
Need help removing Google redirect...please


This topic is locked
34 replies to this topic

#1 stargirl6878

  • Members
  • 17 posts
  • Gender:Female
  • Location:Florida

Posted 19 April 2012 - 01:04 AM

Hello,

Need help removing malware from my laptop.

Symptoms are Google redirects in Firefox to varied web addresses, including shoppingcove.com and happili.com. Also, sometimes new tabs open by themselves and load random websites as well. I can only access other websites through bookmarks and/or typing directly into the web address bar in the browser.

This malware does not seem to be affecting IE at the moment. GMER caused a BSOD; I was not able to get a log of it. Please help me get rid of this annoying infection.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jeffrey Rivera at 22:25:35 on 2012-04-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.571 [GMT -4:00]
.
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://everythingy.com/ie/home
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11g_ActiveX.exe -update activex
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000347&p=ZQxdm012YYUS&si=118724&a=g6JMaN9LtAnZnz2cB.fzuA&n=2010110101
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{998C6861-A6AB-4BBC-8160-EDC6449BA6FD} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jeffrey rivera\application data\mozilla\firefox\profiles\8xr1dd44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-15 136176]
S2 Intel Usb3;Intel USB3 Service;c:\windows\system32\svchost.exe -k IntelUsb3S [2004-8-10 14336]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\common\lib\ioloservicemanager.exe" --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 Wmipse;Wmipse;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-15 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-16 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-04-17 23:14:56 -------- d-----w- c:\program files\Runtime Software
2012-04-16 22:31:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-16 22:31:19 -------- d-----w- c:\documents and settings\jeffrey rivera\application data\Malwarebytes
2012-04-15 07:41:09 -------- d-----w- c:\documents and settings\jeffrey rivera\application data\AVG2012
2012-04-15 07:32:58 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-04-15 07:31:11 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-04-15 07:29:45 -------- d-----w- c:\program files\AVG
2012-04-15 06:50:33 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-04-14 18:47:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-14 03:37:48 57344 ----a-w- c:\windows\system32\wscsvv32.dll
2012-04-14 01:37:38 57344 ----a-w- c:\windows\system32\WmdmPv32.dll
2012-04-13 23:37:30 57344 ----a-w- c:\windows\system32\nsvciv32.dll
2012-04-13 21:37:19 57344 ----a-w- c:\windows\system32\atksgv32.dll
2012-04-13 17:37:14 57344 ----a-w- c:\windows\system32\Nwsapv32.dll
2012-04-13 15:37:11 57344 ----a-w- c:\windows\system32\NWCWov32.dll
2012-04-07 05:47:21 57344 ----a-w- c:\windows\system32\Irmonv32.dll
2012-04-07 03:47:16 57344 ----a-w- c:\windows\system32\Ipripv32.dll
2012-04-05 06:40:36 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-30 07:22:19 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-30 07:22:19 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-03-07 04:40:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-27 21:42:07 74703 ----a-w- c:\windows\system32\mfc45.dll
.
============= FINISH: 22:27:47.21 ===============
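Added example, not part of the thread or of the DDS tool: a small Python triage helper that parses the "Created Last 30" entries in the DDS log above and flags clusters of same-size, differently named files dropped into one directory within a short window, which is the pattern the eight 57344-byte *v32.dll files in system32 show (names, sizes and timestamps in the sample are copied from the log; the sample list itself is constructed). Legitimate updates such as the two Firefox DLLs have distinct sizes and do not cluster.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the DDS format: date, time, size (dashes for a directory), flags, path.
SAMPLE_LINES = [
    r"2012-04-17 23:14:56 -------- d-----w- c:\program files\Runtime Software",
    r"2012-04-14 03:37:48 57344 ----a-w- c:\windows\system32\wscsvv32.dll",
    r"2012-04-14 01:37:38 57344 ----a-w- c:\windows\system32\WmdmPv32.dll",
    r"2012-04-13 23:37:30 57344 ----a-w- c:\windows\system32\nsvciv32.dll",
    r"2012-04-13 21:37:19 57344 ----a-w- c:\windows\system32\atksgv32.dll",
    r"2012-04-13 17:37:14 57344 ----a-w- c:\windows\system32\Nwsapv32.dll",
    r"2012-04-13 15:37:11 57344 ----a-w- c:\windows\system32\NWCWov32.dll",
    r"2012-04-07 05:47:21 57344 ----a-w- c:\windows\system32\Irmonv32.dll",
    r"2012-04-07 03:47:16 57344 ----a-w- c:\windows\system32\Ipripv32.dll",
    r"2012-04-05 06:40:36 0 --sha-w- c:\windows\system32\dds_trash_log.cmd",
    r"2012-03-30 07:22:19 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll",
    r"2012-03-30 07:22:19 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll",
]

_ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$"
)

@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "----a-w-"; a leading 'd' marks a directory
    directory: str        # lower-cased parent folder
    name: str             # file name as printed

@dataclass
class Cluster:
    directory: str
    size: int
    files: List[Entry]    # oldest first
    span_hours: float     # first drop to last drop
    common_suffix: str    # shared tail of the names, e.g. "v32.dll"

def parse_dds_created(lines):
    """Parse DDS 'Created Last 30' lines; headers and '.' separators are skipped."""
    entries = []
    for line in lines:
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        entries.append(Entry(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                             int(size) if size.isdigit() else None,
                             attrs, folder.lower(), name))
    return entries

def common_suffix(names):
    """Longest case-insensitive suffix shared by every name ('' if none)."""
    lowered = [n.lower() for n in names]
    shortest = min(lowered, key=len)
    for i in range(len(shortest)):
        suffix = shortest[i:]
        if all(n.endswith(suffix) for n in lowered):
            return suffix
    return ""

def find_same_size_clusters(entries, min_count=3, window_days=14):
    """Groups of >= min_count distinctly named files sharing directory and exact byte
    size, all created within window_days: one payload written under rotating names."""
    groups = defaultdict(list)
    for e in entries:
        if e.attrs.startswith("d") or not e.size:
            continue                      # skip directories and empty files
        groups[(e.directory, e.size)].append(e)
    clusters = []
    for (directory, size), files in groups.items():
        if len({f.name.lower() for f in files}) < min_count:
            continue
        files.sort(key=lambda f: f.created)
        span = files[-1].created - files[0].created
        if span.days > window_days:
            continue
        clusters.append(Cluster(directory, size, files, span.total_seconds() / 3600,
                                common_suffix([f.name for f in files])))
    clusters.sort(key=lambda c: len(c.files), reverse=True)
    return clusters

def report(lines):
    clusters = find_same_size_clusters(parse_dds_created(lines))
    for c in clusters:
        print(f"[!] {len(c.files)} files of {c.size} bytes in {c.directory} "
              f"over {c.span_hours:.1f} h; names end in '{c.common_suffix}'")
        for f in c.files:
            print(f"    {f.created:%Y-%m-%d %H:%M:%S}  {f.name}")
    return clusters

if __name__ == "__main__":
    report(SAMPLE_LINES)
```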



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 April 2012 - 11:48 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 stargirl6878
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Location:Florida

Posted 20 April 2012 - 10:26 PM

Hi Gringo...thanks in advance for your help!

Computer seems to be running better now. Google searches in Firefox are no longer redirecting :)

Question: should I activate Windows Firewall again and also install an antivirus program at this point, or should I wait?
If so, what program would you suggest? AVG, Avast, Avira? Thanks...


Here are the logs you requested below...




Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 11.1.102.63
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


ComboFix 12-04-20.03 - Jeffrey Rivera 04/20/2012 15:54:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1123 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey Rivera\My Documents\Downloads\clean it\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jeff\g2mdlhlpx.exe
c:\documents and settings\Jeffrey Rivera\Application Data\inst.exe
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Jeffrey Rivera\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Jeffrey Rivera\Application Data\vso_ts_preview.xml
c:\documents and settings\Jeffrey Rivera\Local Settings\Application Data\feetljjemx.exe
c:\windows\$NtUninstallKB62280$\1271915273
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\L\yareyiwi
c:\windows\$NtUninstallKB62280$\485945278\oemid
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\$NtUninstallKB62280$\485945278\version
c:\windows\system32\61883.dll
c:\windows\system32\aexnsclient.dll
c:\windows\system32\ATSWPDRV.dll
c:\windows\system32\botcbs.dll
c:\windows\system32\BUFADPT.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dptrackerd.dll
c:\windows\system32\FontCache3.0.0.0..dll
c:\windows\system32\Ipripv32.dll
c:\windows\system32\Irmonv32.dll
c:\windows\system32\ispwdsvc.dll
c:\windows\system32\netw4x32.dll
c:\windows\system32\NWCWov32.dll
c:\windows\system32\olregcap.dll
c:\windows\system32\plugplay.dll
c:\windows\system32\retroexplauncher.dll
c:\windows\system32\rmedia.dll
c:\windows\system32\roboot.exe
c:\windows\system32\s117unic.dll
c:\windows\system32\SABProcEnum.dll
c:\windows\system32\SQTECH905C.dll
c:\windows\system32\sysmonlog.dll
c:\windows\system32\uhcd.dll
c:\windows\system32\Xyz777b.dll
c:\windows\system32\zebrbus.dll
c:\windows\system32\zpnodecollector.dll
D:\Autorun.inf
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
.
2012-04-20 19:51 . 2008-04-14 02:04 36463 ----a-w- c:\windows\system32\dllcache\ati1tuxx.sys
2012-04-20 19:51 . 2008-04-14 02:04 34735 ----a-w- c:\windows\system32\dllcache\ati1xsxx.sys
2012-04-17 23:14 . 2012-04-17 23:14 -------- d-----w- c:\program files\Runtime Software
2012-04-16 22:31 . 2012-04-17 07:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-16 22:31 . 2012-04-16 22:31 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Malwarebytes
2012-04-15 07:41 . 2012-04-15 07:41 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\AVG2012
2012-04-15 07:32 . 2012-04-15 07:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-04-15 07:31 . 2012-04-17 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-04-15 07:29 . 2012-04-15 07:29 -------- d-----w- c:\program files\AVG
2012-04-15 06:50 . 2012-04-17 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-14 03:37 . 2012-04-14 03:37 57344 ----a-w- c:\windows\system32\wscsvv32.dll
2012-04-14 01:37 . 2012-04-14 01:37 57344 ----a-w- c:\windows\system32\WmdmPv32.dll
2012-04-14 00:28 . 2012-04-14 00:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-13 23:37 . 2012-04-13 23:37 57344 ----a-w- c:\windows\system32\nsvciv32.dll
2012-04-13 21:37 . 2012-04-13 21:37 57344 ----a-w- c:\windows\system32\atksgv32.dll
2012-04-13 17:37 . 2012-04-13 17:37 57344 ----a-w- c:\windows\system32\Nwsapv32.dll
2012-04-13 17:02 . 2012-04-13 17:02 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Sonic
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-04-06 04:41 . 2012-04-06 04:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-30 07:22 . 2012-03-30 07:22 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-30 07:22 . 2012-03-30 07:22 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-07 04:40 . 2011-06-01 15:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-10 15:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 15:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 15:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 15:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-10 15:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-10 15:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-10 15:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-27 21:42 . 2012-01-27 21:42 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-03-30 07:22 . 2012-03-07 02:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe" [2012-03-06 250528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2011-08-24 02:20 887976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 21:45 507904 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-26 04:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2003-04-02 02:20 12288 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S2 Intel Usb3;Intel USB3 Service;c:\windows\System32\svchost.exe -k IntelUsb3S [8/10/2004 11:00 AM 14336]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\Common\Lib\ioloServiceManager.exe" --> c:\program files\iolo\Common\Lib\ioloServiceManager.exe [?]
S2 Wmipse;Wmipse;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 11:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/16/2012 6:31 PM 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
atksgt
nsvcip
aaksrv
_iomega_active_disk_service_
serialkeys
pdlndldl
filechecker
Wmipse
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2012-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2009-09-14 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 09:04]
.
2012-04-13 c:\windows\Tasks\wrSpySweeper_L743D5E87900C4DABA123240E7013D08E.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-11-18 17:32]
.
2012-04-13 c:\windows\Tasks\wrSpySweeper_L743D5E87900C4DABA123240E7013D08E.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-11-18 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Jeffrey Rivera\Application Data\Mozilla\Firefox\Profiles\8xr1dd44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-atcfg - c:\docume~1\JEFFRE~1\LOCALS~1\Temp\atcfg.dll
MSConfigStartUp-rocoun - c:\docume~1\JEFFRE~1\LOCALS~1\Temp\rocoun.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-20 16:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?3?4?1??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\fxssvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-20 16:35:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-20 20:35
.
Pre-Run: 3,236,937,728 bytes free
Post-Run: 4,908,216,320 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - ADACFAAB11E3FC17818CC2225D8DFF1A

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 April 2012 - 07:17 AM

Greetings

Let's wait until we are done to install anything (I will give you a nice list when we are done), but you can activate the firewall while you are not actively scanning.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
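The TDSSKiller report requested above lists every service and driver it checked, one or more lines per object, and marks anything it flags with "infected" or "detected". As an added illustration that is not part of this thread and not code from TDSSKiller or its authors, the following Python script folds such a report into one record per object so the flagged entries stand out. The regexes, the Entry class and the function names are my own; the sample lines are copied from the TDSSKiller 2.7.31.0 log posted later in this thread. An object whose verdict line never arrives (a log cut off mid-scan, as happens when a scanner crashes) is reported as unknown rather than silently treated as clean.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One TDSSKiller log line: "<time> <pid> <rest>". Banner and SystemInfo
# lines share the prefix but their <rest> matches none of the patterns below.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
# "<name> (<md5>) <path>"            : the object and the file backing it
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# "<name> ( <verdict> ) - infected"  : the scanner's verdict on that object
VERDICT_RE = re.compile(r"^(?P<name>.+?) \( (?P<verdict>\S+) \) - (?P<status>\w+)$")
# "<name> - detected <verdict> (<n>)": the same detection repeated with a code
DETECTED_RE = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
# "<name> - ok"                      : object passed the check
OK_RE = re.compile(r"^(?P<name>.+?) - ok$")


@dataclass
class Entry:
    """Everything the log said about one service or driver."""
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: str = "unknown"   # "ok", "infected", ... or "unknown" if never closed
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Fold the per-object lines of a TDSSKiller log into one Entry per name."""
    entries: Dict[str, Entry] = {}

    def entry(name: str) -> Entry:
        return entries.setdefault(name, Entry(name))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # blank line or something unparseable
        rest = m["rest"]
        if f := FILE_RE.match(rest):       # file line: remember hash and path
            e = entry(f["name"])
            e.md5, e.path = f["md5"].lower(), f["path"]
        elif v := VERDICT_RE.match(rest):  # explicit verdict wins
            e = entry(v["name"])
            e.status, e.verdict = v["status"], v["verdict"]
        elif d := DETECTED_RE.match(rest): # keep the verdict even without a status line
            e = entry(d["name"])
            e.verdict = d["verdict"]
            if e.status == "unknown":
                e.status = "detected"
        elif o := OK_RE.match(rest):
            entry(o["name"]).status = "ok"
        # banner, SystemInfo and partition lines fall through and are ignored
    return entries


def findings(entries: Dict[str, Entry]) -> List[Entry]:
    """Entries that need a second look: anything not explicitly reported ok.
    An 'unknown' status means the log ended before that object's verdict."""
    return [e for e in entries.values() if e.status != "ok"]


# Sample lines copied from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
12:36:13.0818 0516 TDSS rootkit removing tool 2.7.31.0 Apr 20 2012 19:49:47
12:36:14.0443 0516 ============================================================
12:36:47.0165 0956 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:36:47.0165 0956 ACPI - ok
12:36:47.0243 0956 adpu160m - ok
12:36:49.0228 0956 Ati HotKey Poller (29ce0b7e8190d7ae278f94bbc43f496e) C:\WINDOWS\system32\Ati2evxx.exe
12:36:49.0244 0956 Ati HotKey Poller - ok
12:37:02.0917 0956 NetBT (687424de8867fcabd4af118418f1649c) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:37:02.0932 0956 NetBT ( Virus.Win32.ZAccess.k ) - infected
12:37:02.0932 0956 NetBT - detected Virus.Win32.ZAccess.k (0)
"""

if __name__ == "__main__":
    for e in findings(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"{e.status:>9}  {e.name}  {e.verdict or ''}  {e.path or ''}  md5={e.md5 or '-'}")
```

Run it as-is to see the sample summarised, or feed it the real file (the helper's post gives the name pattern TDSSKiller.[Version]_[Date]_[Time]_log.txt in C:\). The md5 kept on each Entry is the hash TDSSKiller computed for the file on disk, which is what you would compare against a known-good copy of the same driver when deciding whether the file itself was modified.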

#5 stargirl6878
  • Topic Starter
  • Members
  • 17 posts
  • Gender:Female
  • Location:Florida

Posted 21 April 2012 - 03:24 PM

Hi again Gringo!

I ran TDSSKiller. No problems that I can remember. The log is below.

I tried running aswMBR twice, both times in normal Windows mode. The first time, the program crashed while scanning and I had to hard reboot. The second time, the program crashed on a different file, and again I had to hard reboot. This is all I could get of the name: C:\windows\assembly\gac\mscorcfg.resources\1.0.3300.0_zh-cht_b03f5f7f1. I believe there is more to the file name and location, but I could not read the rest of it.

Please let me know what you would like me to do now. Thanks so much :)

12:36:13.0818 0516 TDSS rootkit removing tool 2.7.31.0 Apr 20 2012 19:49:47
12:36:14.0443 0516 ============================================================
12:36:14.0443 0516 Current date / time: 2012/04/21 12:36:14.0443
12:36:14.0443 0516 SystemInfo:
12:36:14.0443 0516
12:36:14.0443 0516 OS Version: 5.1.2600 ServicePack: 3.0
12:36:14.0443 0516 Product type: Workstation
12:36:14.0443 0516 ComputerName: RPB
12:36:14.0443 0516 UserName: Jeffrey Rivera
12:36:14.0443 0516 Windows directory: C:\WINDOWS
12:36:14.0443 0516 System windows directory: C:\WINDOWS
12:36:14.0443 0516 Processor architecture: Intel x86
12:36:14.0443 0516 Number of processors: 1
12:36:14.0443 0516 Page size: 0x1000
12:36:14.0443 0516 Boot type: Normal boot
12:36:14.0443 0516 ============================================================
12:36:16.0475 0516 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:36:16.0522 0516 \Device\Harddisk0\DR0:
12:36:16.0522 0516 MBR partitions:
12:36:16.0522 0516 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x7995EC1
12:36:16.0522 0516 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x7999DC1, BlocksNum 0x1972A3D
12:36:16.0756 0516 C: <-> \Device\Harddisk0\DR0\Partition0
12:36:16.0772 0516 D: <-> \Device\Harddisk0\DR0\Partition1
12:36:16.0772 0516 Initialize success
12:36:16.0772 0516 ============================================================
12:36:46.0540 0956 ============================================================
12:36:46.0540 0956 Scan started
12:36:46.0540 0956 Mode: Manual;
12:36:46.0540 0956 ============================================================
12:36:46.0993 0956 aaksrv - ok
12:36:47.0056 0956 Abiosdsk - ok
12:36:47.0087 0956 abp480n5 - ok
12:36:47.0165 0956 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:36:47.0165 0956 ACPI - ok
12:36:47.0212 0956 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
12:36:47.0212 0956 ACPIEC - ok
12:36:47.0243 0956 adpu160m - ok
12:36:47.0322 0956 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:36:47.0322 0956 aec - ok
12:36:47.0384 0956 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:36:47.0384 0956 AFD - ok
12:36:47.0447 0956 Aha154x - ok
12:36:47.0478 0956 aic78u2 - ok
12:36:47.0493 0956 aic78xx - ok
12:36:47.0572 0956 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
12:36:47.0572 0956 Alerter - ok
12:36:47.0650 0956 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
12:36:47.0650 0956 ALG - ok
12:36:47.0837 0956 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
12:36:47.0837 0956 AliIde - ok
12:36:47.0915 0956 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
12:36:47.0915 0956 AmdK8 - ok
12:36:48.0056 0956 amsint - ok
12:36:48.0165 0956 AntiSpywareService (f9dac844b1d370da4c984d4c22f5e696) C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
12:36:48.0181 0956 AntiSpywareService - ok
12:36:48.0322 0956 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
12:36:48.0337 0956 AppMgmt - ok
12:36:48.0462 0956 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:36:48.0478 0956 Arp1394 - ok
12:36:48.0509 0956 asc - ok
12:36:48.0525 0956 asc3350p - ok
12:36:48.0556 0956 asc3550 - ok
12:36:48.0775 0956 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
12:36:48.0822 0956 aspnet_state - ok
12:36:49.0056 0956 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:36:49.0056 0956 AsyncMac - ok
12:36:49.0119 0956 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:36:49.0119 0956 atapi - ok
12:36:49.0150 0956 Atdisk - ok
12:36:49.0228 0956 Ati HotKey Poller (29ce0b7e8190d7ae278f94bbc43f496e) C:\WINDOWS\system32\Ati2evxx.exe
12:36:49.0244 0956 Ati HotKey Poller - ok
12:36:49.0400 0956 ati2mtag (bf278c2d512ef0d2748cdac641bb9649) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
12:36:49.0462 0956 ati2mtag - ok
12:36:49.0728 0956 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:36:49.0744 0956 Atmarpc - ok
12:36:49.0775 0956 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
12:36:49.0775 0956 AudioSrv - ok
12:36:49.0822 0956 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:36:49.0822 0956 audstub - ok
12:36:49.0994 0956 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
12:36:50.0056 0956 BCM43XX - ok
12:36:50.0322 0956 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:36:50.0338 0956 Beep - ok
12:36:50.0416 0956 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
12:36:50.0494 0956 BITS - ok
12:36:50.0603 0956 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
12:36:50.0619 0956 Bonjour Service - ok
12:36:50.0884 0956 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
12:36:50.0884 0956 Browser - ok
12:36:51.0056 0956 BTWUSB - ok
12:36:51.0119 0956 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
12:36:51.0134 0956 CAMCAUD - ok
12:36:51.0181 0956 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
12:36:51.0181 0956 CAMCHALA - ok
12:36:51.0213 0956 catchme - ok
12:36:51.0494 0956 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:36:51.0494 0956 cbidf2k - ok
12:36:51.0588 0956 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
12:36:51.0588 0956 CCDECODE - ok
12:36:51.0619 0956 cd20xrnt - ok
12:36:51.0666 0956 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:36:51.0666 0956 Cdaudio - ok
12:36:51.0728 0956 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:36:51.0744 0956 Cdfs - ok
12:36:51.0806 0956 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:36:51.0806 0956 Cdrom - ok
12:36:51.0838 0956 Changer - ok
12:36:51.0885 0956 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
12:36:51.0885 0956 CiSvc - ok
12:36:51.0931 0956 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
12:36:51.0931 0956 ClipSrv - ok
12:36:52.0103 0956 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:36:52.0166 0956 clr_optimization_v2.0.50727_32 - ok
12:36:52.0275 0956 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
12:36:52.0275 0956 clr_optimization_v4.0.30319_32 - ok
12:36:52.0525 0956 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
12:36:52.0525 0956 CmBatt - ok
12:36:52.0556 0956 CmdIde - ok
12:36:52.0588 0956 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
12:36:52.0588 0956 Compbatt - ok
12:36:52.0603 0956 COMSysApp - ok
12:36:52.0650 0956 Cpqarray - ok
12:36:52.0713 0956 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
12:36:52.0713 0956 CryptSvc - ok
12:36:52.0744 0956 dac2w2k - ok
12:36:52.0760 0956 dac960nt - ok
12:36:52.0838 0956 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:36:52.0853 0956 DcomLaunch - ok
12:36:52.0916 0956 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
12:36:52.0916 0956 Dhcp - ok
12:36:52.0978 0956 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:36:52.0978 0956 Disk - ok
12:36:52.0994 0956 dmadmin - ok
12:36:53.0072 0956 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:36:53.0103 0956 dmboot - ok
12:36:53.0150 0956 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:36:53.0150 0956 dmio - ok
12:36:53.0197 0956 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:36:53.0197 0956 dmload - ok
12:36:53.0260 0956 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
12:36:53.0260 0956 dmserver - ok
12:36:53.0322 0956 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:36:53.0322 0956 DMusic - ok
12:36:53.0369 0956 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
12:36:53.0369 0956 Dnscache - ok
12:36:53.0447 0956 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
12:36:53.0463 0956 Dot3svc - ok
12:36:53.0525 0956 dpti2o - ok
12:36:53.0603 0956 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:36:53.0603 0956 drmkaud - ok
12:36:53.0635 0956 eabfiltr - ok
12:36:53.0697 0956 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
12:36:53.0697 0956 EapHost - ok
12:36:53.0791 0956 ehRecvr (5d1347aa5ae6e2f77d7f4f8372d95ac9) C:\WINDOWS\eHome\ehRecvr.exe
12:36:53.0791 0956 ehRecvr - ok
12:36:53.0869 0956 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
12:36:53.0869 0956 ehSched - ok
12:36:54.0103 0956 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
12:36:54.0103 0956 ERSvc - ok
12:36:54.0197 0956 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:36:54.0229 0956 Eventlog - ok
12:36:54.0338 0956 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
12:36:54.0354 0956 EventSystem - ok
12:36:54.0432 0956 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:36:54.0447 0956 Fastfat - ok
12:36:54.0510 0956 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:36:54.0510 0956 FastUserSwitchingCompatibility - ok
12:36:54.0635 0956 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
12:36:54.0650 0956 Fax - ok
12:36:54.0838 0956 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
12:36:54.0838 0956 Fdc - ok
12:36:54.0869 0956 filechecker - ok
12:36:54.0900 0956 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:36:54.0916 0956 Fips - ok
12:36:54.0963 0956 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
12:36:54.0963 0956 Flpydisk - ok
12:36:55.0041 0956 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:36:55.0041 0956 FltMgr - ok
12:36:55.0213 0956 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
12:36:55.0213 0956 FontCache3.0.0.0 - ok
12:36:55.0463 0956 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:36:55.0463 0956 Fs_Rec - ok
12:36:55.0510 0956 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:36:55.0526 0956 Ftdisk - ok
12:36:55.0557 0956 GEARAspiWDM - ok
12:36:55.0635 0956 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:36:55.0635 0956 Gpc - ok
12:36:55.0791 0956 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:36:55.0791 0956 gupdate - ok
12:36:55.0807 0956 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:36:55.0822 0956 gupdatem - ok
12:36:55.0963 0956 helpsvc - ok
12:36:56.0197 0956 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
12:36:56.0197 0956 HidServ - ok
12:36:56.0276 0956 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:36:56.0276 0956 HidUsb - ok
12:36:56.0354 0956 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
12:36:56.0354 0956 hkmsvc - ok
12:36:56.0416 0956 hpn - ok
12:36:56.0557 0956 hpqwmiex (16cf6f0847c36ff3a85930ecbc4d3c43) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
12:36:56.0557 0956 hpqwmiex - ok
12:36:56.0838 0956 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
12:36:56.0854 0956 HPZid412 - ok
12:36:56.0901 0956 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
12:36:56.0901 0956 HPZipr12 - ok
12:36:56.0963 0956 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
12:36:56.0963 0956 HPZius12 - ok
12:36:57.0026 0956 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
12:36:57.0041 0956 HSFHWATI - ok
12:36:57.0166 0956 HSF_DP (f99bb4e2b462198b2b0a82d0949f0c41) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
12:36:57.0244 0956 HSF_DP - ok
12:36:57.0401 0956 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
12:36:57.0463 0956 HSF_DPV - ok
12:36:57.0541 0956 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:36:57.0557 0956 HTTP - ok
12:36:57.0619 0956 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
12:36:57.0635 0956 HTTPFilter - ok
12:36:57.0682 0956 i2omgmt - ok
12:36:57.0713 0956 i2omp - ok
12:36:57.0791 0956 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:36:57.0807 0956 i8042prt - ok
12:36:57.0963 0956 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
12:36:57.0979 0956 IDriverT - ok
12:36:58.0198 0956 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
12:36:58.0229 0956 idsvc - ok
12:36:58.0479 0956 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:36:58.0479 0956 Imapi - ok
12:36:58.0541 0956 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
12:36:58.0557 0956 ImapiService - ok
12:36:58.0588 0956 ini910u - ok
12:36:58.0635 0956 Intel Usb3 - ok
12:36:58.0713 0956 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:36:58.0713 0956 IntelIde - ok
12:36:58.0776 0956 ioloSystemService - ok
12:36:58.0823 0956 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:36:58.0823 0956 Ip6Fw - ok
12:36:58.0870 0956 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:36:58.0870 0956 IpFilterDriver - ok
12:36:58.0901 0956 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:36:58.0901 0956 IpInIp - ok
12:36:58.0948 0956 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:36:58.0963 0956 IpNat - ok
12:36:58.0995 0956 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:36:58.0995 0956 IPSec - ok
12:36:59.0041 0956 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:36:59.0041 0956 IRENUM - ok
12:36:59.0088 0956 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:36:59.0104 0956 isapnp - ok
12:36:59.0166 0956 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:36:59.0166 0956 Kbdclass - ok
12:36:59.0229 0956 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:36:59.0229 0956 kbdhid - ok
12:36:59.0291 0956 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:36:59.0291 0956 kmixer - ok
12:36:59.0370 0956 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:36:59.0370 0956 KSecDD - ok
12:36:59.0448 0956 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
12:36:59.0448 0956 lanmanserver - ok
12:36:59.0495 0956 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
12:36:59.0495 0956 lanmanworkstation - ok
12:36:59.0557 0956 lbrtfdc - ok
12:36:59.0682 0956 LightScribeService (258caca1daade43978e2ecc9bdc94e1c) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
12:36:59.0682 0956 LightScribeService - ok
12:36:59.0948 0956 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
12:36:59.0948 0956 LmHosts - ok
12:37:00.0057 0956 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
12:37:00.0057 0956 MBAMSwissArmy - ok
12:37:00.0167 0956 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
12:37:00.0167 0956 McrdSvc - ok
12:37:00.0323 0956 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
12:37:00.0338 0956 MDM - ok
12:37:00.0604 0956 mdmxsdk - ok
12:37:00.0667 0956 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
12:37:00.0667 0956 Messenger - ok
12:37:00.0745 0956 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
12:37:00.0760 0956 MHN - ok
12:37:00.0839 0956 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
12:37:00.0839 0956 MHNDRV - ok
12:37:00.0885 0956 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:37:00.0885 0956 mnmdd - ok
12:37:00.0932 0956 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
12:37:00.0932 0956 mnmsrvc - ok
12:37:01.0026 0956 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:37:01.0026 0956 Modem - ok
12:37:01.0089 0956 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
12:37:01.0089 0956 motmodem - ok
12:37:01.0151 0956 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:37:01.0151 0956 Mouclass - ok
12:37:01.0214 0956 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:37:01.0214 0956 mouhid - ok
12:37:01.0276 0956 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:37:01.0276 0956 MountMgr - ok
12:37:01.0323 0956 mraid35x - ok
12:37:01.0370 0956 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:37:01.0385 0956 MRxDAV - ok
12:37:01.0448 0956 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:37:01.0464 0956 MRxSmb - ok
12:37:01.0557 0956 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:37:01.0557 0956 Msfs - ok
12:37:01.0589 0956 MSIServer - ok
12:37:01.0635 0956 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:37:01.0635 0956 MSKSSRV - ok
12:37:01.0714 0956 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:37:01.0714 0956 MSPCLOCK - ok
12:37:01.0745 0956 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:37:01.0745 0956 MSPQM - ok
12:37:01.0792 0956 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:37:01.0792 0956 mssmbios - ok
12:37:01.0870 0956 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
12:37:01.0870 0956 MSTEE - ok
12:37:01.0948 0956 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:37:01.0948 0956 Mup - ok
12:37:02.0276 0956 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
12:37:02.0276 0956 NABTSFEC - ok
12:37:02.0339 0956 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
12:37:02.0354 0956 napagent - ok
12:37:02.0417 0956 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:37:02.0417 0956 NDIS - ok
12:37:02.0511 0956 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
12:37:02.0511 0956 NdisIP - ok
12:37:02.0589 0956 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:37:02.0589 0956 NdisTapi - ok
12:37:02.0636 0956 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:37:02.0636 0956 Ndisuio - ok
12:37:02.0714 0956 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:37:02.0729 0956 NdisWan - ok
12:37:02.0776 0956 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:37:02.0776 0956 NDProxy - ok
12:37:02.0854 0956 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:37:02.0854 0956 NetBIOS - ok
12:37:02.0917 0956 NetBT (687424de8867fcabd4af118418f1649c) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:37:02.0932 0956 NetBT ( Virus.Win32.ZAccess.k ) - infected
12:37:02.0932 0956 NetBT - detected Virus.Win32.ZAccess.k (0)
12:37:02.0979 0956 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:37:02.0995 0956 NetDDE - ok
12:37:02.0995 0956 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:37:03.0011 0956 NetDDEdsdm - ok
12:37:03.0136 0956 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:37:03.0136 0956 Netlogon - ok
12:37:03.0214 0956 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
12:37:03.0214 0956 Netman - ok
12:37:03.0370 0956 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
12:37:03.0386 0956 NetTcpPortSharing - ok
12:37:03.0667 0956 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
12:37:03.0667 0956 NIC1394 - ok
12:37:03.0729 0956 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
12:37:03.0745 0956 Nla - ok
12:37:03.0792 0956 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:37:03.0792 0956 Npfs - ok
12:37:03.0886 0956 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:37:03.0901 0956 Ntfs - ok
12:37:03.0964 0956 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:37:03.0964 0956 NtLmSsp - ok
12:37:04.0042 0956 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
12:37:04.0058 0956 NtmsSvc - ok
12:37:04.0151 0956 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:37:04.0151 0956 Null - ok
12:37:04.0183 0956 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:37:04.0183 0956 NwlnkFlt - ok
12:37:04.0229 0956 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:37:04.0229 0956 NwlnkFwd - ok
12:37:04.0292 0956 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
12:37:04.0292 0956 ohci1394 - ok
12:37:04.0448 0956 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
12:37:04.0448 0956 ose - ok
12:37:04.0792 0956 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
12:37:04.0792 0956 Parport - ok
12:37:04.0870 0956 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:37:04.0870 0956 PartMgr - ok
12:37:04.0948 0956 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:37:04.0948 0956 ParVdm - ok
12:37:04.0995 0956 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:37:04.0995 0956 PCI - ok
12:37:05.0026 0956 PCIDump - ok
12:37:05.0058 0956 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:37:05.0073 0956 PCIIde - ok
12:37:05.0105 0956 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
12:37:05.0105 0956 Pcmcia - ok
12:37:05.0136 0956 PDCOMP - ok
12:37:05.0167 0956 PDFRAME - ok
12:37:05.0198 0956 pdlndldl - ok
12:37:05.0230 0956 PDRELI - ok
12:37:05.0261 0956 PDRFRAME - ok
12:37:05.0292 0956 perc2 - ok
12:37:05.0323 0956 perc2hib - ok
12:37:05.0417 0956 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:37:05.0433 0956 PlugPlay - ok
12:37:05.0495 0956 Pml Driver HPZ12 (2d091a99624fb9e7eef0a86d872ec0c3) C:\WINDOWS\system32\HPZipm12.exe
12:37:05.0495 0956 Pml Driver HPZ12 - ok
12:37:05.0558 0956 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:37:05.0558 0956 PolicyAgent - ok
12:37:05.0636 0956 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:37:05.0636 0956 PptpMiniport - ok
12:37:05.0683 0956 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
12:37:05.0683 0956 Processor - ok
12:37:05.0714 0956 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:37:05.0714 0956 ProtectedStorage - ok
12:37:05.0776 0956 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:37:05.0776 0956 PSched - ok
12:37:05.0823 0956 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:37:05.0823 0956 Ptilink - ok
12:37:05.0855 0956 PxHelp20 - ok
12:37:05.0886 0956 ql1080 - ok
12:37:05.0901 0956 Ql10wnt - ok
12:37:05.0933 0956 ql12160 - ok
12:37:05.0964 0956 ql1240 - ok
12:37:05.0995 0956 ql1280 - ok
12:37:06.0058 0956 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:37:06.0058 0956 RasAcd - ok
12:37:06.0105 0956 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
12:37:06.0105 0956 RasAuto - ok
12:37:06.0152 0956 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:37:06.0152 0956 Rasl2tp - ok
12:37:06.0214 0956 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
12:37:06.0214 0956 RasMan - ok
12:37:06.0245 0956 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:37:06.0245 0956 RasPppoe - ok
12:37:06.0308 0956 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:37:06.0308 0956 Raspti - ok
12:37:06.0386 0956 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:37:06.0386 0956 Rdbss - ok
12:37:06.0417 0956 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:37:06.0417 0956 RDPCDD - ok
12:37:06.0480 0956 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:37:06.0480 0956 rdpdr - ok
12:37:06.0573 0956 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
12:37:06.0589 0956 RDPWD - ok
12:37:06.0652 0956 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
12:37:06.0667 0956 RDSessMgr - ok
12:37:06.0730 0956 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:37:06.0730 0956 redbook - ok
12:37:06.0808 0956 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
12:37:06.0823 0956 RemoteAccess - ok
12:37:06.0886 0956 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
12:37:06.0886 0956 RemoteRegistry - ok
12:37:06.0980 0956 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
12:37:06.0980 0956 RimUsb - ok
12:37:07.0042 0956 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
12:37:07.0042 0956 RpcLocator - ok
12:37:07.0120 0956 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
12:37:07.0136 0956 RpcSs - ok
12:37:07.0198 0956 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
12:37:07.0198 0956 RSVP - ok
12:37:07.0339 0956 RTL8023xp (eacd871fdbe85393d112782896c2d7dd) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
12:37:07.0339 0956 RTL8023xp - ok
12:37:07.0402 0956 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
12:37:07.0402 0956 rtl8139 - ok
12:37:07.0464 0956 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:37:07.0464 0956 SamSs - ok
12:37:07.0527 0956 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
12:37:07.0542 0956 SCardSvr - ok
12:37:07.0589 0956 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
12:37:07.0605 0956 Schedule - ok
12:37:07.0714 0956 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
12:37:07.0714 0956 sdbus - ok
12:37:07.0777 0956 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:37:07.0777 0956 Secdrv - ok
12:37:07.0839 0956 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
12:37:07.0839 0956 seclogon - ok
12:37:07.0886 0956 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
12:37:07.0902 0956 SENS - ok
12:37:07.0980 0956 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
12:37:07.0980 0956 Serial - ok
12:37:08.0058 0956 serialkeys - ok
12:37:08.0214 0956 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:37:08.0214 0956 Sfloppy - ok
12:37:08.0277 0956 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
12:37:08.0292 0956 SharedAccess - ok
12:37:08.0370 0956 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:37:08.0370 0956 ShellHWDetection - ok
12:37:08.0433 0956 Simbad - ok
12:37:08.0511 0956 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
12:37:08.0511 0956 SLIP - ok
12:37:08.0574 0956 Sparrow - ok
12:37:08.0605 0956 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:37:08.0605 0956 splitter - ok
12:37:08.0808 0956 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
12:37:08.0808 0956 Spooler - ok
12:37:08.0996 0956 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:37:08.0996 0956 sr - ok
12:37:09.0074 0956 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
12:37:09.0074 0956 srservice - ok
12:37:09.0136 0956 SRTSP - ok
12:37:09.0214 0956 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:37:09.0230 0956 Srv - ok
12:37:09.0277 0956 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
12:37:09.0277 0956 SSDPSRV - ok
12:37:09.0402 0956 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
12:37:09.0402 0956 StillCam - ok
12:37:09.0480 0956 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
12:37:09.0496 0956 stisvc - ok
12:37:09.0589 0956 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
12:37:09.0589 0956 streamip - ok
12:37:09.0699 0956 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:37:09.0699 0956 swenum - ok
12:37:09.0730 0956 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:37:09.0730 0956 swmidi - ok
12:37:09.0761 0956 SwPrv - ok
12:37:09.0792 0956 symc810 - ok
12:37:09.0824 0956 symc8xx - ok
12:37:09.0855 0956 sym_hi - ok
12:37:09.0886 0956 sym_u3 - ok
12:37:09.0949 0956 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
12:37:09.0964 0956 SynTP - ok
12:37:10.0011 0956 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:37:10.0011 0956 sysaudio - ok
12:37:10.0074 0956 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
12:37:10.0074 0956 SysmonLog - ok
12:37:10.0152 0956 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
12:37:10.0168 0956 TapiSrv - ok
12:37:10.0261 0956 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:37:10.0261 0956 Tcpip - ok
12:37:10.0324 0956 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:37:10.0324 0956 TDPIPE - ok
12:37:10.0355 0956 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:37:10.0371 0956 TDTCP - ok
12:37:10.0402 0956 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:37:10.0418 0956 TermDD - ok
12:37:10.0480 0956 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
12:37:10.0496 0956 TermService - ok
12:37:10.0558 0956 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:37:10.0558 0956 Themes - ok
12:37:10.0652 0956 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
12:37:10.0652 0956 tifm21 - ok
12:37:10.0777 0956 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
12:37:10.0777 0956 TlntSvr - ok
12:37:10.0808 0956 TosIde - ok
12:37:10.0886 0956 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
12:37:10.0886 0956 TrkWks - ok
12:37:10.0964 0956 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:37:10.0964 0956 Udfs - ok
12:37:10.0996 0956 ultra - ok
12:37:11.0043 0956 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:37:11.0058 0956 Update - ok
12:37:11.0121 0956 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
12:37:11.0136 0956 upnphost - ok
12:37:11.0168 0956 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
12:37:11.0183 0956 UPS - ok
12:37:11.0246 0956 USBAAPL - ok
12:37:11.0308 0956 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:37:11.0308 0956 usbccgp - ok
12:37:11.0355 0956 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:37:11.0355 0956 usbehci - ok
12:37:11.0465 0956 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:37:11.0465 0956 usbhub - ok
12:37:11.0511 0956 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
12:37:11.0511 0956 usbohci - ok
12:37:11.0855 0956 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:37:11.0855 0956 usbprint - ok
12:37:11.0902 0956 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:37:11.0902 0956 usbscan - ok
12:37:11.0949 0956 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:37:11.0949 0956 USBSTOR - ok
12:37:12.0136 0956 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
12:37:12.0136 0956 usbvideo - ok
12:37:12.0230 0956 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:37:12.0230 0956 VgaSave - ok
12:37:12.0261 0956 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
12:37:12.0261 0956 ViaIde - ok
12:37:12.0340 0956 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:37:12.0340 0956 VolSnap - ok
12:37:12.0402 0956 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
12:37:12.0418 0956 VSS - ok
12:37:12.0480 0956 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
12:37:12.0480 0956 W32Time - ok
12:37:12.0574 0956 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:37:12.0590 0956 Wanarp - ok
12:37:12.0683 0956 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
12:37:12.0699 0956 Wdf01000 - ok
12:37:12.0730 0956 WDICA - ok
12:37:12.0777 0956 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:37:12.0793 0956 wdmaud - ok
12:37:12.0855 0956 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
12:37:12.0855 0956 WebClient - ok
12:37:13.0012 0956 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
12:37:13.0043 0956 winachsf - ok
12:37:13.0152 0956 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:37:13.0168 0956 winmgmt - ok
12:37:13.0262 0956 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
12:37:13.0340 0956 WinRM - ok
12:37:13.0418 0956 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
12:37:13.0433 0956 WmdmPmSN - ok
12:37:13.0527 0956 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
12:37:13.0558 0956 Wmi - ok
12:37:13.0652 0956 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
12:37:13.0652 0956 WmiAcpi - ok
12:37:13.0762 0956 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:37:13.0777 0956 WmiApSrv - ok
12:37:13.0965 0956 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
12:37:14.0012 0956 WMPNetworkSvc - ok
12:37:14.0309 0956 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
12:37:14.0309 0956 WpdUsb - ok
12:37:14.0496 0956 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
12:37:14.0543 0956 WPFFontCache_v0400 - ok
12:37:14.0793 0956 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:37:14.0793 0956 WS2IFSL - ok
12:37:14.0855 0956 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
12:37:14.0855 0956 wscsvc - ok
12:37:14.0902 0956 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
12:37:14.0902 0956 WSTCODEC - ok
12:37:14.0965 0956 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
12:37:14.0965 0956 wuauserv - ok
12:37:15.0043 0956 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:37:15.0059 0956 WudfPf - ok
12:37:15.0106 0956 WUDFRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
12:37:15.0106 0956 WUDFRd - ok
12:37:15.0168 0956 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
12:37:15.0184 0956 WudfSvc - ok
12:37:15.0262 0956 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
12:37:15.0277 0956 WZCSVC - ok
12:37:15.0340 0956 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
12:37:15.0356 0956 xmlprov - ok
12:37:15.0371 0956 _iomega_active_disk_service_ - ok
12:37:15.0449 0956 MBR (0x1B8) (5ae5a393505cffd37fe98c4a7922908d) \Device\Harddisk0\DR0
12:37:15.0481 0956 \Device\Harddisk0\DR0 - ok
12:37:15.0496 0956 Boot (0x1200) (9d3707c41ee74ac95f797e8816e5be6f) \Device\Harddisk0\DR0\Partition0
12:37:15.0496 0956 \Device\Harddisk0\DR0\Partition0 - ok
12:37:15.0527 0956 Boot (0x1200) (e3f2edb4feee8cd0c74ae60134ed2295) \Device\Harddisk0\DR0\Partition1
12:37:15.0527 0956 \Device\Harddisk0\DR0\Partition1 - ok
12:37:15.0527 0956 ============================================================
12:37:15.0527 0956 Scan finished
12:37:15.0527 0956 ============================================================
12:37:15.0543 3956 Detected object count: 1
12:37:15.0543 3956 Actual detected object count: 1
12:37:31.0982 3956 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
12:37:32.0123 3956 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
12:37:38.0342 3956 Backup copy found, using it..
12:37:38.0389 3956 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
12:37:40.0780 3956 NetBT ( Virus.Win32.ZAccess.k ) - User select action: Cure
12:37:49.0578 2252 Deinitialize success

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:58 PM

Posted 21 April 2012 - 03:29 PM

Hello


Let me know how the computer is doing



:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
c:\program files\ConduitEngine

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 stargirl6878

stargirl6878
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Location:Florida
  • Local time:08:58 PM

Posted 22 April 2012 - 12:24 PM



Hi again Gringo :)

PC is running good. Still no redirecting. Below is the new Combofix log that you requested.



ComboFix 12-04-20.03 - Jeffrey Rivera 04/22/2012 4:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1131 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey Rivera\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeffrey Rivera\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\ConduitEngine
c:\program files\ConduitEngine\appContextMenu.xml
c:\program files\ConduitEngine\ConduitEngine.dll
c:\program files\ConduitEngine\ConduitEngineHelper.exe
c:\program files\ConduitEngine\ConduitEngineUninstall.exe
c:\program files\ConduitEngine\engineContextMenu.xml
c:\program files\ConduitEngine\EngineSettings.json
c:\program files\ConduitEngine\INSTALL.LOG
c:\program files\ConduitEngine\toolbar.cfg
.
.
((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))
.
.
2012-04-21 16:37 . 2012-04-21 16:37 -------- dc----w- C:\TDSSKiller_Quarantine
2012-04-20 19:51 . 2008-04-14 02:04 36463 ----a-w- c:\windows\system32\dllcache\ati1tuxx.sys
2012-04-20 19:51 . 2008-04-14 02:04 34735 ----a-w- c:\windows\system32\dllcache\ati1xsxx.sys
2012-04-17 23:14 . 2012-04-17 23:14 -------- d-----w- c:\program files\Runtime Software
2012-04-16 22:31 . 2012-04-17 07:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-16 22:31 . 2012-04-16 22:31 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Malwarebytes
2012-04-15 07:41 . 2012-04-15 07:41 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\AVG2012
2012-04-15 07:32 . 2012-04-15 07:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-04-15 07:31 . 2012-04-17 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-04-15 07:29 . 2012-04-15 07:29 -------- d-----w- c:\program files\AVG
2012-04-15 06:50 . 2012-04-17 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-14 03:37 . 2012-04-14 03:37 57344 ----a-w- c:\windows\system32\wscsvv32.dll
2012-04-14 01:37 . 2012-04-14 01:37 57344 ----a-w- c:\windows\system32\WmdmPv32.dll
2012-04-14 00:28 . 2012-04-14 00:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-13 23:37 . 2012-04-13 23:37 57344 ----a-w- c:\windows\system32\nsvciv32.dll
2012-04-13 21:37 . 2012-04-13 21:37 57344 ----a-w- c:\windows\system32\atksgv32.dll
2012-04-13 17:37 . 2012-04-13 17:37 57344 ----a-w- c:\windows\system32\Nwsapv32.dll
2012-04-13 17:02 . 2012-04-13 17:02 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Sonic
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-04-06 04:41 . 2012-04-06 04:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-30 07:22 . 2012-03-30 07:22 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-30 07:22 . 2012-03-30 07:22 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 16:38 . 2004-08-10 15:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-07 04:40 . 2011-06-01 15:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-10 15:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 15:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 15:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 15:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-10 15:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-10 15:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-10 15:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-27 21:42 . 2012-01-27 21:42 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-03-30 07:22 . 2012-03-07 02:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-20_20.29.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 17:21 . 2012-04-20 20:23 82146 c:\windows\system32\perfc009.dat
+ 2005-08-17 17:21 . 2012-04-22 08:58 82146 c:\windows\system32\perfc009.dat
+ 2005-08-17 17:21 . 2012-04-22 08:58 487072 c:\windows\system32\perfh009.dat
- 2005-08-17 17:21 . 2012-04-20 20:23 487072 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe" [2012-03-06 250528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2011-08-24 02:20 887976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 21:45 507904 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-26 04:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2003-04-02 02:20 12288 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S2 Intel Usb3;Intel USB3 Service;c:\windows\System32\svchost.exe -k IntelUsb3S [8/10/2004 11:00 AM 14336]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\Common\Lib\ioloServiceManager.exe" --> c:\program files\iolo\Common\Lib\ioloServiceManager.exe [?]
S2 Wmipse;Wmipse;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 11:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/16/2012 6:31 PM 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
atksgt
nsvcip
aaksrv
_iomega_active_disk_service_
serialkeys
pdlndldl
filechecker
Wmipse
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2009-09-14 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 09:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Jeffrey Rivera\Application Data\Mozilla\Firefox\Profiles\8xr1dd44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\ConduitEngine.dll
Toolbar-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\ConduitEngine.dll
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\ConduitEngine.dll
SafeBoot-70829501.sys
AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-22 04:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?3?4?1??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\fxssvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2012-04-22 05:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-22 09:02
ComboFix2.txt 2012-04-20 20:35
.
Pre-Run: 4,220,891,136 bytes free
Post-Run: 4,335,337,472 bytes free
.
- - End Of File - - FA23FBFFAC4D469472EDECA92754AB18

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:58 PM

Posted 22 April 2012 - 01:18 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 stargirl6878

  • Topic Starter
  • Members

Posted 22 April 2012 - 02:28 PM

Hi Gringo,

Combofix log you requested is below. As for "anything else that needs to be addressed", is there anything specific I should test or look for?

Computer still running good. No redirects. Although every time I run ComboFix it still says that I have rootkit ZeroAccess. I don't know what to do. Any info on why this may still be happening would be appreciated. Thanks :)




ComboFix 12-04-20.03 - Jeffrey Rivera 04/22/2012 15:06:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1137 [GMT -4:00]
Running from: c:\documents and settings\Jeffrey Rivera\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeffrey Rivera\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))
.
.
2012-04-21 16:37 . 2012-04-21 16:37 -------- dc----w- C:\TDSSKiller_Quarantine
2012-04-20 19:51 . 2008-04-14 02:04 36463 ----a-w- c:\windows\system32\dllcache\ati1tuxx.sys
2012-04-20 19:51 . 2008-04-14 02:04 34735 ----a-w- c:\windows\system32\dllcache\ati1xsxx.sys
2012-04-17 23:14 . 2012-04-17 23:14 -------- d-----w- c:\program files\Runtime Software
2012-04-16 22:31 . 2012-04-17 07:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-16 22:31 . 2012-04-16 22:31 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Malwarebytes
2012-04-15 07:41 . 2012-04-15 07:41 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\AVG2012
2012-04-15 07:32 . 2012-04-15 07:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-04-15 07:31 . 2012-04-17 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-04-15 07:29 . 2012-04-15 07:29 -------- d-----w- c:\program files\AVG
2012-04-15 06:50 . 2012-04-17 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-14 18:47 . 2012-04-14 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-14 03:37 . 2012-04-14 03:37 57344 ----a-w- c:\windows\system32\wscsvv32.dll
2012-04-14 01:37 . 2012-04-14 01:37 57344 ----a-w- c:\windows\system32\WmdmPv32.dll
2012-04-14 00:28 . 2012-04-14 00:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-04-13 23:37 . 2012-04-13 23:37 57344 ----a-w- c:\windows\system32\nsvciv32.dll
2012-04-13 21:37 . 2012-04-13 21:37 57344 ----a-w- c:\windows\system32\atksgv32.dll
2012-04-13 17:37 . 2012-04-13 17:37 57344 ----a-w- c:\windows\system32\Nwsapv32.dll
2012-04-13 17:02 . 2012-04-13 17:02 -------- d-----w- c:\documents and settings\Jeffrey Rivera\Application Data\Sonic
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-04-11 20:01 . 2012-04-11 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-04-06 04:41 . 2012-04-06 04:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-30 07:22 . 2012-03-30 07:22 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-30 07:22 . 2012-03-30 07:22 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 16:38 . 2004-08-10 15:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-07 04:40 . 2011-06-01 15:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-10 15:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 15:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 15:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 15:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-10 15:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-10 15:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2004-08-10 15:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-27 21:42 . 2012-01-27 21:42 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-03-30 07:22 . 2012-03-07 02:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-20_20.29.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-17 17:21 . 2012-04-20 20:23 82146 c:\windows\system32\perfc009.dat
+ 2005-08-17 17:21 . 2012-04-22 19:10 82146 c:\windows\system32\perfc009.dat
+ 2005-08-17 17:21 . 2012-04-22 19:10 487072 c:\windows\system32\perfh009.dat
- 2005-08-17 17:21 . 2012-04-20 20:23 487072 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe" [2012-03-06 250528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2011-08-24 02:20 887976 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-12-13 21:45 507904 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-26 04:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2003-04-02 02:20 12288 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S2 Intel Usb3;Intel USB3 Service;c:\windows\System32\svchost.exe -k IntelUsb3S [8/10/2004 11:00 AM 14336]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\Common\Lib\ioloServiceManager.exe" --> c:\program files\iolo\Common\Lib\ioloServiceManager.exe [?]
S2 Wmipse;Wmipse;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 11:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2010 7:12 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/16/2012 6:31 PM 40776]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
IntelUsb3S REG_MULTI_SZ Intel Usb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
atksgt
nsvcip
aaksrv
_iomega_active_disk_service_
serialkeys
pdlndldl
filechecker
Wmipse
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 23:12]
.
2009-09-14 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-30 09:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Jeffrey Rivera\Application Data\Mozilla\Firefox\Profiles\8xr1dd44.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-22 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?3?4?1??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-22 15:22:09
ComboFix-quarantined-files.txt 2012-04-22 19:22
ComboFix2.txt 2012-04-22 09:02
ComboFix3.txt 2012-04-20 20:35
.
Pre-Run: 4,814,401,536 bytes free
Post-Run: 4,819,759,104 bytes free
.
- - End Of File - - 3A4608F458595A1FE1834C06055893A1

#10 gringo_pr

  • Bleepin Gringo
  • Malware Response Team

Posted 22 April 2012 - 03:35 PM

Hello

Why ComboFix does that I don't know. I even asked the guy that makes ComboFix and we have not come up with why.

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

µTorrent
Adobe Reader 7.0
Conduit Engine
J2SE Runtime Environment 5.0 Update 6


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes and then Next.
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and start Free download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When install is complete click on Close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 stargirl6878

  • Topic Starter
  • Members

Posted 24 April 2012 - 03:14 PM

Sorry Gringo. Been a little work to reply. Will work on getting these steps done asap, if not tonight :)

Once again, I appreciate all of your help.

I will post with the logs you requested as soon as I get a chance. Thanks.

P.S. Computer seems to be running fine.

#12 gringo_pr

  • Bleepin Gringo
  • Malware Response Team

Posted 24 April 2012 - 10:18 PM

Ok see you around

#13 stargirl6878

  • Topic Starter
  • Members

Posted 26 April 2012 - 06:38 AM

Hi Gringo! Computer seems to be running pretty good. In the Hijackthis log I see comcast antispyware file. I do not know what that is or how to remove it. Please let me know what to do next. Thank you :)

Here are the logs you requested:




Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.26.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jeffrey Rivera :: RPB [administrator]

4/26/2012 2:23:30 AM
mbam-log-2012-04-26 (02-23-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231933
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:35:13 AM, on 4/26/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Iolo_srv (cpqvcagent) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Orbpvr (epoxusdm) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Tsscoreservice (icam4usb) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: W29n51 (IntelC52) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7847 bytes
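As an added illustration of how a reader can triage the O23 service lines in a log like the one above, here is a small Python script. It is not part of this thread, HijackThis or ComboFix; the sample lines are copied from the log quoted above, and the flagging rules (unknown owner, missing file, a `\\.\globalroot` image path) are my own heuristics for deciding what to look at more closely, not verdicts.

```python
"""Triage helper for the O23 (service) lines of a HijackThis log.

Added example for this thread; it is not part of HijackThis, ComboFix or any
other tool mentioned here, and its flagging rules are heuristics for manual
review, not verdicts.  It reads lines in the HijackThis v2.0.4 layout quoted
above and lists the services whose image path cannot be verified, so a reader
can see which entries deserve a closer look before fixing anything.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# HijackThis v2.0.4 prints each service as
#   O23 - Service: <display name> (<service name>) - <owner> - <image path>
# and omits "(<service name>)" when it equals the display name.  The display
# name itself may contain parentheses, e.g. "Google Update Service (gupdate)".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

MISSING_SUFFIX = " (file missing)"
GLOBALROOT_PREFIX = r"\\.\globalroot"


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[: -len(MISSING_SUFFIX)]
    return ServiceEntry(
        display=m.group("display"),
        name=m.group("name") or m.group("display"),
        owner=m.group("owner"),
        path=path,
        file_missing=missing,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons (if any) why this service deserves manual review."""
    if entry.owner == "Unknown owner":
        entry.reasons.append("no publisher information on the service binary")
    if entry.file_missing:
        entry.reasons.append("registered image path does not exist on disk")
    if entry.path.lower().startswith(GLOBALROOT_PREFIX.lower()):
        # Installers register services with plain drive paths; a service that
        # reaches a core system binary through the device namespace is unusual.
        entry.reasons.append(r"image path uses the \\.\globalroot device namespace")
    return entry


def triage(log_lines: Iterable[str]) -> List[ServiceEntry]:
    """Parse every O23 line and return only the entries with at least one reason."""
    return [e for e in map(parse_o23, log_lines) if e is not None and assess(e).reasons]


# Sample input: lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Iolo_srv (cpqvcagent) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
""".strip().splitlines()


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.name}: {entry.path}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run against the sample, it lists the Comcast, cpqvcagent and ioloSystemService entries and leaves the ATI, Google and HP services alone; the Comcast entry is flagged only because the log shows no publisher, which on its own says nothing about whether the program is unwanted.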

#14 gringo_pr

  • Bleepin Gringo
  • Malware Response Team

Posted 26 April 2012 - 07:12 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll (file missing)
      O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
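The instructions above ask the poster to pick O4 start-up entries out of a HijackThis log by hand, and the O23 service lines at the top of the posted log show the kind of entries ("Unknown owner", "\\.\globalroot" image paths, "(file missing)") a helper looks at first. The script below is an added example of how a responder could triage such a log automatically; it is not a BleepingComputer or HijackThis tool. It assumes the plain "Oxx - ..." line format HijackThis prints, and the flag names and the ordering heuristic are my own review hints, not verdicts. The sample log is constructed from lines copied out of this thread.

```python
"""Triage helper for HijackThis log lines (added example, not from the forum or HijackThis).

Assumptions (mine, not the thread's): lines look like "O4 - ..." / "O23 - ...",
and each flag below is a reason to look closer, not proof of infection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: O4/O23/O2 lines copied from the thread's own log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Iolo_srv (cpqvcagent) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Orbpvr (epoxusdm) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    kind: str                 # section id, e.g. "O4" or "O23"
    text: str                 # everything after "Oxx - "
    flags: list[str] = field(default_factory=list)


def parse_hjt(log: str) -> list[Entry]:
    """Turn the raw log text into Entry objects, skipping non-matching lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def service_fields(entry: Entry) -> tuple[str, str, str]:
    """Split an O23 line into (display name, owner, image path)."""
    body = entry.text[len("Service: "):]
    name, owner, path = body.split(" - ", 2)
    return name, owner, path


def triage(entry: Entry) -> Entry:
    """Attach review flags to one entry. Heuristics are the example's own."""
    t = entry.text
    if "(file missing)" in t:
        # Orphaned entry: either a removed program or a deleted malware component.
        entry.flags.append("file-missing")
    if entry.kind == "O23":
        _, owner, path = service_fields(entry)
        if owner == "Unknown owner":
            # No publisher could be read from the service binary.
            entry.flags.append("unknown-owner")
        if path.startswith(r"\\.\globalroot"):
            # Device-namespace prefix instead of a plain drive path; unusual for a normal service.
            entry.flags.append("globalroot-path")
        if "svchost.exe" in path.lower() and owner == "Unknown owner":
            # A service claiming svchost.exe as its image but with no Microsoft owner string.
            entry.flags.append("svchost-unknown-owner")
    return entry


def triage_log(log: str) -> list[Entry]:
    """Parse, flag, and order entries so the ones with most flags come first."""
    entries = [triage(e) for e in parse_hjt(log)]
    return sorted(entries, key=lambda e: -len(e.flags))  # stable sort keeps log order within ties


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        marker = ", ".join(e.flags) if e.flags else "ok"
        print(f"[{marker}] {e.kind} - {e.text}")
```

Running it lists the two "\\.\globalroot" svchost services first, then the missing iolo service and the missing BHO, and leaves the ATI and Bonjour entries unflagged; the output is a reading order for a human, which is the same judgement the helper applies by hand in the post above.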

#15 stargirl6878

stargirl6878
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:08:58 PM

Posted 28 April 2012 - 02:23 PM

Hi Gringo!

Sorry it's taken so long for me to reply. Work. Anyways, I will try to post the log from the eset scan tonight. Thanks for all your help as always :)




