24 114688 -c--a-w- c:\program files\Brother\ControlCenter2\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2008-08-12 15:24 114688 -c----w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 12:03 17920 -c--a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 -c--a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 20:15 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 03:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 -c--a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 7:59 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 2:01 AM 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [9/12/2007 10:20 AM 13408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:43 AM 253600]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 12:43]
.
2012-04-10 c:\windows\Tasks\Carla's Backup New.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.anglersportgroup.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071017
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: orvis.com\supplierzone
Trusted Zone: orvis.com\test.supplierzone
TCP: DhcpNameServer = 192.168.16.2
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://downloads.freehandmusic.com/soleromusiccontrol.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-msdrm - msdrm.exe
SafeBoot-21399306.sys
MSConfigStartUp-DellSupport - c:\program files\DellSupport\DSAgnt.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-PDVDDXSrv - c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-10 15:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89ED92C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(468)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
.
**************************************************************************
.
Completion time: 2012-04-10 15:59:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 19:59
.
Pre-Run: 57,041,039,360 bytes free
Post-Run: 57,030,840,320 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E818FAA144786FDF8FC53313FA6445EC

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 April 2012 - 06:19 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 11:16 AM

Found the computer on today and "svchost" had mem usage topping 1,000,000 KB.

I ran TDSSKiller twice - the first time it detected an infected file and Cured it. It required a reboot... I rebooted and I ran it again... this time no issues. Here is the log from the 1st running. I assume you don't need the 2nd one.


11:46:47.0921 3248 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
11:46:48.0328 3248 ============================================================
11:46:48.0328 3248 Current date / time: 2012/04/11 11:46:48.0328
11:46:48.0328 3248 SystemInfo:
11:46:48.0328 3248
11:46:48.0328 3248 OS Version: 5.1.2600 ServicePack: 3.0
11:46:48.0328 3248 Product type: Workstation
11:46:48.0328 3248 ComputerName: INVOICING
11:46:48.0328 3248 UserName: cewell
11:46:48.0328 3248 Windows directory: C:\WINDOWS
11:46:48.0328 3248 System windows directory: C:\WINDOWS
11:46:48.0328 3248 Processor architecture: Intel x86
11:46:48.0328 3248 Number of processors: 2
11:46:48.0328 3248 Page size: 0x1000
11:46:48.0328 3248 Boot type: Normal boot
11:46:48.0328 3248 ============================================================
11:46:52.0609 3248 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:46:52.0765 3248 \Device\Harddisk0\DR0:
11:46:52.0765 3248 MBR used
11:46:52.0765 3248 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x94E7137
11:46:52.0796 3248 Initialize success
11:46:52.0796 3248 ============================================================
11:46:58.0234 5392 ============================================================
11:46:58.0234 5392 Scan started
11:46:58.0234 5392 Mode: Manual;
11:46:58.0234 5392 ============================================================
11:47:08.0156 5392 ql12160 - ok
11:47:08.0156 5392 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:47:08.0171 5392 ql1240 - ok
11:47:08.0171 5392 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:47:08.0187 5392 ql1280 - ok
11:47:08.0265 5392 radpms (b953369c5ef43615f1bfa9cea69fc9aa) C:\WINDOWS\system32\DRIVERS\radpms.sys
11:47:08.0265 5392 radpms - ok
11:47:08.0281 5392 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:47:08.0296 5392 RasAcd - ok
11:47:08.0343 5392 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:47:08.0343 5392 RasAuto - ok
11:47:08.0359 5392 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:47:08.0375 5392 Rasl2tp - ok
11:47:08.0421 5392 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:47:08.0421 5392 RasMan - ok
11:47:08.0546 5392 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:47:08.0546 5392 RasPppoe - ok
11:47:08.0546 5392 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:47:08.0546 5392 Raspti - ok
11:47:08.0593 5392 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:47:08.0593 5392 Rdbss - ok
11:47:08.0625 5392 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:47:08.0640 5392 RDPCDD - ok
11:47:08.0718 5392 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:47:08.0718 5392 rdpdr - ok
11:47:08.0765 5392 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:47:08.0781 5392 RDPWD - ok
11:47:08.0828 5392 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:47:08.0843 5392 RDSessMgr - ok
11:47:08.0875 5392 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:47:08.0875 5392 redbook - ok
11:47:08.0921 5392 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:47:08.0921 5392 RemoteAccess - ok
11:47:08.0984 5392 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:47:08.0984 5392 RemoteRegistry - ok
11:47:08.0984 5392 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
11:47:09.0000 5392 RpcLocator - ok
11:47:09.0046 5392 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:47:09.0062 5392 RpcSs - ok
11:47:09.0140 5392 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
11:47:09.0140 5392 RSVP - ok
11:47:09.0187 5392 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:47:09.0187 5392 SamSs - ok
11:47:09.0203 5392 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:47:09.0203 5392 SCardSvr - ok
11:47:09.0250 5392 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:47:09.0265 5392 Schedule - ok
11:47:09.0312 5392 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:47:09.0312 5392 Secdrv - ok
11:47:09.0343 5392 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:47:09.0359 5392 seclogon - ok
11:47:09.0500 5392 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
11:47:09.0531 5392 Secunia PSI Agent - ok
11:47:09.0593 5392 Secunia Update Agent (0e88fdf474f2cdd370a4a6ce77d018f0) C:\Program Files\Secunia\PSI\sua.exe
11:47:09.0609 5392 Secunia Update Agent - ok
11:47:09.0734 5392 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:47:09.0734 5392 SENS - ok
11:47:09.0812 5392 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:47:09.0812 5392 serenum - ok
11:47:09.0859 5392 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:47:09.0859 5392 Serial - ok
11:47:09.0906 5392 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:47:09.0906 5392 Sfloppy - ok
11:47:09.0953 5392 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:47:09.0968 5392 SharedAccess - ok
11:47:10.0000 5392 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:47:10.0000 5392 ShellHWDetection - ok
11:47:10.0015 5392 Simbad - ok
11:47:10.0046 5392 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:47:10.0062 5392 sisagp - ok
11:47:10.0125 5392 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:47:10.0125 5392 Sparrow - ok
11:47:10.0171 5392 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:47:10.0171 5392 splitter - ok
11:47:10.0218 5392 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:47:10.0218 5392 Spooler - ok
11:47:10.0265 5392 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:47:10.0265 5392 sr - ok
11:47:10.0296 5392 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:47:10.0296 5392 srservice - ok
11:47:10.0343 5392 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:47:10.0343 5392 Srv - ok
11:47:10.0375 5392 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:47:10.0390 5392 SSDPSRV - ok
11:47:10.0437 5392 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
11:47:10.0437 5392 StillCam - ok
11:47:10.0484 5392 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:47:10.0500 5392 stisvc - ok
11:47:10.0546 5392 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:47:10.0546 5392 swenum - ok
11:47:10.0593 5392 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:47:10.0593 5392 swmidi - ok
11:47:10.0671 5392 SwPrv - ok
11:47:10.0687 5392 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:47:10.0687 5392 symc810 - ok
11:47:10.0718 5392 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:47:10.0718 5392 symc8xx - ok
11:47:10.0796 5392 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:47:10.0812 5392 sym_hi - ok
11:47:10.0859 5392 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:47:10.0859 5392 sym_u3 - ok
11:47:10.0906 5392 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:47:10.0906 5392 sysaudio - ok
11:47:10.0937 5392 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:47:10.0937 5392 SysmonLog - ok
11:47:10.0968 5392 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:47:10.0968 5392 TapiSrv - ok
11:47:11.0015 5392 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:47:11.0031 5392 Tcpip - ok
11:47:11.0078 5392 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:47:11.0078 5392 TDPIPE - ok
11:47:11.0093 5392 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:47:11.0093 5392 TDTCP - ok
11:47:11.0125 5392 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:47:11.0125 5392 TermDD - ok
11:47:11.0187 5392 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:47:11.0203 5392 TermService - ok
11:47:11.0250 5392 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:47:11.0250 5392 Themes - ok
11:47:11.0296 5392 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
11:47:11.0296 5392 TlntSvr - ok
11:47:11.0328 5392 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:47:11.0328 5392 TosIde - ok
11:47:11.0359 5392 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:47:11.0375 5392 TrkWks - ok
11:47:11.0390 5392 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:47:11.0390 5392 Udfs - ok
11:47:11.0453 5392 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:47:11.0453 5392 ultra - ok
11:47:11.0500 5392 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
11:47:11.0500 5392 UMWdf - ok
11:47:11.0562 5392 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:47:11.0578 5392 Update - ok
11:47:11.0687 5392 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:47:11.0687 5392 upnphost - ok
11:47:11.0734 5392 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:47:11.0734 5392 UPS - ok
11:47:11.0828 5392 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
11:47:11.0828 5392 USBAAPL - ok
11:47:11.0875 5392 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:47:11.0875 5392 usbccgp - ok
11:47:11.0906 5392 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:47:11.0906 5392 usbehci - ok
11:47:11.0921 5392 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:47:11.0937 5392 usbhub - ok
11:47:11.0968 5392 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:47:11.0968 5392 usbprint - ok
11:47:11.0984 5392 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:47:11.0984 5392 USBSTOR - ok
11:47:12.0000 5392 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:47:12.0000 5392 usbuhci - ok
11:47:12.0000 5392 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:47:12.0000 5392 VgaSave - ok
11:47:12.0046 5392 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:47:12.0046 5392 viaagp - ok
11:47:12.0078 5392 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:47:12.0078 5392 ViaIde - ok
11:47:12.0109 5392 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:47:12.0109 5392 VolSnap - ok
11:47:12.0156 5392 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:47:12.0171 5392 VSS - ok
11:47:12.0203 5392 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:47:12.0203 5392 w32time - ok
11:47:12.0218 5392 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:47:12.0218 5392 Wanarp - ok
11:47:12.0218 5392 WDICA - ok
11:47:12.0250 5392 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:47:12.0250 5392 wdmaud - ok
11:47:12.0281 5392 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:47:12.0281 5392 WebClient - ok
11:47:12.0421 5392 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:47:12.0421 5392 winmgmt - ok
11:47:12.0515 5392 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\mspmsnsv.dll
11:47:12.0515 5392 WmdmPmSN - ok
11:47:12.0578 5392 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
11:47:12.0609 5392 Wmi - ok
11:47:12.0687 5392 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:47:12.0687 5392 WmiApSrv - ok
11:47:12.0734 5392 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:47:12.0734 5392 WS2IFSL - ok
11:47:12.0781 5392 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:47:12.0781 5392 wscsvc - ok
11:47:12.0843 5392 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:47:12.0843 5392 wuauserv - ok
11:47:12.0921 5392 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:47:12.0937 5392 WZCSVC - ok
11:47:12.0984 5392 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:47:12.0984 5392 xmlprov - ok
11:47:13.0000 5392 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
11:47:13.0031 5392 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
11:47:13.0031 5392 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
11:47:13.0062 5392 Boot (0x1200) (0aefae90035821fde248cda051118309) \Device\Harddisk0\DR0\Partition0
11:47:13.0062 5392 \Device\Harddisk0\DR0\Partition0 - ok
11:47:13.0062 5392 ============================================================
11:47:13.0062 5392 Scan finished
11:47:13.0062 5392 ============================================================
11:47:13.0078 5860 Detected object count: 1
11:47:13.0078 5860 Actual detected object count: 1
11:51:30.0515 5860 \Device\Harddisk0\DR0\# - copied to quarantine
11:51:30.0515 5860 \Device\Harddisk0\DR0 - copied to quarantine
11:51:30.0984 5860 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
11:51:31.0015 5860 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
11:51:31.0031 5860 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
11:51:31.0031 5860 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
11:51:31.0031 5860 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
11:51:31.0046 5860 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
11:51:31.0046 5860 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
11:51:31.0046 5860 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
11:51:31.0078 5860 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
11:51:31.0140 5860 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
11:51:31.0140 5860 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
11:51:31.0140 5860 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
11:51:31.0187 5860 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
11:51:31.0187 5860 \Device\Harddisk0\DR0 - ok
11:51:31.0421 5860 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
11:53:50.0187 5780 Deinitialize success

end log



I'm going for aswMBR now...
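The TDSSKiller log above is long, and the lines that matter for triage (the `- infected` verdict, the quarantine copies, and the "will be cured on reboot" note that means the machine is not clean until it has restarted and been rescanned) are buried among hundreds of `- ok` entries. As an added example, not code from this thread or from Kaspersky's TDSSKiller, here is a small parser for that log layout. The regular expressions are my own reading of the format as posted ("time pid object [(md5) path] [- status]"); the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Lines taken from the TDSSKiller log posted above (object names, hashes and
# paths are the thread's own). Assumed layout, as seen in that log:
#   HH:MM:SS.ffff <pid> <object> [(md5) <path>] [- <status>]
SAMPLE_LOG = r"""
11:47:06.0640 5392 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:47:06.0640 5392 NtLmSsp - ok
11:47:07.0640 5392 PCIDump - ok
11:47:07.0937 5392 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:47:07.0937 5392 PolicyAgent - ok
11:47:09.0500 5392 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
11:47:09.0531 5392 Secunia PSI Agent - ok
11:47:13.0000 5392 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
11:47:13.0031 5392 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
11:47:13.0031 5392 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
11:47:13.0062 5392 \Device\Harddisk0\DR0\Partition0 - ok
11:47:13.0078 5860 Detected object count: 1
11:51:30.0515 5860 \Device\Harddisk0\DR0 - copied to quarantine
11:51:31.0015 5860 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
11:51:31.0187 5860 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
11:51:31.0421 5860 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

# Every data line starts with a timestamp and the scanner's pid.
ENTRY_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*\S)\s*$")
# "<name> (<md5>) <path>": the name may itself contain spaces or "(0x1B8)".
MODULE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<object> ( <threat> ) - infected"
INFECTED_RE = re.compile(r"^(?P<obj>.+?) \( (?P<threat>[^)]+?) \) - infected$")
# Remediation lines, with or without the threat name in parentheses.
ACTION_RE = re.compile(
    r"^(?P<obj>.+?)(?: \( (?P<threat>[^)]+?) \))? - "
    r"(?P<action>copied to quarantine|will be cured on reboot|User select action: \S+)$"
)


def parse_tdsskiller_log(text):
    """Split a TDSSKiller log into modules seen, verdicts and remediation actions."""
    report = {"modules": [], "infected": [], "actions": [], "ok": 0, "unparsed": []}
    for raw in text.splitlines():
        entry = ENTRY_RE.match(raw)
        if entry is None:
            if raw.strip():  # banner lines carry no object data; blanks are skipped
                report["unparsed"].append(raw)
            continue
        body = entry.group("body")
        infected = INFECTED_RE.match(body)
        action = ACTION_RE.match(body)
        module = MODULE_RE.match(body)
        if infected:
            report["infected"].append((infected.group("obj"), infected.group("threat")))
        elif action:
            report["actions"].append((action.group("obj"), action.group("action")))
        elif module:
            report["modules"].append((module.group("name"), module.group("md5"), module.group("path")))
        elif body.endswith(" - ok"):
            report["ok"] += 1
        # "- detected ..." and "Detected object count" only restate the verdict line.
    return report


def shared_binaries(report):
    """Group service/driver names by the file backing them. Several names on one
    binary (lsass.exe here, or svchost-hosted services) is normal; the grouping
    just makes it visible when reading a long log."""
    by_file = defaultdict(list)
    for name, md5, path in report["modules"]:
        by_file[(md5, path)].append(name)
    return {key: names for key, names in by_file.items() if len(names) > 1}


def pending_reboot_cure(report):
    """Objects the tool will only fix after a restart: the cleanup is not
    finished until the machine has rebooted and been rescanned."""
    return [obj for obj, action in report["actions"] if action == "will be cured on reboot"]


def summarize(report):
    return {
        "modules": len(report["modules"]),
        "clean": report["ok"],
        "infected": len(report["infected"]),
        "quarantined": sum(1 for _, a in report["actions"] if a == "copied to quarantine"),
        "pending_reboot": len(pending_reboot_cure(report)),
    }


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(summarize(rep))
    for obj, threat in rep["infected"]:
        print("INFECTED", obj, threat)
    for (md5, path), names in shared_binaries(rep).items():
        print("shared", path, md5, names)
```

Run it against a full log saved from TDSSKiller and the summary tells you at a glance whether anything was flagged, how much was quarantined, and whether a reboot is still owed before the result means anything.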

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:00 PM

Posted 11 April 2012 - 11:40 AM

OK, let me know when you have the aswMBR report.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 smooth2o

smooth2o
  • Topic Starter

  • Members
  • 45 posts
  • Local time:10:00 PM

Posted 11 April 2012 - 11:53 AM

Ran aswMBR.exe and it worked OK...
Here is the scan log...

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-11 12:22:57
-----------------------------
12:22:57.625 OS Version: Windows 5.1.2600 Service Pack 3
12:22:57.625 Number of processors: 2 586 0xF0D
12:22:57.625 ComputerName: INVOICING UserName: cewell
12:22:58.062 Initialize success
12:26:22.281 AVAST engine defs: 12041100
12:28:48.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:28:48.796 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
12:28:48.828 Disk 0 MBR read successfully
12:28:48.828 Disk 0 MBR scan
12:28:48.828 Disk 0 Windows XP default MBR code
12:28:48.828 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
12:28:48.828 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76238 MB offset 96390
12:28:48.843 Disk 0 scanning sectors +156232125
12:28:48.921 Disk 0 scanning C:\WINDOWS\system32\drivers
12:29:00.046 Service scanning
12:29:15.875 Modules scanning
12:29:20.265 Disk 0 trace - called modules:
12:29:20.296 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:29:20.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a589ab8]
12:29:20.296 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x8a5d31c0]
12:29:20.296 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a593940]
12:29:20.718 AVAST engine scan C:\WINDOWS
12:29:27.906 AVAST engine scan C:\WINDOWS\system32
12:31:36.828 AVAST engine scan C:\WINDOWS\system32\drivers
12:31:51.000 AVAST engine scan C:\Documents and Settings\cewell
12:39:30.375 AVAST engine scan C:\Documents and Settings\All Users
12:41:01.531 Scan finished successfully
12:48:23.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\cewell\Desktop\MBR.dat"
12:48:23.250 The log file has been saved successfully to "C:\Documents and Settings\cewell\Desktop\aswMBR.txt"

end log

A quick "Task Manager - Processes" glance shows svchost.exe sitting at 44,164K mem usage... (I had ended the task before when it was up over a million - pre-TDSSKiller)

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:00 PM

Posted 11 April 2012 - 11:58 AM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 smooth2o

smooth2o
  • Topic Starter

  • Members
  • 45 posts
  • Local time:10:00 PM

Posted 11 April 2012 - 12:37 PM

Ran CF Script inside Combofix -
Log.txt follows:

ComboFix 12-04-10.01 - cewell 04/11/2012 13:17:07.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1490 [GMT -4:00]
Running from: c:\documents and settings\cewell\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cewell\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-11 15:51 . 2012-04-11 15:51 -------- dc----w- C:\TDSSKiller_Quarantine
2012-04-10 17:22 . 2012-03-20 07:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{34839257-8589-48B3-B1D8-3B46C9FA22E8}\mpengine.dll
2012-04-09 12:48 . 2012-03-20 07:53 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-05 16:43 . 2012-04-09 16:55 -------- dc----w- c:\documents and settings\All Users\Application Data\F4D55F3E000435DB0021E136D151FC4E
2012-04-05 15:03 . 2012-04-05 15:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-04-04 20:03 . 2012-04-04 20:04 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-04 14:50 . 2012-04-04 14:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-03 12:43 . 2012-04-03 12:43 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 16:11 . 2012-04-02 16:11 -------- dc----w- c:\documents and settings\cewell\Local Settings\Application Data\Threat Expert
2012-04-02 15:11 . 2012-04-02 15:11 -------- d-----w- c:\program files\PC Tools
2012-04-02 15:04 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-04-02 15:04 . 2012-04-09 15:48 -------- d-----w- c:\program files\Common Files\PC Tools
2012-04-02 15:03 . 2012-04-09 15:45 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-02 15:03 . 2012-04-02 15:03 -------- dc----w- c:\documents and settings\cewell\Application Data\TestApp
2012-03-28 18:01 . 2012-03-28 18:01 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 18:57 . 2004-08-11 22:00 26112 ----a-w- c:\windows\system32\userinit.exe
2012-04-03 12:43 . 2011-10-06 13:06 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 14:18 . 2012-01-16 17:59 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-07 13:16 . 2007-10-25 19:40 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 13:16 . 2007-10-25 19:40 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 13:16 . 2007-10-25 19:40 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-07 13:16 . 2007-10-25 19:40 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-01-17 17:41 . 2012-01-17 17:41 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-13 14:41 . 2012-01-13 14:41 45056 -c--a-r- c:\documents and settings\cewell\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-10_19.48.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-11 15:55 . 2012-04-11 15:55 16384 c:\windows\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-07 13:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workstation Engine.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workstation Engine.lnk
backup=c:\windows\pss\Pervasive.SQL Workstation Engine.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 16:02 2356088 -c--a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2008-08-12 15:24 114688 -c--a-w- c:\program files\Brother\ControlCenter2\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2008-08-12 15:24 114688 -c----w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 12:03 17920 -c--a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 -c--a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 20:15 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 03:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 -c--a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 7:59 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 2:01 AM 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [9/12/2007 10:20 AM 13408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 8:43 AM 253600]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 30453981
*NewlyCreated* - ASWMBR
*Deregistered* - 30453981
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 12:43]
.
2012-04-11 c:\windows\Tasks\Carla's Backup New.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-04-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.anglersportgroup.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071017
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: orvis.com\supplierzone
Trusted Zone: orvis.com\test.supplierzone
TCP: DhcpNameServer = 192.168.16.2
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://downloads.freehandmusic.com/soleromusiccontrol.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-11 13:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-04-11 13:26:20
ComboFix-quarantined-files.txt 2012-04-11 17:26
ComboFix2.txt 2012-04-10 19:59
.
Pre-Run: 57,384,837,120 bytes free
Post-Run: 58,131,017,728 bytes free
.
- - End Of File - - 6C65B35A89F18E4C2349DAB60704EEAB


end log


I will now put PC through some paces...

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 April 2012 - 12:48 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Adobe Reader 8.3.1
  • J2SE Runtime Environment 5.0 Update 7
  • Java™ 6 Update 19


  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar, uncheck the box next to it.
  • Run CCleaner. (Make sure under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the mbam icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 01:13 PM

So far the svchost has stayed down in the 46,336K area...

I do not have access to my server via the "My Network Places"
I can see the main access folder but when I click on it I get the following error:

\\ASG1\asg_info2 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

No network provider accepted the given network path --- followed by "OK " button ---


Also I cannot access our company's main accounting application which runs on our server... Get an error message that says: "You do not have a license to use this product" --- followed by "ok" button

Sometimes, especially when opening another application... If I move a window over on the screen I get video lag trails... but then they go away.

I opened up "Disk Cleanup" it offered Temp Internet files = 6,081K and WebClient/Publisher Temp Files = 258,727K that it could remove... I did NOT run it and they are still there.

I opened Microsoft Outlook and sent myself a test e-mail... it came through a few minutes later fine.
I opened Microsoft Word and opened a doc... no issues I can see

I opened Excel... same - no issues

I opened up an image from a folder.. no issues

MSE is still off and showing RED House in tray...

svchost seems still to be holding at 46,000KB ish -- before it would steadily climb up over 1.4 Gig

End report

#12 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 01:32 PM

I printed out instructions and started following them... I used "add/remove" located in Control Panel and later saw your text about REVO... Your text said I could use either so... I hope that is ok.

1st I removed Adobe Reader 8.3.1; it required a reboot, so I rebooted.
Next I removed the other 2 and no reboot was required...

Now I am heading to update Adobe Reader

#13 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 02:53 PM

Ok loaded Adobe Reader X - no problems - required a reboot...

after rebooting I saw a message in the tray - said "could not reconnect all network drives - click here to open my computer and see the status of your network drives"

loaded Java™ 6 Update 31 - no problems - no reboot needed - note: no icons anywhere.. only see version in "add/remove" via control panel.

ran CCleaner - gave me a warning that "stored passwords were going to be removed" - but ran it anyway
said ran to 100% complete - 5.988 seconds - 18.1 MB removed

Found that Malwarebytes had been removed from PC - located in a virus solutions folder we have an old version of "mbam-setup.exe" and launched it ...

It seemed to install ok until the very end... there were 2 final check boxes that said - Create a desktop icon and Update & Run Malwarebytes after install... then it started final installing and then crashed... got a Microsoft "send error - don't send" error msg.

it said "malwarebytes 'anti-malware has encountered a problem and needs to close. We are sorry for the inconvenience" - "send error report - don't send" I did not send but noted a button that revealed an error report at the following location: C:\Documen~1\cewell\LOCALS~1\Temp\db77_appcompat.txt

I hit "don't send" and tried installing again... this time it worked.

I ran "quick scan" and it found no issues... here is the log:


cewell :: INVOICING [administrator]

4/11/2012 3:11:54 PM
mbam-log-2012-04-11 (15-11-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258323
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Now heading to do "hijack this"... computer seems to be running smoothly through all this but for the errors above...

#14 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 03:02 PM

ok here is "HijackThis" log:



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:58:58 PM, on 4/11/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anglersportgroup.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071017
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://test.supplierzone.orvis.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Letters%20from%20Nowhere%202/Images/stg_drm.ocx
O16 - DPF: {64CD313F-F079-4D93-959F-4D28B5519449} (Jeopardy Control) - http://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
O16 - DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - http://downloads.freehandmusic.com/soleromusiccontrol.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Letters%20from%20Nowhere/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = anglersportgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = anglersportgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = anglersportgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = anglersportgroup.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe

--
End of file - 9247 bytes


Computer seems to be running well...

#15 smooth2o

smooth2o
  • Topic Starter
  • Members
  • 45 posts

Posted 11 April 2012 - 03:18 PM

My Boss - Rick (This is Scott) suggested I try to remove the Secunia program with your REVO that you showed me. Yesterday he tried to remove it and was not able to... I just tried and succeeded in removing it via Control Panel - "add/remove" - This took a re-boot ...

I am now standing by....



