Win32/Sirefef.EB redirect infection


This topic is locked
23 replies to this topic

#1 Born Yesterday

  • Members
  • 13 posts

Posted 18 April 2012 - 01:35 PM

Howdy Bleeps,
My computer seems to be harboring a pesky application that my current security system (CA) can’t seem to get rid of (or conversely my computer is allowing entry of malware that CA can’t block). I don’t really know what is happening being that I am not too tech-savvy.
CA scans can detect the byproducts of this application, but I assume it can’t find the root of this Sirefef.EB infection itself because I keep getting virus alerts about it. For the last few weeks(?) whenever I turn on my computer, I quickly get a Virus Infection Alert from CA identifying the bad file (always located at C:\windows\system32\, but with a different .dll name).
I started getting these alerts after I made some online purchases (airline tickets, rental car, trail run registrations). Prior to this I had been experiencing some oddity where I would get frequent Windows error messages saying there was a problem connecting to websites and the program (i.e., the internet) would have to be closed. I found that if I did not click on the “Send Report/Don’t Send Report” and just moved that window off screen I could still navigate around the web, so I just ignored those messages.

Apart from these constant virus alerts, the only other apparent dysfunction from this infection has been website redirects. They seemed related to Google searches (I stopped clicking on search results and started copy/pasting the website URLs), but every now and then the redirects would happen after I clicked on a link in a website. It doesn’t seem like a life-threatening situation, but it is annoying.

Also, just as I started running the GMER scan, CA popped up a new type of alert window saying that it located a problem file and that I should start a scan for infections, but that window was only open for a few seconds before it closed of its own volition and I didn’t have time to really digest what it was telling me. Since I had already started GMER, I opted not to run the CA virus scan (maybe it was pointing out the GMER application?). Since CA, up to now, has been useless with ridding me of the Sirefef.EB issue, I thought I would continue working with you fine folks on this and do a CA scan later.

And some confusion with the instructions on how to make this post… the Ark.txt file starts by telling me not to attach the file unless it is specifically asked for, but the Preparation Guide For Use Before Using Malware Removal Tools And Requesting Help post tells me that I should attach the file when I ask for help. I will not attach or post it unless you tell me to.
Also, I did a search and found a topic on the Sirefef.EB bug, but I wasn’t sure that it would be okay or advisable to try and follow any recommendations mentioned in the post thinking maybe each infection is unique. If I am wrong about that, I apologize in advance for this post.

Thanks in advance for any attention you give this request and any help you might provide. It's selfless superheroes like you who give the little people a real sense of security and hope for humankind.
SCottB

Here is the DDS.txt content:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 6:57:23 on 2012-04-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.459 [GMT -6:00]
.
AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe -k IntelUsb3S
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Helena&state=MT&site=TFX&textField1=46.5928&textField2=-112.035&e=1
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-6.0.1.33\QOELoader.exe"
mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
TCP: Interfaces\{F4D415CC-1A67-4AC2-AB06-E1BCF7F5420C} : DhcpNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: intelUsb3Sevices - USB3iw32.dll
Notify: PFW - UmxWnp.Dll
Notify: USB3iw32 - USB3iw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-6-21 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-6-21 15416]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-11-7 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-11-7 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-11-7 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-11-7 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-11-7 161008]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-11-7 144696]
R2 Intel Usb3;Intel USB3 Service;c:\windows\system32\svchost.exe -k IntelUsb3S [2004-8-4 14336]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-11-7 255312]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-21 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-11-7 185680]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-11-7 130280]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
.
=============== Created Last 30 ================
.
2012-04-05 18:12:27 38400 ----a-w- c:\windows\system32\USB3iw32.dll
2012-04-05 18:12:27 156672 ----a-w- c:\windows\system32\iusb3w32.dll
2012-03-30 02:51:07 -------- d-----w- c:\windows\system32\NtmsData
2012-03-27 01:45:33 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-26 04:51:37 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 17:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 6:59:01.87 ===============

Attached Files: GMER.txt (32.63KB)
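The DDS listing above records each created file on one line: timestamp, size (dashes for a directory), an eight-character attribute field, and the path. The Python below is an added example written for this page, not code from BleepingComputer, from DDS, or from any helper in the thread. It parses lines in that shape and flags, for triage, files sitting directly under system32 that were created within a configurable window of the report date (2012-04-18, taken from the DDS header above), or whose attribute field carries both s and h. The reading of the attribute letters (d directory, s system, h hidden) is inferred from the strings in the log and is an assumption, as is the 14-day default window; the sample lines are constructed to mirror the entries in the posted log.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample in the shape of a DDS "Created Last 30" section; the
# entries mirror the ones in the log posted above.
SAMPLE_DDS_LINES = """\
============== Created Last 30 ================
.
2012-04-05 18:12:27 38400 ----a-w- c:\\windows\\system32\\USB3iw32.dll
2012-04-05 18:12:27 156672 ----a-w- c:\\windows\\system32\\iusb3w32.dll
2012-03-30 02:51:07 -------- d-----w- c:\\windows\\system32\\NtmsData
2012-03-27 01:45:33 0 --sha-w- c:\\windows\\system32\\dds_trash_log.cmd
2012-03-26 04:51:37 -------- d-----w- c:\\program files\\iPod
.
"""

# One listing line: "<date> <time> <size or dashes> <8-char attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class DdsEntry:
    created: datetime
    size: Optional[int]   # None for directories (DDS prints dashes)
    attrs: str            # raw attribute field, e.g. "--sha-w-"
    path: str             # lower-cased path

    # Assumed letter meanings, inferred from the log: d=directory, s=system, h=hidden
    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def directly_in_system32(self) -> bool:
        # Directly under system32, not in a subdirectory such as drivers\
        rest = self.path[len(SYSTEM32):]
        return self.path.startswith(SYSTEM32) and "\\" not in rest


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Return the file/directory entries found in DDS-style listing text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners and "." separators
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append(DdsEntry(
            created=datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M:%S"),
            size=size,
            attrs=m.group("attrs"),
            path=m.group("path").lower(),
        ))
    return entries


def triage(entries: List[DdsEntry], report_date: str,
           recent_days: int = 14) -> List[Tuple[str, List[str]]]:
    """Flag files directly under system32 that are hidden+system or newer than the window."""
    cutoff = datetime.strptime(report_date, "%Y-%m-%d") - timedelta(days=recent_days)
    flagged = []
    for e in entries:
        if e.is_dir or not e.directly_in_system32:
            continue
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system attributes")
        if e.created >= cutoff:
            reasons.append(f"created within {recent_days} days of the report")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    # Report date taken from the DDS header above ("on 2012-04-18")
    for path, reasons in triage(parse_dds_entries(SAMPLE_DDS_LINES), "2012-04-18"):
        print(f"{path}: {'; '.join(reasons)}")
```

A flag is a cue to look closer, not a verdict: a scratch file that a scanning tool itself writes with hidden and system attributes is flagged exactly as a dropped DLL would be, so each hit still needs a hash or vendor lookup before anything is acted on.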


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 April 2012 - 11:40 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Born Yesterday (Topic Starter)

  • Members
  • 13 posts

Posted 20 April 2012 - 12:32 AM

Howdy Gringo,
Thanks for the quick response.
I ran Security Check (checkup.txt pasted below), but Combofix is having a problem with me. I did everything I thought I needed to do to shut down my CA anti-virus program short of uninstalling the whole thing, and Combofix kept refusing to run (it would start up and list a whole bunch of "Extractions" it was doing, then it would list an "Output", and all of a sudden it would minimize and return with a warning that the CA anti-virus was still there). I had even disabled all the pieces of the CA system (Anti-virus, spyware, personal firewall) AND asked it to Snooze the anti-virus tool.
When I turned it all back on to come back online and type this reply, a new CA alert popped up telling me my computer was now infected with the js/iframe!exploit virus (talk about adding insult to injury!).
Currently my computer is working much, much more slowly loading web pages (I can almost play an entire game of solitaire waiting for a page to load).
I would go ahead and just uninstall CA, but I don't know how easy it would be to get it back - I would search the website of the company that installed my internet, but the way things are now that would take a chunk of time and it is way past my bedtime. I thought if things just totally fall apart, I should at least get this reply out so you know I am still here. I will come back and try Combofix on Saturday, maybe.

For what it's worth, here's the checkup.txt report:


Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
CA Anti-Virus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

CA Anti-Spyware
Java™ 6 Update 7
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

CA CA Internet Security Suite CA Anti-Virus CAVRID.exe
CA CA Internet Security Suite CA Anti-Virus ISafe.exe
CA CA Internet Security Suite CA Anti-Virus VetMsg.exe
CA CA Internet Security Suite CA Personal Firewall capfsem.exe
CA CA Internet Security Suite CA Personal Firewall capfasem.exe
``````````End of Log````````````

SCottB

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 April 2012 - 01:02 AM

Hello


CA does not play nice with CF, so it would be best to uninstall it anyway.


I can give you a good free antivirus if you can't get CA back on the computer:

Microsoft Security Essentials


gringo

#5 Born Yesterday (Topic Starter)

  • Members
  • 13 posts

Posted 22 April 2012 - 09:29 PM

Howdy Back,
Today I uninstalled my CA Anti-Virus and ran ComboFix. Prior to Combofix, I ran another Security Check for the heck of it. Here's the second checkup.txt:
Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 7
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

I started Combofix in the afternoon (my stupid brain thinks it was around 1:30 or 2:00) and it appeared to go into a scan of the computer (it didn't get hung up since CA was gone). I returned to my computer at 8:00 to see what was up. I didn't have any idea how long Combofix would take.
My computer appeared to be in some sort of sleep mode - the screen was dark and there was no indication of any activity (that light with the stacked discs in the front of my computer was not flashing and clicking away). I could not wake the computer up using any and all sorts of key combinations, so I held the power switch until it turned off.
When I turned it back on, my computer flew through the start up screens (the HP logo, the Windows logo, the Windows "Welcome" window) like it had never flown before. It was so fast, I hope if my computer is fixed it always starts up that fast. I was expecting a window telling me that Windows was shut down unexpectedly and that I could reboot in safety mode (not that I would know how to use that), but that never happened.
So, thanks to all that, I don't know if Combofix finished what it was supposed to do and I don't know where it would have put a report if it produced one. There is a Combofix icon in the C:\ root(?) and when I click on it, it gives me a window "Files stored on this computer" with a couple of folders (Shared Documents, Administrator) and icons for the C:\, D:\, and E:\ drives. Maybe that means something to you? The only other file on C:\ that looks odd to me is a folder called Qoobox which contains subfolders named BackEnv, LastRun, Quarantine, Test and TestC. The only document in these folders is in Quarantine and it is called Catchme.txt and all it says is this:

-------- 2012-04-22 - 15:44:02 -------------


Sorry, my stupid brain didn't seem to be able to do this right. Let me know if I should rerun Combofix or if you know where Combofix tends to store its reports (if it stores them somewhere without me having to save it).
Thanks, as always,
SCottB

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 April 2012 - 09:35 PM

There is a Combofix icon in the C:\ root(?) and when I click on it, it gives me a window "Files stored on this computer" with a couple of folders (Shared Documents, Administrator) and icons for the C:\, D:\, and E:\ drives

Sounds like it did not finish, so I would like you to try it again please.


gringo

#7 Born Yesterday (Topic Starter)

  • Members
  • 13 posts

Posted 24 April 2012 - 12:10 AM

Howdy Again,
Well, I don’t think ComboFix really proceeded the way it was ‘supposed’ to, but somehow I ended up with a log.txt. CF had a huge problem rebooting my computer (in that it couldn’t), but in spite of the warnings that told me NOT to manually reboot my computer, it appears that’s what I needed to do to move things along.
I started the second run at 12:30pm and babysat the computer for a few minutes to see what it would do. I had removed all time-outs that would cause the computer to go to stand-by so that I could see where CF ended up when I returned home after work. In the ten or fifteen minutes I sat watching it CF popped up with a message that I had some rootkit virus (I did not take down the exact wording) embedded in some deep recess that would be difficult to get rid of. Then the first message from CF about rebooting came up (let CF do it, don’t do it manually). All the icons on my desktop disappeared, but that was it.
When I came back from work, there was a screen saver of my photos running, well, not running as the last image that came up was just frozen there. The computer appeared inactive and no key tapping or mouse clicking could wake it up, so I held the power button down until it shut off.
When I turned it back on and it rebooted, CF automatically began processing again. It ran through and completed some 50 plus “stages”, then it deleted 15 files and after a few minutes the window cleared and CF displayed another message that it was rebooting and I should NOT manually reboot. I took the dogs for a walk and hoped for something positive when I got back.
When I returned to the computer a couple of hours later it was still displaying the rebooting message. Again, no key or button would change the computer status (that is, totally inactive), so I held down the power key and turned the computer off.
When I turned it back on and it rebooted, CF automatically began processing again. This time it displayed the message that it was preparing the log and that I should not run any programs. When I came back an hour or so later, the log.txt was up on the screen.
I would have wished for a ‘clean’ process, but if this actually worked then good enough. Here’s the text of the log CF produced:
ComboFix 12-04-19.02 - Administrator 04/23/2012 17:56:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1393 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$\203167144
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\L\nqrupmok
c:\windows\$NtUninstallKB62280$\485945278\oemid
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\$NtUninstallKB62280$\485945278\version
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\oracle_load_balancer_60_client-forms6i.dll
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_smartwiservice
-------\Service_smartwiservice
.
.
((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-23 18:46 . 2008-04-14 06:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-05 22:12 . 2012-04-05 22:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-04-05 18:12 . 2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
2012-04-05 18:12 . 2012-04-05 18:12 156672 ----a-w- c:\windows\system32\iusb3w32.dll
2012-03-30 02:51 . 2012-03-30 03:01 -------- d-----w- c:\windows\system32\NtmsData
2012-03-27 01:59 . 2012-03-27 01:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-03-26 04:51 . 2012-03-26 04:51 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 11:01 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 08:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 08:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 17:01 . 2011-03-07 04:31 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2011-03-07 04:31 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-04 08:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-23 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2008-05-14 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intelUsb3Sevices]
2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3iw32]
2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 9:24 PM 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 9:49 PM 15416]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 4:14 AM 24064]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 5:08 PM 182576]
R2 Intel Usb3;Intel USB3 Service;c:\windows\System32\svchost.exe -k IntelUsb3S [8/4/2004 2:00 AM 14336]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 2:29 PM 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/21/2008 10:50 PM 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 1:16 PM 41216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:20 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:20 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
aspi32
SndTDriverV32
tfsnifs
X4HSX32
backupexecjobengine
bobo
wdelmgr20
owstimer
tsmapip
sglogplayer
mi-raysat_3dsmax9_32
yediex
sysmgmthp
SymIMMP
ET5Drv
ood2000
DLARTL_M
bgs_sdservice
sonypvs1
roxmediadb9
smartlinkservice
webupdate
ISODrive
xusb21
nvcap
qconsvc
lemsgt
cmuda
PQNTDrv
vvoice
bdpredir
DivisCTP
Uim_IM
smartwiservice
nwcworkstation
retrolauncher
avgtdi
cpuz132
se59unic
rfcomm
deltafw
sprtsvc_ddoctorv2
se58mdm
cxusb
pimsgss
SiRemFil
SANDRA
w22n51
cpqarry2
nvnforce
nvrd64
ami0nt
WmaCDriverV32
adpu320
FETNDISB
umwdf
lxrjd31s
drvmcdb
RapiMgr
ufad-ws60
SE26mdm
BCMTPM
awservice
sbpci
pageserver
CSDriver
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 19:34]
.
2012-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 22:20]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 22:20]
.
2012-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Helena&state=MT&site=TFX&textField1=46.5928&textField2=-112.035&e=1
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-23 22:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|??@
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB62280$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-797339378-3992607010-2023527187-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,27,1f,7c,fd,b1,35,48,8f,6b,7a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,27,1f,7c,fd,b1,35,48,8f,6b,7a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\USB3iw32.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
.
- - - - - - - > 'explorer.exe'(6652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\mqsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
.
**************************************************************************
.
Completion time: 2012-04-23 22:18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-24 04:18
.
Pre-Run: 88,454,004,736 bytes free
Post-Run: 89,539,362,816 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - C3CECE8E88A805CE981ACC9DEE895169

I hope this is a useful thing (and that I don’t have to do it too many more times…).
Thanks for your attention.
SCottB
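The ComboFix output above flags NETSVCS REQUIRES REPAIRS and lists the current members of the netsvcs svchost group: the stock XP names sit at the start and end of that list with dozens of unfamiliar names in between, and the svchost section shows an extra group (IntelUsb3S) pointing at a service named Intel Usb3. As an added example, not part of this thread or of ComboFix, the Python below parses those two sections out of a log and reports which netsvcs entries are not in the XP SP3 default set; the baseline set and the trimmed sample log are my own assumptions, constructed in the layout of the output above.

```python
import re

# Stock members of the "netsvcs" svchost group on Windows XP SP3. This baseline is
# my own assumption (from a clean XP SP3 install), not something taken from the
# thread or from ComboFix itself; adjust it if you audit a different Windows build.
XP_SP3_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
}

# Constructed sample: a trimmed excerpt in the layout of the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
NWCWorkstation
aspi32
bobo
smartwiservice
nwcworkstation
Rasman
Schedule
wuauserv
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
"""


def parse_netsvcs(log_text):
    """Return the service names ComboFix listed after 'NETSVCS REQUIRES REPAIRS'.

    ComboFix ends the list with a lone '.' followed by the registry path; an
    empty list means the log has no such section (nothing to repair)."""
    entries = []
    collecting = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = line.startswith("NETSVCS REQUIRES REPAIRS")
            continue
        if line in ("", ".") or line.upper().startswith("HKEY_"):
            break
        entries.append(line)
    return entries


def parse_svchost_groups(log_text):
    """Return {group_name: raw REG_MULTI_SZ value} from the svchost key section.

    ComboFix notes that it omits legit default entries, so any group that does
    show up here (one that a service loads via 'svchost.exe -k <group>') is
    worth checking against the Drivers/Services list."""
    groups = {}
    collecting = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = line.lower().endswith(r"\currentversion\svchost]")
            continue
        if line in ("", "."):
            break
        m = re.match(r"(\S+)\s+REG_MULTI_SZ\s+(.*)", line)
        if m:
            groups[m.group(1)] = m.group(2).strip()
    return groups


def audit_netsvcs(entries, baseline=XP_SP3_NETSVCS):
    """Split the listed entries into (unknown, duplicates).

    Service names are compared case-insensitively, as the registry does; a
    lowercase duplicate of a legitimate name therefore lands in 'duplicates'
    rather than 'unknown', which is why both lists are reported."""
    known = {name.lower() for name in baseline}
    seen = set()
    unknown, duplicates = [], []
    for name in entries:
        key = name.lower()
        if key in seen:
            duplicates.append(name)
        seen.add(key)
        if key not in known:
            unknown.append(name)
    return unknown, duplicates


if __name__ == "__main__":
    listed = parse_netsvcs(SAMPLE_LOG)
    unknown, duplicates = audit_netsvcs(listed)
    print("netsvcs entries listed:", len(listed))
    print("not in XP SP3 baseline:", unknown)
    print("case-insensitive duplicates:", duplicates)
    print("non-default svchost groups:", parse_svchost_groups(SAMPLE_LOG))
```

Run against the full log above, the unknown list is the block between Nwsapagent/Rasauto and Rasman, which is the set of entries a cleanup would need to strip from the group.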

#8 gringo_pr

Bleepin Gringo - Malware Response Team
Location: Puerto Rico

Posted 24 April 2012 - 12:23 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Born Yesterday

Topic Starter - Members

Posted 25 April 2012 - 12:23 AM

Howdy,
No problem with these scans. Quick, too.
Here are the logs:
TDSSKiller -
23:03:38.0546 3676 TDSS rootkit removing tool 2.7.32.0 Apr 23 2012 19:12:34
23:03:38.0984 3676 ============================================================
23:03:38.0984 3676 Current date / time: 2012/04/24 23:03:38.0984
23:03:38.0984 3676 SystemInfo:
23:03:38.0984 3676
23:03:38.0984 3676 OS Version: 5.1.2600 ServicePack: 3.0
23:03:38.0984 3676 Product type: Workstation
23:03:38.0984 3676 ComputerName: YOUR-A9279112E3
23:03:38.0984 3676 UserName: Administrator
23:03:38.0984 3676 Windows directory: C:\WINDOWS
23:03:38.0984 3676 System windows directory: C:\WINDOWS
23:03:38.0984 3676 Processor architecture: Intel x86
23:03:38.0984 3676 Number of processors: 2
23:03:38.0984 3676 Page size: 0x1000
23:03:38.0984 3676 Boot type: Normal boot
23:03:38.0984 3676 ============================================================
23:03:40.0890 3676 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
23:03:40.0890 3676 ============================================================
23:03:40.0890 3676 \Device\Harddisk0\DR0:
23:03:40.0890 3676 MBR partitions:
23:03:40.0890 3676 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDD8DBFE
23:03:40.0890 3676 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0xDD91AFE, BlocksNum 0x201CC3
23:03:40.0890 3676 ============================================================
23:03:41.0203 3676 C: <-> \Device\Harddisk0\DR0\Partition0
23:03:41.0218 3676 D: <-> \Device\Harddisk0\DR0\Partition1
23:03:41.0218 3676 ============================================================
23:03:41.0218 3676 Initialize success
23:03:41.0218 3676 ============================================================
23:03:43.0859 3108 ============================================================
23:03:43.0859 3108 Scan started
23:03:43.0859 3108 Mode: Manual;
23:03:43.0859 3108 ============================================================
23:03:44.0734 3108 Abiosdsk - ok
23:03:44.0734 3108 abp480n5 - ok
23:03:44.0781 3108 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
23:03:44.0781 3108 Accelerometer - ok
23:03:44.0828 3108 accoca (ec4a5d4e36a8e49261cd823450e0ba51) c:\Program Files\ActivIdentity\ActivClient\accoca.exe
23:03:44.0828 3108 accoca - ok
23:03:44.0875 3108 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:03:44.0890 3108 ACPI - ok
23:03:44.0906 3108 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
23:03:44.0906 3108 ACPIEC - ok
23:03:44.0953 3108 ADIHdAudAddService (ff60db2aca88543c025eacba25cee5c1) C:\WINDOWS\system32\drivers\ADIHdAud.sys
23:03:44.0953 3108 ADIHdAudAddService - ok
23:03:44.0968 3108 adpu160m - ok
23:03:45.0000 3108 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
23:03:45.0000 3108 AEAudio - ok
23:03:45.0031 3108 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:03:45.0031 3108 aec - ok
23:03:45.0078 3108 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:03:45.0078 3108 AFD - ok
23:03:45.0125 3108 AgereModemAudio (8ed60797908fd394eee0d6949f493224) C:\WINDOWS\system32\agrsmsvc.exe
23:03:45.0125 3108 AgereModemAudio - ok
23:03:45.0234 3108 AgereSoftModem (38325c6aa8eae011897d61ce48ec6435) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
23:03:45.0406 3108 AgereSoftModem - ok
23:03:45.0406 3108 Aha154x - ok
23:03:45.0609 3108 ahcix86 (15da079ff09be5fa6602041ee286de80) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
23:03:45.0625 3108 ahcix86 - ok
23:03:45.0625 3108 aic78u2 - ok
23:03:45.0640 3108 aic78xx - ok
23:03:45.0671 3108 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
23:03:45.0671 3108 Alerter - ok
23:03:45.0687 3108 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
23:03:45.0703 3108 ALG - ok
23:03:45.0734 3108 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:03:45.0734 3108 AliIde - ok
23:03:45.0765 3108 Amddfltr (c26488bfb5278b3d357f99d3bbc790c9) C:\WINDOWS\system32\DRIVERS\Amddfltr.sys
23:03:45.0765 3108 Amddfltr - ok
23:03:45.0796 3108 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
23:03:45.0796 3108 AmdPPM - ok
23:03:45.0796 3108 amsint - ok
23:03:45.0906 3108 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
23:03:45.0906 3108 Apple Mobile Device - ok
23:03:45.0953 3108 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
23:03:45.0968 3108 AppMgmt - ok
23:03:46.0000 3108 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:03:46.0000 3108 Arp1394 - ok
23:03:46.0015 3108 asc - ok
23:03:46.0015 3108 asc3350p - ok
23:03:46.0031 3108 asc3550 - ok
23:03:46.0140 3108 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
23:03:46.0171 3108 aspnet_state - ok
23:03:46.0203 3108 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:03:46.0203 3108 AsyncMac - ok
23:03:46.0234 3108 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:03:46.0234 3108 atapi - ok
23:03:46.0250 3108 Atdisk - ok
23:03:46.0343 3108 Ati HotKey Poller (3be397289c3f0773829598e7c093c362) C:\WINDOWS\system32\Ati2evxx.exe
23:03:46.0343 3108 Ati HotKey Poller - ok
23:03:46.0593 3108 ati2mtag (bc1030fa3b251b3915d6076018586f92) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
23:03:46.0640 3108 ati2mtag - ok
23:03:46.0828 3108 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:03:46.0828 3108 Atmarpc - ok
23:03:46.0906 3108 ATSwpWDF (a9f9d1d24441889beb1aa2b917457e23) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
23:03:46.0906 3108 ATSwpWDF - ok
23:03:46.0953 3108 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
23:03:46.0953 3108 AudioSrv - ok
23:03:47.0000 3108 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:03:47.0000 3108 audstub - ok
23:03:47.0031 3108 b57w2k (a9d0f6efc61d1ff69b55c495f85dd868) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
23:03:47.0031 3108 b57w2k - ok
23:03:47.0171 3108 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
23:03:47.0250 3108 BCM43XX - ok
23:03:47.0250 3108 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:03:47.0265 3108 Beep - ok
23:03:47.0312 3108 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
23:03:47.0359 3108 BITS - ok
23:03:47.0453 3108 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
23:03:47.0468 3108 Bonjour Service - ok
23:03:47.0515 3108 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
23:03:47.0515 3108 Browser - ok
23:03:47.0562 3108 catchme - ok
23:03:47.0593 3108 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:03:47.0593 3108 cbidf2k - ok
23:03:47.0640 3108 CCALib8 (8ef654045e518ac00e52e7a1e2d3ad70) C:\Program Files\Canon\CAL\CALMAIN.exe
23:03:47.0640 3108 CCALib8 - ok
23:03:47.0656 3108 cd20xrnt - ok
23:03:47.0671 3108 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:03:47.0671 3108 Cdaudio - ok
23:03:47.0703 3108 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:03:47.0718 3108 Cdfs - ok
23:03:47.0750 3108 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:03:47.0750 3108 Cdrom - ok
23:03:47.0750 3108 Changer - ok
23:03:47.0765 3108 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
23:03:47.0781 3108 CiSvc - ok
23:03:47.0781 3108 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
23:03:47.0781 3108 ClipSrv - ok
23:03:47.0859 3108 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:03:47.0906 3108 clr_optimization_v2.0.50727_32 - ok
23:03:47.0937 3108 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
23:03:47.0937 3108 CmBatt - ok
23:03:47.0937 3108 CmdIde - ok
23:03:48.0015 3108 Com4QLBEx (7795f8cebc284a426b53f541e538695f) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
23:03:48.0031 3108 Com4QLBEx - ok
23:03:48.0031 3108 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
23:03:48.0031 3108 Compbatt - ok
23:03:48.0046 3108 COMSysApp - ok
23:03:48.0062 3108 Cpqarray - ok
23:03:48.0109 3108 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
23:03:48.0125 3108 CryptSvc - ok
23:03:48.0125 3108 dac2w2k - ok
23:03:48.0125 3108 dac960nt - ok
23:03:48.0203 3108 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
23:03:48.0234 3108 DcomLaunch - ok
23:03:48.0281 3108 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
23:03:48.0281 3108 Dhcp - ok
23:03:48.0296 3108 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:03:48.0296 3108 Disk - ok
23:03:48.0312 3108 dmadmin - ok
23:03:48.0390 3108 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:03:48.0437 3108 dmboot - ok
23:03:48.0453 3108 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:03:48.0453 3108 dmio - ok
23:03:48.0468 3108 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:03:48.0468 3108 dmload - ok
23:03:48.0484 3108 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
23:03:48.0484 3108 dmserver - ok
23:03:48.0515 3108 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:03:48.0515 3108 DMusic - ok
23:03:48.0578 3108 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
23:03:48.0578 3108 Dnscache - ok
23:03:48.0609 3108 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
23:03:48.0609 3108 Dot3svc - ok
23:03:48.0625 3108 dpti2o - ok
23:03:48.0640 3108 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:03:48.0656 3108 drmkaud - ok
23:03:48.0671 3108 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
23:03:48.0671 3108 EapHost - ok
23:03:48.0703 3108 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
23:03:48.0703 3108 ERSvc - ok
23:03:48.0765 3108 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
23:03:48.0765 3108 Eventlog - ok
23:03:48.0843 3108 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
23:03:48.0843 3108 EventSystem - ok
23:03:48.0875 3108 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:03:48.0875 3108 Fastfat - ok
23:03:48.0906 3108 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:03:48.0906 3108 FastUserSwitchingCompatibility - ok
23:03:48.0937 3108 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:03:48.0937 3108 Fdc - ok
23:03:48.0968 3108 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:03:48.0968 3108 Fips - ok
23:03:49.0000 3108 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:03:49.0000 3108 Flpydisk - ok
23:03:49.0015 3108 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:03:49.0015 3108 FltMgr - ok
23:03:49.0140 3108 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
23:03:49.0140 3108 FontCache3.0.0.0 - ok
23:03:49.0187 3108 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:03:49.0187 3108 Fs_Rec - ok
23:03:49.0203 3108 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:03:49.0203 3108 Ftdisk - ok
23:03:49.0234 3108 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:03:49.0234 3108 GEARAspiWDM - ok
23:03:49.0250 3108 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:03:49.0250 3108 Gpc - ok
23:03:49.0375 3108 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
23:03:49.0375 3108 gupdate - ok
23:03:49.0390 3108 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
23:03:49.0390 3108 gupdatem - ok
23:03:49.0437 3108 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
23:03:49.0453 3108 gusvc - ok
23:03:49.0484 3108 HBtnKey (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
23:03:49.0484 3108 HBtnKey - ok
23:03:49.0515 3108 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:03:49.0515 3108 HDAudBus - ok
23:03:49.0593 3108 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
23:03:49.0593 3108 helpsvc - ok
23:03:49.0593 3108 HidServ - ok
23:03:49.0640 3108 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
23:03:49.0640 3108 hkmsvc - ok
23:03:49.0671 3108 hpdskflt (9f620e11b80b74f4dab50a81a5df357f) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
23:03:49.0687 3108 hpdskflt - ok
23:03:49.0687 3108 hpn - ok
23:03:49.0718 3108 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
23:03:49.0718 3108 HpqKbFiltr - ok
23:03:49.0828 3108 hpqwmiex (1665c7121a026df10c903db9bc5e9d43) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
23:03:49.0828 3108 hpqwmiex - ok
23:03:49.0890 3108 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:03:49.0890 3108 HTTP - ok
23:03:49.0937 3108 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
23:03:49.0937 3108 HTTPFilter - ok
23:03:49.0937 3108 i2omgmt - ok
23:03:49.0953 3108 i2omp - ok
23:03:50.0000 3108 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:03:50.0000 3108 i8042prt - ok
23:03:50.0078 3108 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
23:03:50.0078 3108 IDriverT - ok
23:03:50.0265 3108 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
23:03:50.0296 3108 idsvc - ok
23:03:50.0328 3108 IFXTPM (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
23:03:50.0328 3108 IFXTPM - ok
23:03:50.0375 3108 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:03:50.0375 3108 Imapi - ok
23:03:50.0437 3108 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
23:03:50.0437 3108 ImapiService - ok
23:03:50.0453 3108 ini910u - ok
23:03:50.0515 3108 Intel Usb3 (6ca3486892775128e4ceff307adab3ea) C:\WINDOWS\system32\iusb3w32.dll
23:03:50.0515 3108 Intel Usb3 - ok
23:03:50.0531 3108 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:03:50.0531 3108 IntelIde - ok
23:03:50.0578 3108 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:03:50.0578 3108 Ip6Fw - ok
23:03:50.0609 3108 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:03:50.0609 3108 IpFilterDriver - ok
23:03:50.0625 3108 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:03:50.0640 3108 IpInIp - ok
23:03:50.0687 3108 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:03:50.0687 3108 IpNat - ok
23:03:50.0843 3108 iPod Service (ce004777b92dea56fe14ec900d20baa4) C:\Program Files\iPod\bin\iPodService.exe
23:03:50.0890 3108 iPod Service - ok
23:03:50.0906 3108 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:03:50.0921 3108 IPSec - ok
23:03:50.0937 3108 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:03:50.0937 3108 IRENUM - ok
23:03:50.0953 3108 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:03:50.0953 3108 isapnp - ok
23:03:50.0984 3108 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:03:50.0984 3108 Kbdclass - ok
23:03:51.0000 3108 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:03:51.0000 3108 kbdhid - ok
23:03:51.0046 3108 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:03:51.0046 3108 kmixer - ok
23:03:51.0093 3108 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:03:51.0093 3108 KSecDD - ok
23:03:51.0140 3108 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
23:03:51.0156 3108 lanmanserver - ok
23:03:51.0203 3108 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
23:03:51.0203 3108 lanmanworkstation - ok
23:03:51.0218 3108 lbrtfdc - ok
23:03:51.0250 3108 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
23:03:51.0265 3108 LmHosts - ok
23:03:51.0281 3108 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
23:03:51.0281 3108 Messenger - ok
23:03:51.0437 3108 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
23:03:51.0437 3108 Microsoft Office Groove Audit Service - ok
23:03:51.0468 3108 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:03:51.0468 3108 mnmdd - ok
23:03:51.0515 3108 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
23:03:51.0515 3108 mnmsrvc - ok
23:03:51.0515 3108 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:03:51.0515 3108 Modem - ok
23:03:51.0546 3108 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:03:51.0546 3108 Mouclass - ok
23:03:51.0562 3108 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:03:51.0562 3108 MountMgr - ok
23:03:51.0796 3108 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
23:03:51.0843 3108 MQAC - ok
23:03:51.0843 3108 mraid35x - ok
23:03:51.0890 3108 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:03:51.0906 3108 MRxDAV - ok
23:03:51.0984 3108 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:03:52.0031 3108 MRxSmb - ok
23:03:52.0062 3108 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
23:03:52.0062 3108 MSDTC - ok
23:03:52.0093 3108 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:03:52.0093 3108 Msfs - ok
23:03:52.0125 3108 MSIServer - ok
23:03:52.0156 3108 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:03:52.0156 3108 MSKSSRV - ok
23:03:52.0203 3108 MSMQ (afb909b537aae1beae7bbdb6a36d40b0) C:\WINDOWS\system32\mqsvc.exe
23:03:52.0203 3108 MSMQ - ok
23:03:52.0234 3108 MSMQTriggers (7f955ff3b1bb93376ebe75d5accdc6db) C:\WINDOWS\system32\mqtgsvc.exe
23:03:52.0234 3108 MSMQTriggers - ok
23:03:52.0265 3108 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:03:52.0265 3108 MSPCLOCK - ok
23:03:52.0281 3108 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:03:52.0281 3108 MSPQM - ok
23:03:52.0312 3108 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:03:52.0312 3108 mssmbios - ok
23:03:52.0359 3108 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:03:52.0359 3108 Mup - ok
23:03:52.0421 3108 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
23:03:52.0437 3108 napagent - ok
23:03:52.0484 3108 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:03:52.0484 3108 NDIS - ok
23:03:52.0531 3108 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:03:52.0531 3108 NdisTapi - ok
23:03:52.0578 3108 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:03:52.0578 3108 Ndisuio - ok
23:03:52.0593 3108 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:03:52.0593 3108 NdisWan - ok
23:03:52.0640 3108 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:03:52.0640 3108 NDProxy - ok
23:03:52.0640 3108 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:03:52.0640 3108 NetBIOS - ok
23:03:52.0687 3108 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:03:52.0687 3108 NetBT - ok
23:03:52.0750 3108 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:03:52.0750 3108 NetDDE - ok
23:03:52.0765 3108 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:03:52.0765 3108 NetDDEdsdm - ok
23:03:52.0796 3108 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:03:52.0796 3108 Netlogon - ok
23:03:52.0843 3108 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
23:03:52.0843 3108 Netman - ok
23:03:52.0937 3108 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
23:03:52.0953 3108 NetTcpPortSharing - ok
23:03:52.0968 3108 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:03:52.0984 3108 NIC1394 - ok
23:03:53.0031 3108 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
23:03:53.0046 3108 Nla - ok
23:03:53.0046 3108 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:03:53.0046 3108 Npfs - ok
23:03:53.0109 3108 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:03:53.0140 3108 Ntfs - ok
23:03:53.0140 3108 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:03:53.0140 3108 NtLmSsp - ok
23:03:53.0203 3108 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
23:03:53.0234 3108 NtmsSvc - ok
23:03:53.0265 3108 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:03:53.0265 3108 Null - ok
23:03:53.0281 3108 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:03:53.0281 3108 NwlnkFlt - ok
23:03:53.0296 3108 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:03:53.0312 3108 NwlnkFwd - ok
23:03:53.0484 3108 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
23:03:53.0484 3108 odserv - ok
23:03:53.0531 3108 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:03:53.0531 3108 ohci1394 - ok
23:03:53.0578 3108 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
23:03:53.0593 3108 ose - ok
23:03:53.0625 3108 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:03:53.0625 3108 Parport - ok
23:03:53.0640 3108 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:03:53.0640 3108 PartMgr - ok
23:03:53.0671 3108 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:03:53.0671 3108 ParVdm - ok
23:03:53.0687 3108 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:03:53.0687 3108 PCI - ok
23:03:53.0687 3108 PCIDump - ok
23:03:53.0703 3108 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:03:53.0703 3108 PCIIde - ok
23:03:53.0734 3108 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
23:03:53.0734 3108 Pcmcia - ok
23:03:53.0750 3108 PDCOMP - ok
23:03:53.0750 3108 PDFRAME - ok
23:03:53.0765 3108 PDRELI - ok
23:03:53.0781 3108 PDRFRAME - ok
23:03:53.0781 3108 perc2 - ok
23:03:53.0796 3108 perc2hib - ok
23:03:53.0859 3108 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
23:03:53.0875 3108 PlugPlay - ok
23:03:53.0890 3108 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:03:53.0890 3108 PolicyAgent - ok
23:03:53.0921 3108 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:03:53.0921 3108 PptpMiniport - ok
23:03:53.0937 3108 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
23:03:53.0937 3108 Processor - ok
23:03:53.0953 3108 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:03:53.0953 3108 ProtectedStorage - ok
23:03:53.0968 3108 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:03:53.0968 3108 PSched - ok
23:03:53.0968 3108 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:03:53.0968 3108 Ptilink - ok
23:03:53.0984 3108 ql1080 - ok
23:03:53.0984 3108 Ql10wnt - ok
23:03:54.0000 3108 ql12160 - ok
23:03:54.0015 3108 ql1240 - ok
23:03:54.0015 3108 ql1280 - ok
23:03:54.0046 3108 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:03:54.0046 3108 RasAcd - ok
23:03:54.0078 3108 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
23:03:54.0078 3108 RasAuto - ok
23:03:54.0093 3108 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
23:03:54.0093 3108 Rasirda - ok
23:03:54.0109 3108 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:03:54.0109 3108 Rasl2tp - ok
23:03:54.0156 3108 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
23:03:54.0171 3108 RasMan - ok
23:03:54.0171 3108 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:03:54.0171 3108 RasPppoe - ok
23:03:54.0187 3108 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:03:54.0187 3108 Raspti - ok
23:03:54.0218 3108 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:03:54.0234 3108 Rdbss - ok
23:03:54.0234 3108 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:03:54.0234 3108 RDPCDD - ok
23:03:54.0296 3108 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:03:54.0312 3108 rdpdr - ok
23:03:54.0359 3108 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
23:03:54.0359 3108 RDPWD - ok
23:03:54.0390 3108 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:03:54.0390 3108 redbook - ok
23:03:54.0421 3108 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
23:03:54.0421 3108 RemoteAccess - ok
23:03:54.0453 3108 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
23:03:54.0453 3108 RemoteRegistry - ok
23:03:54.0515 3108 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
23:03:54.0515 3108 RMCAST - ok
23:03:54.0546 3108 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
23:03:54.0562 3108 RpcLocator - ok
23:03:54.0625 3108 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
23:03:54.0640 3108 RpcSs - ok
23:03:54.0687 3108 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
23:03:54.0687 3108 RSVP - ok
23:03:54.0734 3108 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:03:54.0734 3108 SamSs - ok
23:03:54.0765 3108 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
23:03:54.0765 3108 SCardSvr - ok
23:03:54.0828 3108 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
23:03:54.0828 3108 Schedule - ok
23:03:54.0890 3108 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:03:54.0890 3108 Secdrv - ok
23:03:54.0921 3108 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
23:03:54.0921 3108 seclogon - ok
23:03:54.0937 3108 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
23:03:54.0953 3108 SENS - ok
23:03:54.0968 3108 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:03:54.0968 3108 serenum - ok
23:03:55.0000 3108 Serial (2e2fc3a9d9f5f9a938cf3e1af52ce8f2) C:\WINDOWS\system32\DRIVERS\serial.sys
23:03:55.0000 3108 Serial ( Virus.Win32.ZAccess.c ) - infected
23:03:55.0000 3108 Serial - detected Virus.Win32.ZAccess.c (0)
23:03:55.0046 3108 SFAUDIO (b6401608579b6431994425ba7653f774) C:\WINDOWS\system32\drivers\sfaudio.sys
23:03:55.0046 3108 SFAUDIO - ok
23:03:55.0062 3108 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:03:55.0062 3108 Sfloppy - ok
23:03:55.0156 3108 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
23:03:55.0156 3108 SharedAccess - ok
23:03:55.0218 3108 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:03:55.0218 3108 ShellHWDetection - ok
23:03:55.0218 3108 Simbad - ok
23:03:55.0234 3108 SMCIRDA - ok
23:03:55.0250 3108 Sparrow - ok
23:03:55.0265 3108 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:03:55.0265 3108 splitter - ok
23:03:55.0312 3108 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
23:03:55.0312 3108 Spooler - ok
23:03:55.0343 3108 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:03:55.0343 3108 sr - ok
23:03:55.0390 3108 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
23:03:55.0390 3108 srservice - ok
23:03:55.0468 3108 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:03:55.0468 3108 Srv - ok
23:03:55.0515 3108 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
23:03:55.0531 3108 SSDPSRV - ok
23:03:55.0593 3108 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
23:03:55.0609 3108 stisvc - ok
23:03:55.0625 3108 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:03:55.0625 3108 swenum - ok
23:03:55.0671 3108 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:03:55.0671 3108 swmidi - ok
23:03:55.0687 3108 SwPrv - ok
23:03:55.0687 3108 symc810 - ok
23:03:55.0703 3108 symc8xx - ok
23:03:55.0718 3108 sym_hi - ok
23:03:55.0734 3108 sym_u3 - ok
23:03:55.0796 3108 SynTP (926e0bb4cac05d9a0c3b59dc16fe2f1c) C:\WINDOWS\system32\DRIVERS\SynTP.sys
23:03:55.0796 3108 SynTP - ok
23:03:55.0828 3108 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:03:55.0828 3108 sysaudio - ok
23:03:55.0875 3108 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
23:03:55.0875 3108 SysmonLog - ok
23:03:55.0906 3108 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
23:03:55.0906 3108 TapiSrv - ok
23:03:55.0968 3108 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:03:56.0000 3108 Tcpip - ok
23:03:56.0031 3108 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:03:56.0031 3108 TDPIPE - ok
23:03:56.0046 3108 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:03:56.0046 3108 TDTCP - ok
23:03:56.0078 3108 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:03:56.0078 3108 TermDD - ok
23:03:56.0140 3108 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
23:03:56.0140 3108 TermService - ok
23:03:56.0187 3108 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:03:56.0187 3108 Themes - ok
23:03:56.0234 3108 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
23:03:56.0250 3108 TlntSvr - ok
23:03:56.0250 3108 TosIde - ok
23:03:56.0281 3108 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
23:03:56.0296 3108 TrkWks - ok
23:03:56.0328 3108 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:03:56.0328 3108 Udfs - ok
23:03:56.0328 3108 ultra - ok
23:03:56.0390 3108 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:03:56.0390 3108 Update - ok
23:03:56.0421 3108 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
23:03:56.0437 3108 upnphost - ok
23:03:56.0453 3108 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
23:03:56.0468 3108 UPS - ok
23:03:56.0500 3108 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:03:56.0500 3108 USBAAPL - ok
23:03:56.0531 3108 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:03:56.0531 3108 usbehci - ok
23:03:56.0562 3108 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:03:56.0562 3108 usbhub - ok
23:03:56.0593 3108 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
23:03:56.0593 3108 usbohci - ok
23:03:56.0625 3108 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:03:56.0625 3108 usbprint - ok
23:03:56.0687 3108 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:03:56.0687 3108 usbscan - ok
23:03:56.0734 3108 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:03:56.0734 3108 USBSTOR - ok
23:03:56.0750 3108 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:03:56.0750 3108 usbuhci - ok
23:03:56.0781 3108 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:03:56.0781 3108 VgaSave - ok
23:03:56.0796 3108 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
23:03:56.0796 3108 ViaIde - ok
23:03:56.0796 3108 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:03:56.0812 3108 VolSnap - ok
23:03:56.0875 3108 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
23:03:56.0890 3108 VSS - ok
23:03:56.0921 3108 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
23:03:56.0937 3108 W32Time - ok
23:03:56.0953 3108 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:03:56.0953 3108 Wanarp - ok
23:03:57.0031 3108 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
23:03:57.0046 3108 Wdf01000 - ok
23:03:57.0046 3108 WDICA - ok
23:03:57.0093 3108 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:03:57.0093 3108 wdmaud - ok
23:03:57.0125 3108 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
23:03:57.0125 3108 WebClient - ok
23:03:57.0218 3108 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
23:03:57.0234 3108 winmgmt - ok
23:03:57.0281 3108 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
23:03:57.0281 3108 WmdmPmSN - ok
23:03:57.0375 3108 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
23:03:57.0390 3108 Wmi - ok
23:03:57.0406 3108 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
23:03:57.0406 3108 WmiAcpi - ok
23:03:57.0437 3108 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
23:03:57.0437 3108 WmiApSrv - ok
23:03:57.0593 3108 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
23:03:57.0625 3108 WMPNetworkSvc - ok
23:03:57.0656 3108 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:03:57.0656 3108 WS2IFSL - ok
23:03:57.0703 3108 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
23:03:57.0703 3108 wscsvc - ok
23:03:57.0750 3108 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
23:03:57.0750 3108 wuauserv - ok
23:03:57.0781 3108 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:03:57.0781 3108 WudfPf - ok
23:03:57.0796 3108 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:03:57.0796 3108 WudfRd - ok
23:03:57.0828 3108 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
23:03:57.0828 3108 WudfSvc - ok
23:03:57.0890 3108 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
23:03:57.0906 3108 WZCSVC - ok
23:03:57.0953 3108 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
23:03:57.0953 3108 xmlprov - ok
23:03:57.0984 3108 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk0\DR0
23:03:58.0218 3108 \Device\Harddisk0\DR0 - ok
23:03:58.0218 3108 Boot (0x1200) (8508ac198e50c1a7ebaf37c05b970640) \Device\Harddisk0\DR0\Partition0
23:03:58.0234 3108 \Device\Harddisk0\DR0\Partition0 - ok
23:03:58.0250 3108 Boot (0x1200) (bf626b0580d3d9e33dbcf78d603429e2) \Device\Harddisk0\DR0\Partition1
23:03:58.0250 3108 \Device\Harddisk0\DR0\Partition1 - ok
23:03:58.0265 3108 ============================================================
23:03:58.0265 3108 Scan finished
23:03:58.0265 3108 ============================================================
23:03:58.0281 3992 Detected object count: 1
23:03:58.0281 3992 Actual detected object count: 1
23:04:05.0375 3992 C:\WINDOWS\system32\DRIVERS\serial.sys - copied to quarantine
23:04:05.0921 3992 C:\WINDOWS\$NtUninstallKB62280$\485945278\cfg.ini - copied to quarantine
23:04:06.0953 3992 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\serial.sys) error 1813
23:04:10.0687 3992 Backup copy found, using it..
23:04:10.0703 3992 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
23:04:12.0921 3992 C:\WINDOWS\$NtUninstallKB62280$\2375232262 - will be deleted on reboot
23:04:12.0921 3992 C:\WINDOWS\$NtUninstallKB62280$\485945278\cfg.ini - will be deleted on reboot
23:04:13.0062 3992 Serial ( Virus.Win32.ZAccess.c ) - User select action: Cure
23:04:26.0765 2120 Deinitialize success

And here's aswMBR -

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-24 23:09:04
-----------------------------
23:09:04.953 OS Version: Windows 5.1.2600 Service Pack 3
23:09:04.953 Number of processors: 2 586 0x301
23:09:04.953 ComputerName: YOUR-A9279112E3 UserName: Administrator
23:09:05.625 Initialze error 0
23:13:49.359 AVAST engine defs: 12042401
23:13:53.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861Port0Path0Target0Lun0
23:13:53.734 Disk 0 Vendor: FUJITSU_ 8909 Size: 114473MB BusType: 1
23:13:53.843 Disk 0 MBR read successfully
23:13:53.921 Disk 0 MBR scan
23:13:54.015 Disk 0 unknown MBR code
23:13:54.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 113435 MB offset 63
23:13:54.234 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 1027 MB offset 232332030
23:13:54.343 Disk 0 scanning sectors +234436545
23:13:54.500 Disk 0 scanning C:\WINDOWS\system32\drivers
23:13:54.625 Service scanning
23:13:55.671 Modules scanning
23:14:15.390 Disk 0 trace - called modules:
23:14:15.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll Amddfltr.sys ACPI.sys SCSIPORT.SYS ahcix86.sys
23:14:16.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a35c030]
23:14:16.906 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8a397a18]
23:14:17.093 5 hpdskflt.sys[f77184e6] -> nt!IofCallDriver -> [0x8a397ce0]
23:14:17.265 7 Amddfltr.sys[f77200b6] -> nt!IofCallDriver -> \Device\0000008a[0x8a43f8a0]
23:14:17.437 9 ACPI.sys[f7347620] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port0Path0Target0Lun0[0x8a386030]
23:14:17.656 AVAST engine scan C:\WINDOWS
23:14:17.875 AVAST engine scan C:\WINDOWS\system32
23:14:18.109 AVAST engine scan C:\WINDOWS\system32\drivers
23:14:18.328 AVAST engine scan C:\Documents and Settings\Administrator
23:14:18.546 AVAST engine scan C:\Documents and Settings\All Users
23:14:18.718 Scan finished successfully
23:14:26.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\Bleep\MBR.dat"
23:14:27.109 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\Bleep\aswMBR.txt"

Thanks for your attention,
SCottB

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:39 PM

Posted 25 April 2012 - 01:01 AM

Hello


I have attached a file - I would like you to download it and double click to run - when asked to merge allow it


At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Born Yesterday

Born Yesterday
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:39 PM

Posted 25 April 2012 - 11:35 PM

Howdy Honorable Gringo,
You're maybe going to tell me to run ComboFix again, but I will wait for you to tell me so...
I dragged the .txt to the ComboFix icon like I was supposed to, but then two things happened. One, I had forgotten I had installed the Windows Security Whatever anti-virus you had included a link to in a prior post. ComboFix told me it was there in a warning window. In a second warning window, CF said it could run, but I would be taking the risk that something bad might happen. Before I clicked "OK" to run CF, I uninstalled the anti-virus.
Then (here's the second thing...) after I clicked "OK" to run CF, it put up another warning that it had expired and that if I asked it to continue with the scan it would do so with reduced functionality. Fine, go ahead, whatever. So, the scan was completed in the state of reduced functionality, whatever that means. Like I typed, maybe I will have to re-download CF, drag the .txt, and do this again?
Anyway, the scan was fast with no hiccups. Here's the log/report:

ComboFix 12-04-19.02 - Administrator 04/25/2012 22:21:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1184 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))
.
.
2012-04-25 05:18 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-25 05:04 . 2012-04-25 05:04 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-23 18:46 . 2008-04-14 06:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-05 22:12 . 2012-04-05 22:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-04-05 18:12 . 2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
2012-03-30 02:51 . 2012-03-30 03:01 -------- d-----w- c:\windows\system32\NtmsData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-25 05:05 . 2004-08-04 08:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-01 11:01 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 08:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 08:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 17:01 . 2011-03-07 04:31 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2011-03-07 04:31 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-07 17:02 . 2012-02-07 17:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-04 08:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-23 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2008-05-14 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intelUsb3Sevices]
2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3iw32]
2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 9:24 PM 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 9:49 PM 15416]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 4:14 AM 24064]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 5:08 PM 182576]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 2:29 PM 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/21/2008 10:50 PM 193840]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 1:16 PM 41216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:20 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:20 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 19:34]
.
2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 22:20]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 22:20]
.
2012-04-26 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 20:28]
.
2012-04-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Helena&state=MT&site=TFX&textField1=46.5928&textField2=-112.035&e=1
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-40318825.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-25 22:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|??@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-797339378-3992607010-2023527187-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,27,1f,7c,fd,b1,35,48,8f,6b,7a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,27,1f,7c,fd,b1,35,48,8f,6b,7a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\USB3iw32.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
.
- - - - - - - > 'explorer.exe'(10784)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-25 22:24:54
ComboFix-quarantined-files.txt 2012-04-26 04:24
ComboFix2.txt 2012-04-24 04:18
.
Pre-Run: 89,206,816,768 bytes free
Post-Run: 89,265,127,424 bytes free
.
- - End Of File - - 7C60104709B014B80FAFCA54A5D67A9A

Let me know what you'd like me to do next.
Thanks,
SCottB
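The Winlogon Notify and svchost entries in the ComboFix log above (two Notify subkeys, intelUsb3Sevices and USB3iw32, both pointing at c:\windows\system32\USB3iw32.dll, plus an IntelUsb3S service group) are the first things a log reviewer checks, because a Notify package is loaded into winlogon.exe at every logon. The script below is an added example for readers of this thread, not code from the thread, from ComboFix or from the helper. It parses a registry dump in the same layout and flags two things: a DLL registered under more than one Notify subkey, and Notify DLLs whose modification date falls within an assumed 30-day window before the scan. The sample text it embeds is constructed to mirror the shape of the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample in the layout ComboFix uses for its registry dump.
# Not the thread's own log; the key shapes match the entries quoted in it.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\ackpbsc]
2007-05-15 23:08 112640 ----a-w- c:\\windows\\system32\\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\intelUsb3Sevices]
2012-04-05 18:12 38400 ----a-w- c:\\windows\\system32\\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\USB3iw32]
2012-04-05 18:12 38400 ----a-w- c:\\windows\\system32\\USB3iw32.dll
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches a file line such as "2012-04-05 18:12 38400 ----a-w- c:\windows\system32\USB3iw32.dll"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
NOTIFY_MARK = "\\winlogon\\notify\\"


def parse_registry_dump(text):
    """Group the lines of a ComboFix-style dump under the [key] header that precedes them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with a lone dot
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def notify_entries(sections):
    """Return {subkey: (modified, size, dll_path)} for every Winlogon Notify package."""
    entries = {}
    for key, lines in sections.items():
        idx = key.lower().find(NOTIFY_MARK)
        if idx < 0:
            continue
        subkey = key[idx + len(NOTIFY_MARK):]
        for line in lines:
            m = FILE_RE.match(line)
            if m:
                modified = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M")
                entries[subkey] = (modified, int(m["size"]), m["path"].lower())
    return entries


def duplicate_notify_dlls(entries):
    """DLLs registered under more than one Notify subkey; a package normally has exactly one."""
    by_dll = defaultdict(list)
    for subkey, (_, _, path) in entries.items():
        by_dll[path].append(subkey)
    return {path: sorted(subs) for path, subs in by_dll.items() if len(subs) > 1}


def recent_notify_dlls(entries, scan_date, days=30):
    """Notify subkeys whose DLL was modified within `days` before the scan (assumed threshold)."""
    cutoff = datetime.combine(scan_date, datetime.min.time()) - timedelta(days=days)
    return sorted(sub for sub, (modified, _, _) in entries.items() if modified >= cutoff)


def svchost_groups(sections):
    """Service groups listed under ...\\CurrentVersion\\svchost, kept raw for manual review."""
    groups = {}
    for key, lines in sections.items():
        if key.lower().endswith("\\currentversion\\svchost"):
            for line in lines:
                parts = line.split(" REG_MULTI_SZ ", 1)
                if len(parts) == 2:
                    groups[parts[0].strip()] = parts[1].strip()
    return groups


if __name__ == "__main__":
    sections = parse_registry_dump(SAMPLE_LOG)
    entries = notify_entries(sections)
    print("duplicate Notify DLLs:", duplicate_notify_dlls(entries))
    print("recently modified Notify DLLs:", recent_notify_dlls(entries, date(2012, 4, 25)))
    print("svchost groups to review:", svchost_groups(sections))
```

Run it against a saved ComboFix.txt by reading the file into `parse_registry_dump` instead of `SAMPLE_LOG`; the scan date comes from the log's "Completion time" line. A hit from either check is a reason to look closer at the file, not proof of infection by itself: vendor smart-card or fingerprint software (ackpbsc.dll and acunlock.dll above) legitimately registers Notify packages, so the reviewer still compares the DLL's publisher and install history.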

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:39 PM

Posted 26 April 2012 - 12:42 AM

Hello

Things are starting to look real good - how are things running at this time?

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Born Yesterday

Born Yesterday
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 27 April 2012 - 11:02 PM

Hola Gringo,
For the little I have been using my computer it has been running well. I have cut back on usage since we started this effort so as not to get in the way and mess things up. For sure the start up is way faster. I used to turn my computer on and walk out of the room and do something else for a while because it started up so slowly. Now that fast start up appears to be the new norm, I suppose I won't be so forgiving of slowness in the future.

Here is the report from your last request:

ActivClient 6.1 x86
Adobe Flash Player 10 ActiveX
Adobe Reader 9.5.1
Agere Systems HDA Modem
AMD Driver Support for HP 3D DriverGuard
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Critical Update for Windows Media Player 11 (KB959772)
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP 3D DriveGuard
HP LaserJet P1500 series
HP Quick Launch Buttons 6.40 E1
HPCarePackCore
HPCarePackProducts
hppMSRedist
hppusgP1500
iTunes
Java™ 6 Update 7
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MrvlUsgTracking
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skins
SoundMAX
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

Thanks for your help. Now I can spend some time on my computer and figure out my budget and see what all I can send along as a more practical gesture. I await further instructions.
SCottB

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:39 PM

Posted 27 April 2012 - 11:12 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Adobe Reader 9.5.1
Java™ 6 Update 7


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:39 PM

Posted 30 April 2012 - 11:48 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools.




Gringo



