
Windows Antivirus 2012 infection


  • This topic is locked
18 replies to this topic

#1 dcvh

dcvh

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 28 April 2012 - 05:18 PM

While browsing Google News with Firefox 12.0, I clicked on a news story and got the following popup message..."This page @ http://controltroganssupervision.info says: Windows Antivirus 2012 has found a critical process activity on your PC and will perform a fast scan of system files."
I can't remember exactly what I did next, but I got one of those run boxes with an .exe file that I somehow deleted.
With the news page and the above popup still on the screen I pressed the x and got a popup named "Are You Sure" with the following message..."This page is asking you to confirm you want to leave." with two buttons on the bottom of the popup... Leave and Stay on page. I pushed the Leave button and the Google News page was deleted.
That's when I came to BleepingComputer.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.3.1
Run by Owner at 11:34:26 on 2012-04-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2030.952 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled*
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Quicknote\Quicknote.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Ad-Aware Antivirus\Engine\SBAMSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Quicknote] c:\program files\quicknote\Quicknote.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: Free YouTube Download - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177491347281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54} : NameServer = 8.8.8.8,8.8.4.4
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\ua7tehb1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ua7tehb1.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\gamespy\comrade\npcomrade.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-30 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-3-31 21592]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-3-31 332248]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-4-29 101720]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-12-18 525840]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-3-29 1161072]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-11-30 913752]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-30 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-30 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-30 74640]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-8-29 21992]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2010-9-25 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-8 10384]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 ocster_backup;Ocster Backup;c:\program files\ocster backup\bin\backupService-ox.exe [2011-6-29 18200]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\engine\SBAMSvc.exe [2011-5-17 2804280]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-3-31 74968]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-3-20 100368]
R3 iatmunin;iatmunin;c:\docume~1\owner\locals~1\temp\iatmunin.sys [2006-3-24 31744]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-3-31 69208]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-3-31 212568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c987bc5de93bdc;Google Update Service (gupdate1c987bc5de93bdc);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\drivers\abyssus.sys --> c:\windows\system32\drivers\Abyssus.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 253088]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2010-9-25 11264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [2011-12-2 6656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 129976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 PORTMON;PORTMON;\??\c:\documents and settings\owner\desktop\sysinternal\sysinternalssuite\portmsys.sys --> c:\documents and settings\owner\desktop\sysinternal\sysinternalssuite\PORTMSYS.SYS [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-9-25 16640]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-3-31 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-3-31 94040]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [2011-12-2 10240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-26 16:47:39 2557952 ----a-w- c:\windows\system32\QtCore4.dll
2012-04-26 16:47:12 405176 ----a-w- c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-04-24 19:24:12 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-24 19:23:55 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-24 19:23:55 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-19 15:56:52 -------- d-----w- c:\windows\Hewlett-Packard
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-04-01 00:50:53 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-01 00:38:42 -------- d-----w- c:\documents and settings\owner\local settings\application data\adaware
2012-04-01 00:38:35 74968 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2012-04-01 00:38:35 21592 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2012-04-01 00:38:32 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-03-31 23:04:31 -------- d-----w- c:\program files\iPod
2012-03-31 14:10:40 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2012-03-31 13:34:51 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-03-31 13:34:51 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-03-31 13:34:41 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-03-31 13:34:41 332248 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-03-31 13:25:16 -------- d-----w- c:\documents and settings\owner\application data\Ad-Aware Antivirus
.
==================== Find3M ====================
.
2012-04-25 22:45:35 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2012-04-24 14:51:15 196608 ----a-w- c:\windows\system32\drivers\nVivid.bin
2012-04-18 13:15:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 16:03:08 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-18 16:03:08 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-19 23:49:45 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 03:44:58 7585792 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-02-15 03:41:52 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-02-15 03:09:30 19611648 ----a-w- c:\windows\system32\atioglxx.dll
2012-02-15 02:56:20 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-15 02:55:12 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-02-15 02:52:08 5358080 ----a-w- c:\windows\system32\ati3duag.dll
2012-02-15 02:43:02 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-02-15 02:34:32 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-02-15 02:34:18 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-02-15 02:34:10 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-02-15 02:34:02 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-02-15 02:33:50 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-02-15 02:32:36 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-02-15 02:31:52 4155648 ----a-w- c:\windows\system32\ativvaxx.dll
2012-02-15 02:31:16 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-02-15 02:29:38 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-15 02:25:10 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-02-15 02:21:52 634880 ----a-w- c:\windows\system32\atiok3x2.dll
2012-02-15 02:20:04 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-15 02:19:40 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-02-15 02:13:44 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-02-15 02:12:50 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-02-15 02:12:34 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-02-15 02:12:34 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:38:19.35 ===============



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:44 PM

Posted 28 April 2012 - 11:26 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Multiple Anti Virus programs:

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove all but one of them.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
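The check the helper makes by eye above (two antivirus products both marked *Enabled* in the log header), as an added example that is not part of this thread: a small Python parser for the AV:/FW: lines that DDS and ComboFix print, which flags more than one enabled antivirus and a missing active firewall. The two sample headers are copied from the logs posted in this thread; the function and field names are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: the four security-product lines from the DDS log
# header posted earlier in this thread, reproduced verbatim.
DDS_HEADER = """\
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Aware *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled*
FW: ZoneAlarm Free Firewall *Enabled*
"""

# Constructed sample input: the same two fields as ComboFix prints them later
# in the thread, after the helper asked for security software to be turned off.
COMBOFIX_HEADER = """\
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
"""

# One product line: "<KIND>: <name> *<status>[/<update state>]* [{<GUID>}]".
# KIND is AV (antivirus), FW (firewall) or SP (antispyware, also used by DDS).
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|SP):\s+"
    r"(?P<name>.+?)\s+"
    r"\*(?P<status>[^*/]+)(?:/(?P<update>[^*]+))?\*"
    r"(?:\s+\{(?P<guid>[0-9A-Fa-f-]{36})\})?\s*$"
)


def parse_security_products(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per AV:/FW:/SP: line; every other log line is ignored."""
    products = []
    for line in log_text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["update"] = rec["update"] or ""  # firewall lines carry no update state
        rec["guid"] = rec["guid"] or ""      # DDS omits the GUID on some lines
        products.append(rec)
    return products


def assess(products: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise the header the way the helper in this thread reads it."""
    enabled_av = [p["name"] for p in products
                  if p["kind"] == "AV" and p["status"] == "Enabled"]
    enabled_fw = [p["name"] for p in products
                  if p["kind"] == "FW" and p["status"] == "Enabled"]
    # The token after the slash is the signature state; an enabled scanner
    # whose state is anything but "Updated" is worth a second look.
    stale_av = [p["name"] for p in products
                if p["kind"] == "AV" and p["status"] == "Enabled"
                and p["update"] != "Updated"]
    return {
        "enabled_av": enabled_av,
        "multiple_av": len(enabled_av) > 1,  # two resident scanners conflict
        "enabled_fw": enabled_fw,
        "no_active_fw": len(enabled_fw) == 0,
        "stale_av": stale_av,
    }


if __name__ == "__main__":
    for label, text in (("DDS", DDS_HEADER), ("ComboFix", COMBOFIX_HEADER)):
        print(label, assess(parse_security_products(text)))
```

Run on the DDS header it reports `multiple_av` True with both Avira and Ad-Aware listed; on the ComboFix header it reports no enabled scanner and no active firewall, which is the expected state while ComboFix runs.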

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:44 PM

Posted 02 May 2012 - 12:14 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:44 PM

Posted 05 May 2012 - 12:22 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:44 PM

Posted 07 May 2012 - 07:53 AM

This topic has been re-opened at the request of the person who originally posted.

#6 dcvh

dcvh
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 07 May 2012 - 01:43 PM

ComboFix Log


ComboFix 12-05-06.04 - Owner 05/06/2012 23:23:03.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2030.1433 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\Owner\Application Data\install_flash_player.exe
c:\documents and settings\Owner\Application Data\mIRC\logs\status.log
c:\documents and settings\Owner\WINDOWS
c:\windows\explorer(2).exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-04-26 16:47 . 2012-03-22 17:43 2557952 ----a-w- c:\windows\system32\QtCore4.dll
2012-04-26 16:47 . 2012-04-18 17:49 405176 ----a-w- c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-04-24 19:24 . 2012-04-24 19:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-24 19:23 . 2012-04-24 19:23 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-24 19:23 . 2012-04-24 19:23 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-19 15:56 . 2012-04-19 15:56 -------- d-----w- c:\windows\Hewlett-Packard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 06:25 . 2012-04-01 00:50 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 06:25 . 2011-06-09 04:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 03:01 . 2010-10-29 03:01 196608 ----a-w- c:\windows\system32\drivers\nVivid.bin
2012-04-29 20:20 . 2007-09-11 05:43 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2012-04-04 19:56 . 2010-07-18 04:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 16:03 . 2010-04-29 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-03-18 16:03 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-23 20:02 . 2009-03-16 22:51 101727 ----a-w- C:\MGlogs.zip
2012-02-19 23:49 . 2012-02-19 23:49 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 23:28 . 2011-12-31 00:39 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-15 03:44 . 2006-12-17 02:50 7585792 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-02-15 03:41 . 2009-02-25 21:09 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-02-15 03:09 . 2009-02-25 21:30 19611648 ----a-w- c:\windows\system32\atioglxx.dll
2012-02-15 02:56 . 2009-02-25 21:42 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-15 02:55 . 2007-07-28 03:30 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-02-15 02:52 . 2007-07-28 03:12 5358080 ----a-w- c:\windows\system32\ati3duag.dll
2012-02-15 02:43 . 2011-04-24 22:31 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-02-15 02:34 . 2009-02-25 21:30 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-02-15 02:34 . 2009-02-25 21:29 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-02-15 02:34 . 2009-02-25 21:29 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-02-15 02:34 . 2009-02-25 21:29 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-02-15 02:33 . 2009-02-25 21:29 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-02-15 02:32 . 2009-02-25 21:27 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-02-15 02:31 . 2007-07-28 03:01 4155648 ----a-w- c:\windows\system32\ativvaxx.dll
2012-02-15 02:31 . 2009-02-25 21:26 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-02-15 02:29 . 2010-08-04 05:27 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-15 02:25 . 2009-02-25 20:40 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-02-15 02:21 . 2009-02-25 20:35 634880 ----a-w- c:\windows\system32\atiok3x2.dll
2012-02-15 02:20 . 2009-02-25 20:38 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-15 02:19 . 2009-02-25 20:38 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-02-15 02:13 . 2007-07-28 02:40 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-02-15 02:12 . 2009-02-25 20:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-02-15 02:12 . 2010-10-29 02:43 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-02-15 02:12 . 2009-02-25 20:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-02-11 03:56 . 1999-10-06 01:38 640 ----a-w- c:\windows\Fonts\readme.txt
2012-04-24 19:23 . 2011-03-23 23:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Quicknote"="c:\program files\Quicknote\Quicknote.exe" [2007-12-02 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-02-24 328800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Zapu\\Zapu Accelerator\\wDivi.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Daum\\PotPlayer\\PotPlayerMini.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/30/2011 8:39 PM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [3/31/2012 9:34 AM 332248]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [11/30/2011 6:13 PM 913752]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/30/2011 8:39 PM 86224]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [8/29/2011 10:06 PM 21992]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/25/2010 2:42 PM 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/8/2009 2:45 AM 10384]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
R2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [6/29/2011 12:16 PM 18200]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 10:37 PM 27992]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 2:01 AM 399416]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/20/2012 1:54 PM 100368]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [3/31/2012 9:34 AM 212568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate1c987bc5de93bdc;Google Update Service (gupdate1c987bc5de93bdc);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\Drivers\Abyssus.sys --> c:\windows\system32\Drivers\Abyssus.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 8:50 PM 257696]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/25/2010 2:43 PM 11264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [12/2/2011 8:20 PM 6656]
S3 iatmunin;iatmunin;\??\c:\docume~1\Owner\LOCALS~1\Temp\iatmunin.sys --> c:\docume~1\Owner\LOCALS~1\Temp\iatmunin.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 3:24 PM 129976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS --> c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/25/2010 2:42 PM 16640]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [3/31/2012 9:34 AM 94040]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [12/2/2011 8:20 PM 10240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ndiszapu
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 06:25]
.
2012-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-05-07 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-11-10 00:33]
.
2012-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 02:49]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-05-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: Interfaces\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ua7tehb1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISW - (no file)
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-06 23:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:1a,2b,da,be,c5,b5,4a,7b,1f,ea,e7,ca,e1,e9,b0,e4,f8,e8,06,9a,47,
53,05,40,96,70,aa,af,c8,9e,77,05,3f,23,24,75,bb,04,cd,f8,f8,b4,07,dd,98,ca,\
"rkeysecu"=hex:1d,e8,50,f2,ea,14,52,98,35,bb,06,c5,15,2a,d0,5a
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0a\05\07\17\07\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1436)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1492)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-05-06 23:36:37
ComboFix-quarantined-files.txt 2012-05-07 03:36
.
Pre-Run: 170,200,809,472 bytes free
Post-Run: 170,943,561,728 bytes free
.
- - End Of File - - C042A6C8B0B09A9412DC2D9206550ACD

#7 dcvh

dcvh
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 07 May 2012 - 01:45 PM

ComboFix Log


ComboFix 12-05-06.04 - Owner 05/06/2012 23:23:03.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2030.1433 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\Owner\Application Data\install_flash_player.exe
c:\documents and settings\Owner\Application Data\mIRC\logs\status.log
c:\documents and settings\Owner\WINDOWS
c:\windows\explorer(2).exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-04-26 16:47 . 2012-03-22 17:43 2557952 ----a-w- c:\windows\system32\QtCore4.dll
2012-04-26 16:47 . 2012-04-18 17:49 405176 ----a-w- c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-04-24 19:24 . 2012-04-24 19:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-24 19:23 . 2012-04-24 19:23 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-24 19:23 . 2012-04-24 19:23 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-19 15:56 . 2012-04-19 15:56 -------- d-----w- c:\windows\Hewlett-Packard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 06:25 . 2012-04-01 00:50 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 06:25 . 2011-06-09 04:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 03:01 . 2010-10-29 03:01 196608 ----a-w- c:\windows\system32\drivers\nVivid.bin
2012-04-29 20:20 . 2007-09-11 05:43 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2012-04-04 19:56 . 2010-07-18 04:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 16:03 . 2010-04-29 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-03-18 16:03 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-23 20:02 . 2009-03-16 22:51 101727 ----a-w- C:\MGlogs.zip
2012-02-19 23:49 . 2012-02-19 23:49 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 23:28 . 2011-12-31 00:39 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-15 03:44 . 2006-12-17 02:50 7585792 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-02-15 03:41 . 2009-02-25 21:09 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-02-15 03:09 . 2009-02-25 21:30 19611648 ----a-w- c:\windows\system32\atioglxx.dll
2012-02-15 02:56 . 2009-02-25 21:42 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-15 02:55 . 2007-07-28 03:30 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-02-15 02:52 . 2007-07-28 03:12 5358080 ----a-w- c:\windows\system32\ati3duag.dll
2012-02-15 02:43 . 2011-04-24 22:31 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-02-15 02:34 . 2009-02-25 21:30 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-02-15 02:34 . 2009-02-25 21:29 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-02-15 02:34 . 2009-02-25 21:29 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-02-15 02:34 . 2009-02-25 21:29 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-02-15 02:33 . 2009-02-25 21:29 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-02-15 02:32 . 2009-02-25 21:27 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-02-15 02:31 . 2007-07-28 03:01 4155648 ----a-w- c:\windows\system32\ativvaxx.dll
2012-02-15 02:31 . 2009-02-25 21:26 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-02-15 02:29 . 2010-08-04 05:27 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-15 02:25 . 2009-02-25 20:40 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-02-15 02:21 . 2009-02-25 20:35 634880 ----a-w- c:\windows\system32\atiok3x2.dll
2012-02-15 02:20 . 2009-02-25 20:38 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-15 02:19 . 2009-02-25 20:38 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-02-15 02:13 . 2007-07-28 02:40 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-02-15 02:12 . 2009-02-25 20:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-02-15 02:12 . 2010-10-29 02:43 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-02-15 02:12 . 2009-02-25 20:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-02-11 03:56 . 1999-10-06 01:38 640 ----a-w- c:\windows\Fonts\readme.txt
2012-04-24 19:23 . 2011-03-23 23:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Quicknote"="c:\program files\Quicknote\Quicknote.exe" [2007-12-02 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-12-15 258512]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-02-24 328800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Zapu\\Zapu Accelerator\\wDivi.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Daum\\PotPlayer\\PotPlayerMini.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/30/2011 8:39 PM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [3/31/2012 9:34 AM 332248]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [11/30/2011 6:13 PM 913752]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/30/2011 8:39 PM 86224]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [8/29/2011 10:06 PM 21992]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/25/2010 2:42 PM 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/8/2009 2:45 AM 10384]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
R2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [6/29/2011 12:16 PM 18200]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 10:37 PM 27992]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 2:01 AM 399416]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/20/2012 1:54 PM 100368]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [3/31/2012 9:34 AM 212568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate1c987bc5de93bdc;Google Update Service (gupdate1c987bc5de93bdc);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\Drivers\Abyssus.sys --> c:\windows\system32\Drivers\Abyssus.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 8:50 PM 257696]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/25/2010 2:43 PM 11264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [12/2/2011 8:20 PM 6656]
S3 iatmunin;iatmunin;\??\c:\docume~1\Owner\LOCALS~1\Temp\iatmunin.sys --> c:\docume~1\Owner\LOCALS~1\Temp\iatmunin.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 3:24 PM 129976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS --> c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/25/2010 2:42 PM 16640]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [3/31/2012 9:34 AM 94040]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [12/2/2011 8:20 PM 10240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ndiszapu
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 06:25]
.
2012-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-05-07 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-11-10 00:33]
.
2012-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 02:49]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-05-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: Interfaces\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ua7tehb1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISW - (no file)
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-06 23:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:1a,2b,da,be,c5,b5,4a,7b,1f,ea,e7,ca,e1,e9,b0,e4,f8,e8,06,9a,47,
53,05,40,96,70,aa,af,c8,9e,77,05,3f,23,24,75,bb,04,cd,f8,f8,b4,07,dd,98,ca,\
"rkeysecu"=hex:1d,e8,50,f2,ea,14,52,98,35,bb,06,c5,15,2a,d0,5a
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0a\05\07\17\07\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1436)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1492)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-05-06 23:36:37
ComboFix-quarantined-files.txt 2012-05-07 03:36
.
Pre-Run: 170,200,809,472 bytes free
Post-Run: 170,943,561,728 bytes free
.
- - End Of File - - C042A6C8B0B09A9412DC2D9206550ACD

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2012 - 02:37 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 dcvh

dcvh
  • Topic Starter
  • Members
  • 8 posts

Posted 07 May 2012 - 07:18 PM

Hello,

TDSSKiller Log

18:58:19.0093 0880 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
18:58:21.0093 0880 ============================================================
18:58:21.0093 0880 Current date / time: 2012/05/07 18:58:21.0093
18:58:21.0093 0880 SystemInfo:
18:58:21.0093 0880
18:58:21.0093 0880 OS Version: 5.1.2600 ServicePack: 3.0
18:58:21.0093 0880 Product type: Workstation
18:58:21.0093 0880 ComputerName: DOUG1
18:58:21.0093 0880 UserName: Owner
18:58:21.0093 0880 Windows directory: C:\WINDOWS
18:58:21.0093 0880 System windows directory: C:\WINDOWS
18:58:21.0093 0880 Processor architecture: Intel x86
18:58:21.0093 0880 Number of processors: 2
18:58:21.0093 0880 Page size: 0x1000
18:58:21.0093 0880 Boot type: Normal boot
18:58:21.0093 0880 ============================================================
18:58:22.0515 0880 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:58:22.0531 0880 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:58:22.0531 0880 ============================================================
18:58:22.0531 0880 \Device\Harddisk0\DR0:
18:58:22.0531 0880 MBR partitions:
18:58:22.0531 0880 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
18:58:22.0531 0880 \Device\Harddisk1\DR1:
18:58:22.0531 0880 MBR partitions:
18:58:22.0531 0880 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C4542
18:58:22.0531 0880 ============================================================
18:58:22.0578 0880 C: <-> \Device\Harddisk0\DR0\Partition0
18:58:22.0609 0880 D: <-> \Device\Harddisk1\DR1\Partition0
18:58:22.0609 0880 ============================================================
18:58:22.0609 0880 Initialize success
18:58:22.0609 0880 ============================================================
18:58:48.0265 2476 ============================================================
18:58:48.0265 2476 Scan started
18:58:48.0265 2476 Mode: Manual;
18:58:48.0265 2476 ============================================================
18:58:49.0062 2476 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
18:58:49.0062 2476 !SASCORE - ok
18:58:49.0203 2476 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
18:58:49.0203 2476 6to4 - ok
18:58:49.0218 2476 Abiosdsk - ok
18:58:49.0218 2476 abp480n5 - ok
18:58:49.0218 2476 Abyssus03 - ok
18:58:49.0312 2476 ACDaemon (35f57598f0589feb3c3abc1621bf329f) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
18:58:49.0312 2476 ACDaemon - ok
18:58:49.0359 2476 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:58:49.0359 2476 ACPI - ok
18:58:49.0390 2476 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:58:49.0437 2476 ACPIEC - ok
18:58:49.0531 2476 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
18:58:49.0531 2476 AdobeFlashPlayerUpdateSvc - ok
18:58:49.0531 2476 adpu160m - ok
18:58:49.0640 2476 AdvancedSystemCareService5 (b11c71b29fa69e4586f9b65560e6604d) C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
18:58:49.0656 2476 AdvancedSystemCareService5 - ok
18:58:49.0703 2476 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:58:49.0703 2476 aec - ok
18:58:49.0718 2476 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:58:49.0734 2476 AFD - ok
18:58:49.0734 2476 Aha154x - ok
18:58:49.0734 2476 aic78u2 - ok
18:58:49.0734 2476 aic78xx - ok
18:58:49.0781 2476 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:58:49.0781 2476 Alerter - ok
18:58:49.0812 2476 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:58:49.0812 2476 ALG - ok
18:58:49.0812 2476 AliIde - ok
18:58:49.0812 2476 amsint - ok
18:58:49.0937 2476 AntiVirSchedulerService (72709089a54bdc1c5b16bc4a4b926567) C:\Program Files\Avira\AntiVir Desktop\sched.exe
18:58:49.0937 2476 AntiVirSchedulerService - ok
18:58:50.0000 2476 AntiVirService (42f88bfbb76f7a63e381829479b18518) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
18:58:50.0000 2476 AntiVirService - ok
18:58:50.0078 2476 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:58:50.0078 2476 Apple Mobile Device - ok
18:58:50.0078 2476 AppMgmt - ok
18:58:50.0187 2476 AresChatServer (eb7319da35fff406c2afd912f8268f4c) C:\Program Files\Ares\chatServer.exe
18:58:50.0203 2476 AresChatServer - ok
18:58:50.0218 2476 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
18:58:50.0218 2476 Arp1394 - ok
18:58:50.0234 2476 asc - ok
18:58:50.0234 2476 asc3350p - ok
18:58:50.0234 2476 asc3550 - ok
18:58:50.0250 2476 Aspi32 - ok
18:58:50.0359 2476 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
18:58:50.0375 2476 aspnet_state - ok
18:58:50.0375 2476 asusgsb - ok
18:58:50.0437 2476 asuskbnt (b3b881eb81013aac11594a5400ada47a) C:\WINDOWS\system32\drivers\atkkbnt.sys
18:58:50.0437 2476 asuskbnt - ok
18:58:50.0468 2476 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:58:50.0484 2476 AsyncMac - ok
18:58:50.0500 2476 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:58:50.0515 2476 atapi - ok
18:58:50.0515 2476 Atdisk - ok
18:58:50.0578 2476 Ati HotKey Poller (c434b72352fadd9249d5541274021570) C:\WINDOWS\system32\Ati2evxx.exe
18:58:50.0593 2476 Ati HotKey Poller - ok
18:58:50.0687 2476 ATI Smart (72810c6a63076a480abce0e0ba0bc981) C:\WINDOWS\system32\ati2sgag.exe
18:58:50.0687 2476 ATI Smart - ok
18:58:51.0125 2476 ati2mtag (b4368b39a18630c3ec8d7f496f76f19b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
18:58:51.0218 2476 ati2mtag - ok
18:58:51.0328 2476 AtiHDAudioService (bd9ca8136738040d3257363ed12be693) C:\WINDOWS\system32\drivers\AtihdXP3.sys
18:58:51.0328 2476 AtiHDAudioService - ok
18:58:51.0359 2476 AtiHdmiService (1cae756c8baefb2b25964baa639fdd5c) C:\WINDOWS\system32\drivers\AtiHdmi.sys
18:58:51.0406 2476 AtiHdmiService - ok
18:58:51.0437 2476 ATKKeyboardService (64b6a2d40cfecff1885f696612bba53f) C:\WINDOWS\ATKKBService.exe
18:58:53.0015 2476 ATKKeyboardService - ok
18:58:53.0062 2476 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:58:53.0093 2476 Atmarpc - ok
18:58:53.0140 2476 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:58:53.0140 2476 AudioSrv - ok
18:58:53.0203 2476 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:58:53.0203 2476 audstub - ok
18:58:53.0265 2476 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
18:58:53.0265 2476 avgntflt - ok
18:58:53.0281 2476 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\WINDOWS\system32\DRIVERS\avipbb.sys
18:58:53.0281 2476 avipbb - ok
18:58:53.0343 2476 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
18:58:53.0343 2476 avkmgr - ok
18:58:53.0390 2476 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
18:58:53.0390 2476 BANTExt - ok
18:58:53.0453 2476 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:58:53.0453 2476 Beep - ok
18:58:53.0484 2476 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:58:53.0500 2476 BITS - ok
18:58:53.0609 2476 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
18:58:53.0625 2476 Bonjour Service - ok
18:58:53.0671 2476 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:58:53.0671 2476 Browser - ok
18:58:53.0843 2476 catchme - ok
18:58:53.0890 2476 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:58:53.0921 2476 cbidf2k - ok
18:58:53.0953 2476 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:58:53.0984 2476 CCDECODE - ok
18:58:53.0984 2476 cd20xrnt - ok
18:58:54.0046 2476 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:58:54.0046 2476 Cdaudio - ok
18:58:54.0062 2476 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:58:54.0078 2476 Cdfs - ok
18:58:54.0109 2476 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:58:54.0109 2476 Cdrom - ok
18:58:54.0109 2476 Changer - ok
18:58:54.0156 2476 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:58:54.0156 2476 CiSvc - ok
18:58:54.0187 2476 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:58:54.0187 2476 ClipSrv - ok
18:58:54.0359 2476 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:58:54.0437 2476 clr_optimization_v2.0.50727_32 - ok
18:58:54.0515 2476 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
18:58:54.0531 2476 clr_optimization_v4.0.30319_32 - ok
18:58:54.0531 2476 CmdIde - ok
18:58:54.0546 2476 COMSysApp - ok
18:58:54.0546 2476 Cpqarray - ok
18:58:54.0640 2476 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
18:58:54.0671 2476 cpudrv - ok
18:58:54.0703 2476 cpuz135 (c2eb4539a4f6ab6edd01bdc191619975) C:\WINDOWS\system32\drivers\cpuz135_x32.sys
18:58:54.0703 2476 cpuz135 - ok
18:58:54.0718 2476 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:58:54.0718 2476 CryptSvc - ok
18:58:54.0718 2476 dac2w2k - ok
18:58:54.0718 2476 dac960nt - ok
18:58:54.0796 2476 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:58:54.0812 2476 DcomLaunch - ok
18:58:54.0859 2476 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:58:54.0875 2476 Dhcp - ok
18:58:54.0875 2476 Diag69xp (a22d5a027f397e412cbb2d97e8661bff) C:\WINDOWS\system32\Drivers\Diag69xp.sys
18:58:54.0890 2476 Diag69xp - ok
18:58:54.0921 2476 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:58:54.0921 2476 Disk - ok
18:58:54.0921 2476 dmadmin - ok
18:58:54.0968 2476 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:58:55.0015 2476 dmboot - ok
18:58:55.0046 2476 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:58:55.0093 2476 dmio - ok
18:58:55.0125 2476 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:58:55.0140 2476 dmload - ok
18:58:55.0187 2476 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:58:55.0187 2476 dmserver - ok
18:58:55.0234 2476 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:58:55.0234 2476 DMusic - ok
18:58:55.0265 2476 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:58:55.0265 2476 Dnscache - ok
18:58:55.0312 2476 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:58:55.0312 2476 Dot3svc - ok
18:58:55.0312 2476 dpti2o - ok
18:58:55.0312 2476 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:58:55.0328 2476 drmkaud - ok
18:58:55.0375 2476 e1express (6de32a9123ef60f9d423e9163af0e305) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
18:58:55.0375 2476 e1express - ok
18:58:55.0390 2476 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:58:55.0390 2476 EapHost - ok
18:58:55.0453 2476 EIO_XP (88b5b982d702cd81874731cecf6ba4db) C:\WINDOWS\system32\drivers\EIO_XP.sys
18:58:55.0453 2476 EIO_XP - ok
18:58:55.0468 2476 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:58:55.0468 2476 ERSvc - ok
18:58:55.0515 2476 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:58:55.0531 2476 Eventlog - ok
18:58:55.0562 2476 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:58:55.0562 2476 EventSystem - ok
18:58:55.0609 2476 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:58:55.0609 2476 Fastfat - ok
18:58:55.0640 2476 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:58:55.0656 2476 FastUserSwitchingCompatibility - ok
18:58:55.0656 2476 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:58:55.0656 2476 Fdc - ok
18:58:55.0671 2476 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:58:55.0671 2476 Fips - ok
18:58:55.0671 2476 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:58:55.0671 2476 Flpydisk - ok
18:58:55.0703 2476 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:58:55.0703 2476 FltMgr - ok
18:58:55.0859 2476 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:58:55.0859 2476 FontCache3.0.0.0 - ok
18:58:55.0859 2476 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:58:55.0859 2476 Fs_Rec - ok
18:58:55.0875 2476 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:58:55.0875 2476 Ftdisk - ok
18:58:55.0890 2476 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:58:55.0890 2476 GEARAspiWDM - ok
18:58:55.0906 2476 getPlusHelper - ok
18:58:55.0921 2476 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:58:55.0921 2476 Gpc - ok
18:58:56.0000 2476 gupdate1c987bc5de93bdc (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
18:58:56.0000 2476 gupdate1c987bc5de93bdc - ok
18:58:56.0000 2476 gupdatem (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
18:58:56.0000 2476 gupdatem - ok
18:58:56.0046 2476 gusvc (408ddd80eede47175f6844817b90213e) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
18:58:56.0046 2476 gusvc - ok
18:58:56.0078 2476 hamachi (d30b31375c40309425c21efe75db90bb) C:\WINDOWS\system32\DRIVERS\hamachi.sys
18:58:56.0109 2476 hamachi - ok
18:58:56.0140 2476 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:58:56.0140 2476 HDAudBus - ok
18:58:56.0171 2476 HECI (19e26d0402e6d29e67fa74650187567e) C:\WINDOWS\system32\DRIVERS\HECI.sys
18:58:56.0171 2476 HECI - ok
18:58:56.0250 2476 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:58:56.0250 2476 helpsvc - ok
18:58:56.0296 2476 hidkmdf (bb1822838c0714b3c03efe0f209d135d) C:\WINDOWS\system32\DRIVERS\hidkmdf.sys
18:58:56.0328 2476 hidkmdf - ok
18:58:56.0343 2476 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
18:58:56.0343 2476 HidServ - ok
18:58:56.0390 2476 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:58:56.0406 2476 HidUsb - ok
18:58:56.0453 2476 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:58:56.0453 2476 hkmsvc - ok
18:58:56.0453 2476 hpn - ok
18:58:56.0546 2476 hpqcxs08 (5da42d24712e00728cea2342a65009b2) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
18:58:56.0546 2476 hpqcxs08 - ok
18:58:56.0578 2476 hpqddsvc (d86a39bf100069444d026d22d9a6e555) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
18:58:56.0578 2476 hpqddsvc - ok
18:58:56.0625 2476 HPSLPSVC (a04f4ac48895774a2cf9d1c9eaaacef0) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
18:58:56.0640 2476 HPSLPSVC - ok
18:58:56.0671 2476 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
18:58:56.0687 2476 HPZid412 - ok
18:58:56.0687 2476 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
18:58:56.0687 2476 HPZipr12 - ok
18:58:56.0687 2476 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
18:58:56.0687 2476 HPZius12 - ok
18:58:56.0765 2476 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:58:56.0765 2476 HTTP - ok
18:58:56.0796 2476 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:58:56.0796 2476 HTTPFilter - ok
18:58:56.0796 2476 i2omgmt - ok
18:58:56.0796 2476 i2omp - ok
18:58:56.0828 2476 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:58:56.0843 2476 i8042prt - ok
18:58:56.0859 2476 IAANTMON (582f2d900a3ac34c98fbdc2c0abef6b9) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
18:58:56.0968 2476 IAANTMON - ok
18:58:57.0046 2476 ialm (88164ba0e3fc4172ff3a1bd82b756454) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
18:58:57.0078 2476 ialm - ok
18:58:57.0109 2476 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
18:58:57.0109 2476 iaStor - ok
18:58:57.0281 2476 iatmunin - ok
18:58:57.0406 2476 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
18:58:57.0406 2476 IDriverT - ok
18:58:57.0593 2476 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:58:57.0609 2476 idsvc - ok
18:58:57.0703 2476 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:58:57.0718 2476 Imapi - ok
18:58:57.0781 2476 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:58:57.0781 2476 ImapiService - ok
18:58:57.0781 2476 ini910u - ok
18:58:57.0781 2476 IntelIde - ok
18:58:57.0843 2476 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:58:57.0843 2476 intelppm - ok
18:58:57.0859 2476 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:58:57.0859 2476 Ip6Fw - ok
18:58:57.0890 2476 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:58:57.0921 2476 IpFilterDriver - ok
18:58:57.0953 2476 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:58:57.0984 2476 IpInIp - ok
18:58:58.0015 2476 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:58:58.0015 2476 IpNat - ok
18:58:58.0109 2476 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
18:58:58.0125 2476 iPod Service - ok
18:58:58.0187 2476 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:58:58.0187 2476 IPSec - ok
18:58:58.0218 2476 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:58:58.0250 2476 IRENUM - ok
18:58:58.0265 2476 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:58:58.0281 2476 isapnp - ok
18:58:58.0343 2476 ISWKL (157294f7076a05fad34281bb50d8e58c) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
18:58:58.0343 2476 ISWKL - ok
18:58:58.0406 2476 IswSvc (43d08527663d7f2155876416cf191f9b) C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
18:58:58.0500 2476 IswSvc - ok
18:58:58.0578 2476 JavaQuickStarterService (d9b1e929f2464d4c23fa9cb47df4a1d4) C:\Program Files\Java\jre7\bin\jqs.exe
18:58:58.0578 2476 JavaQuickStarterService - ok
18:58:58.0640 2476 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:58:58.0640 2476 Kbdclass - ok
18:58:58.0656 2476 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:58:58.0656 2476 kbdhid - ok
18:58:58.0671 2476 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:58:58.0671 2476 kmixer - ok
18:58:58.0703 2476 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:58:58.0703 2476 KSecDD - ok
18:58:58.0703 2476 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
18:58:58.0750 2476 L8042Kbd - ok
18:58:58.0781 2476 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
18:58:58.0812 2476 L8042mou - ok
18:58:58.0843 2476 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
18:58:58.0843 2476 lanmanserver - ok
18:58:58.0906 2476 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
18:58:58.0906 2476 lanmanworkstation - ok
18:58:58.0953 2476 LANPkt (8f5795b166cbb50966e29982f8cdb310) C:\WINDOWS\system32\DRIVERS\LANPkt.sys
18:58:58.0968 2476 LANPkt - ok
18:58:58.0968 2476 Lbd - ok
18:58:59.0015 2476 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys
18:58:59.0015 2476 LBeepKE - ok
18:58:59.0015 2476 lbrtfdc - ok
18:58:59.0093 2476 LBTServ (3af6b73a3ad1fc37c5933441f66ceb91) C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
18:58:59.0093 2476 LBTServ - ok
18:58:59.0109 2476 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
18:58:59.0140 2476 LHidFilt - ok
18:58:59.0187 2476 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:58:59.0187 2476 LmHosts - ok
18:58:59.0187 2476 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
18:58:59.0203 2476 LMouFilt - ok
18:58:59.0234 2476 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
18:58:59.0234 2476 LMouKE - ok
18:58:59.0296 2476 McciCMService (a4225ba7b4ee5b8cdf8a808858dba437) C:\Program Files\Common Files\Motive\McciCMService.exe
18:58:59.0296 2476 McciCMService - ok
18:58:59.0359 2476 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:58:59.0359 2476 Messenger - ok
18:58:59.0390 2476 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:58:59.0390 2476 mnmdd - ok
18:58:59.0421 2476 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:58:59.0437 2476 mnmsrvc - ok
18:58:59.0468 2476 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:58:59.0484 2476 Modem - ok
18:58:59.0531 2476 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:58:59.0531 2476 Mouclass - ok
18:58:59.0531 2476 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:58:59.0546 2476 mouhid - ok
18:58:59.0593 2476 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:58:59.0593 2476 MountMgr - ok
18:58:59.0640 2476 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
18:58:59.0656 2476 MozillaMaintenance - ok
18:58:59.0656 2476 mraid35x - ok
18:58:59.0703 2476 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
18:58:59.0718 2476 MREMP50 - ok
18:58:59.0718 2476 MREMP50a64 - ok
18:58:59.0734 2476 MREMPR5 - ok
18:58:59.0734 2476 MRENDIS5 - ok
18:58:59.0750 2476 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
18:58:59.0765 2476 MRESP50 - ok
18:58:59.0765 2476 MRESP50a64 - ok
18:58:59.0781 2476 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:58:59.0781 2476 MRxDAV - ok
18:58:59.0843 2476 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:58:59.0843 2476 MRxSmb - ok
18:58:59.0859 2476 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:58:59.0859 2476 MSDTC - ok
18:58:59.0890 2476 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:58:59.0890 2476 Msfs - ok
18:58:59.0890 2476 MSIServer - ok
18:58:59.0921 2476 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:58:59.0953 2476 MSKSSRV - ok
18:58:59.0968 2476 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:59:00.0000 2476 MSPCLOCK - ok
18:59:00.0046 2476 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:59:00.0062 2476 MSPQM - ok
18:59:00.0125 2476 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:59:00.0125 2476 mssmbios - ok
18:59:00.0156 2476 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
18:59:00.0187 2476 MSTEE - ok
18:59:00.0203 2476 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:59:00.0203 2476 Mup - ok
18:59:00.0203 2476 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:59:00.0218 2476 NABTSFEC - ok
18:59:00.0265 2476 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:59:00.0281 2476 napagent - ok
18:59:00.0375 2476 NAUpdate (9d1cce440552500ded3a62f9d779cdb4) C:\Program Files\Nero\Update\NASvc.exe
18:59:00.0390 2476 NAUpdate - ok
18:59:00.0406 2476 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:59:00.0406 2476 NDIS - ok
18:59:00.0406 2476 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:59:00.0468 2476 NdisIP - ok
18:59:00.0515 2476 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:59:00.0515 2476 NdisTapi - ok
18:59:00.0562 2476 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:59:00.0578 2476 Ndisuio - ok
18:59:00.0578 2476 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:59:00.0578 2476 NdisWan - ok
18:59:00.0640 2476 ndiszapu (b1c3bc0738a69268e944ced10f6c10c0) C:\WINDOWS\system32\drivers\ndiszapu.sys
18:59:00.0640 2476 ndiszapu - ok
18:59:00.0656 2476 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:59:00.0656 2476 NDProxy - ok
18:59:00.0703 2476 Net Driver HPZ12 (a081cb6fb9a12668f233eb5414be3a0e) C:\WINDOWS\system32\HPZinw12.dll
18:59:00.0703 2476 Net Driver HPZ12 - ok
18:59:00.0703 2476 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:59:00.0703 2476 NetBIOS - ok
18:59:00.0765 2476 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:59:00.0765 2476 NetBT - ok
18:59:00.0828 2476 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:59:00.0828 2476 NetDDE - ok
18:59:00.0828 2476 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:59:00.0828 2476 NetDDEdsdm - ok
18:59:00.0859 2476 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:00.0859 2476 Netlogon - ok
18:59:00.0906 2476 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:59:00.0921 2476 Netman - ok
18:59:01.0031 2476 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
18:59:01.0046 2476 NetTcpPortSharing - ok
18:59:01.0078 2476 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
18:59:01.0109 2476 NIC1394 - ok
18:59:01.0171 2476 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:59:01.0171 2476 Nla - ok
18:59:01.0187 2476 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
18:59:01.0218 2476 nm - ok
18:59:01.0265 2476 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
18:59:01.0328 2476 NPF - ok
18:59:01.0343 2476 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:59:01.0343 2476 Npfs - ok
18:59:01.0390 2476 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:59:01.0406 2476 Ntfs - ok
18:59:01.0406 2476 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:01.0406 2476 NtLmSsp - ok
18:59:01.0453 2476 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:59:01.0453 2476 NtmsSvc - ok
18:59:01.0484 2476 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:59:01.0500 2476 Null - ok
18:59:01.0531 2476 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:59:01.0562 2476 NwlnkFlt - ok
18:59:01.0562 2476 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:59:01.0578 2476 NwlnkFwd - ok
18:59:01.0781 2476 ocster_backup (59006cac860d2710f464e7fade95af1a) c:\Program Files\Ocster Backup\bin\backupService-ox.exe
18:59:01.0781 2476 ocster_backup - ok
18:59:01.0796 2476 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
18:59:01.0796 2476 ohci1394 - ok
18:59:01.0843 2476 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:59:01.0843 2476 ose - ok
18:59:01.0890 2476 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:59:01.0890 2476 Parport - ok
18:59:01.0890 2476 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:59:01.0890 2476 PartMgr - ok
18:59:01.0906 2476 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:59:01.0906 2476 ParVdm - ok
18:59:01.0906 2476 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:59:01.0906 2476 PCI - ok
18:59:01.0906 2476 PCIDump - ok
18:59:01.0937 2476 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:59:01.0937 2476 PCIIde - ok
18:59:01.0953 2476 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:59:02.0000 2476 Pcmcia - ok
18:59:02.0000 2476 PDCOMP - ok
18:59:02.0000 2476 PDFRAME - ok
18:59:02.0000 2476 PDRELI - ok
18:59:02.0000 2476 PDRFRAME - ok
18:59:02.0015 2476 perc2 - ok
18:59:02.0015 2476 perc2hib - ok
18:59:02.0062 2476 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:59:02.0062 2476 PlugPlay - ok
18:59:02.0125 2476 Pml Driver HPZ12 (65bc271f337637731d3c71455ae1f476) C:\WINDOWS\system32\HPZipm12.dll
18:59:02.0125 2476 Pml Driver HPZ12 - ok
18:59:02.0187 2476 PnkBstrA (a1dd33d16f277ce34124ee52ab2c0f14) C:\WINDOWS\system32\PnkBstrA.exe
18:59:02.0203 2476 PnkBstrA - ok
18:59:02.0203 2476 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:02.0203 2476 PolicyAgent - ok
18:59:02.0281 2476 PORTMON - ok
18:59:02.0296 2476 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:59:02.0296 2476 PptpMiniport - ok
18:59:02.0296 2476 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:02.0296 2476 ProtectedStorage - ok
18:59:02.0296 2476 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:59:02.0312 2476 PSched - ok
18:59:02.0328 2476 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
18:59:02.0328 2476 PSI - ok
18:59:02.0343 2476 PStrip (bcf8d075fad718fea8ef6e281331a56e) C:\WINDOWS\system32\drivers\pstrip.sys
18:59:02.0343 2476 PStrip - ok
18:59:02.0343 2476 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:59:02.0343 2476 Ptilink - ok
18:59:02.0375 2476 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:59:02.0375 2476 PxHelp20 - ok
18:59:02.0375 2476 ql1080 - ok
18:59:02.0375 2476 Ql10wnt - ok
18:59:02.0390 2476 ql12160 - ok
18:59:02.0390 2476 ql1240 - ok
18:59:02.0390 2476 ql1280 - ok
18:59:02.0437 2476 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:59:02.0437 2476 RasAcd - ok
18:59:02.0484 2476 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:59:02.0484 2476 RasAuto - ok
18:59:02.0484 2476 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:59:02.0484 2476 Rasl2tp - ok
18:59:02.0515 2476 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:59:02.0515 2476 RasMan - ok
18:59:02.0515 2476 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:59:02.0531 2476 RasPppoe - ok
18:59:02.0531 2476 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:59:02.0531 2476 Raspti - ok
18:59:02.0546 2476 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:59:02.0546 2476 Rdbss - ok
18:59:02.0578 2476 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:59:02.0578 2476 RDPCDD - ok
18:59:02.0656 2476 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:59:02.0656 2476 RDPWD - ok
18:59:02.0687 2476 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:59:02.0687 2476 RDSessMgr - ok
18:59:02.0687 2476 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:59:02.0687 2476 redbook - ok
18:59:02.0687 2476 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:59:02.0703 2476 RemoteAccess - ok
18:59:02.0812 2476 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe
18:59:02.0812 2476 rpcapd - ok
18:59:02.0812 2476 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:59:02.0812 2476 RpcLocator - ok
18:59:02.0875 2476 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
18:59:02.0875 2476 RpcSs - ok
18:59:02.0906 2476 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:59:02.0906 2476 RSVP - ok
18:59:02.0953 2476 RTL8023xp (b4a166449464a4bf4a8ba0ccc0c00e16) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
18:59:02.0968 2476 RTL8023xp - ok
18:59:03.0015 2476 RTLVLAN (b9ca69921379ea2931c4450fe975bce7) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
18:59:03.0031 2476 RTLVLAN - ok
18:59:03.0046 2476 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:59:03.0046 2476 SamSs - ok
18:59:03.0062 2476 SANDRA - ok
18:59:03.0140 2476 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
18:59:03.0140 2476 SASDIFSV - ok
18:59:03.0140 2476 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
18:59:03.0156 2476 SASKUTIL - ok
18:59:03.0218 2476 SbFw (eb4a2b5faa3decd33ed682a5569e287f) C:\WINDOWS\system32\drivers\SbFw.sys
18:59:03.0218 2476 SbFw - ok
18:59:03.0250 2476 SBFWIMCL (f27b38d70b7621378161d6f48be04d2c) C:\WINDOWS\system32\DRIVERS\sbfwim.sys
18:59:03.0250 2476 SBFWIMCL - ok
18:59:03.0250 2476 SBFWIMCLMP (f27b38d70b7621378161d6f48be04d2c) C:\WINDOWS\system32\DRIVERS\SBFWIM.sys
18:59:03.0250 2476 SBFWIMCLMP - ok
18:59:03.0296 2476 sbhips (ba5fce28fc80355d59b3328baecc1ead) C:\WINDOWS\system32\drivers\sbhips.sys
18:59:03.0296 2476 Suspicious file (Forged): C:\WINDOWS\system32\drivers\sbhips.sys. Real md5: ba5fce28fc80355d59b3328baecc1ead, Fake md5: 4a8f6b7224cba84eeddcbeebf1c4db71
18:59:03.0296 2476 sbhips ( ForgedFile.Multi.Generic ) - warning
18:59:03.0296 2476 sbhips - detected ForgedFile.Multi.Generic (1)
18:59:03.0312 2476 SBRE - ok
18:59:03.0359 2476 SbTis (c9e5e5edc6671d8c626d510690c8a653) C:\WINDOWS\system32\drivers\sbtis.sys
18:59:03.0359 2476 Suspicious file (Forged): C:\WINDOWS\system32\drivers\sbtis.sys. Real md5: c9e5e5edc6671d8c626d510690c8a653, Fake md5: 39da0d12a4f4ce3ab327af5d99a2591e
18:59:03.0359 2476 SbTis ( ForgedFile.Multi.Generic ) - warning
18:59:03.0359 2476 SbTis - detected ForgedFile.Multi.Generic (1)
18:59:03.0375 2476 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:59:03.0375 2476 SCardSvr - ok
18:59:03.0406 2476 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:59:03.0421 2476 Schedule - ok
18:59:03.0453 2476 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:59:03.0484 2476 Secdrv - ok
18:59:03.0500 2476 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:59:03.0500 2476 seclogon - ok
18:59:03.0609 2476 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
18:59:03.0671 2476 Secunia PSI Agent - ok
18:59:03.0750 2476 Secunia Update Agent (0e88fdf474f2cdd370a4a6ce77d018f0) C:\Program Files\Secunia\PSI\sua.exe
18:59:03.0750 2476 Secunia Update Agent - ok
18:59:03.0796 2476 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:59:03.0796 2476 SENS - ok
18:59:03.0828 2476 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:59:03.0828 2476 serenum - ok
18:59:03.0843 2476 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:59:03.0843 2476 Serial - ok
18:59:03.0906 2476 sfdrv01 (00de597b81b381053cb5b21a7f20e365) C:\WINDOWS\system32\drivers\sfdrv01.sys
18:59:03.0906 2476 sfdrv01 - ok
18:59:03.0906 2476 sfhlp02 (64b9ab76f1b16eb059cb6cdd906c067a) C:\WINDOWS\system32\drivers\sfhlp02.sys
18:59:03.0906 2476 sfhlp02 - ok
18:59:03.0921 2476 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:59:03.0921 2476 Sfloppy - ok
18:59:03.0921 2476 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys
18:59:03.0921 2476 sfng32 - ok
18:59:03.0953 2476 sfsync02 (798d918d8f20380008277ce3ce5319d1) C:\WINDOWS\system32\drivers\sfsync02.sys
18:59:03.0953 2476 sfsync02 - ok
18:59:03.0984 2476 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:59:03.0984 2476 SharedAccess - ok
18:59:04.0031 2476 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:59:04.0046 2476 ShellHWDetection - ok
18:59:04.0046 2476 Simbad - ok
18:59:04.0093 2476 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:59:04.0125 2476 SLIP - ok
18:59:04.0156 2476 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
18:59:04.0218 2476 SONYPVU1 - ok
18:59:04.0218 2476 Sparrow - ok
18:59:04.0234 2476 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:59:04.0234 2476 splitter - ok
18:59:04.0281 2476 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:59:04.0281 2476 Spooler - ok
18:59:04.0281 2476 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:59:04.0281 2476 sr - ok
18:59:04.0312 2476 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:59:04.0312 2476 srservice - ok
18:59:04.0375 2476 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:59:04.0390 2476 Srv - ok
18:59:04.0406 2476 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:59:04.0406 2476 SSDPSRV - ok
18:59:04.0453 2476 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
18:59:04.0453 2476 ssmdrv - ok
18:59:04.0515 2476 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
18:59:04.0531 2476 STHDA - ok
18:59:04.0578 2476 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:59:04.0593 2476 stisvc - ok
18:59:04.0625 2476 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:59:04.0656 2476 streamip - ok
18:59:04.0671 2476 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:59:04.0671 2476 swenum - ok
18:59:04.0687 2476 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:59:04.0687 2476 swmidi - ok
18:59:04.0687 2476 SwPrv - ok
18:59:04.0703 2476 symc810 - ok
18:59:04.0703 2476 symc8xx - ok
18:59:04.0703 2476 sym_hi - ok
18:59:04.0703 2476 sym_u3 - ok
18:59:04.0750 2476 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:59:04.0750 2476 sysaudio - ok
18:59:04.0765 2476 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:59:04.0765 2476 SysmonLog - ok
18:59:04.0796 2476 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:59:04.0796 2476 TapiSrv - ok
18:59:04.0843 2476 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:59:04.0843 2476 Tcpip - ok
18:59:04.0890 2476 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
18:59:04.0890 2476 Tcpip6 - ok
18:59:04.0921 2476 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:59:04.0953 2476 TDPIPE - ok
18:59:04.0968 2476 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:59:04.0984 2476 TDTCP - ok
18:59:05.0000 2476 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:59:05.0000 2476 TermDD - ok
18:59:05.0031 2476 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:59:05.0031 2476 TermService - ok
18:59:05.0078 2476 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:59:05.0078 2476 Themes - ok
18:59:05.0078 2476 TosIde - ok
18:59:05.0093 2476 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:59:05.0093 2476 TrkWks - ok
18:59:05.0156 2476 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
18:59:05.0156 2476 tunmp - ok
18:59:05.0187 2476 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:59:05.0203 2476 Udfs - ok
18:59:05.0203 2476 ultra - ok
18:59:05.0234 2476 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:59:05.0234 2476 Update - ok
18:59:05.0265 2476 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:59:05.0265 2476 upnphost - ok
18:59:05.0281 2476 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:59:05.0281 2476 UPS - ok
18:59:05.0312 2476 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:59:05.0343 2476 usbaudio - ok
18:59:05.0359 2476 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:59:05.0359 2476 usbccgp - ok
18:59:05.0421 2476 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:59:05.0421 2476 usbehci - ok
18:59:05.0421 2476 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:59:05.0421 2476 usbhub - ok
18:59:05.0453 2476 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:59:05.0468 2476 usbprint - ok
18:59:05.0468 2476 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:59:05.0468 2476 usbscan - ok
18:59:05.0468 2476 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:59:05.0468 2476 USBSTOR - ok
18:59:05.0484 2476 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:59:05.0484 2476 usbuhci - ok
18:59:05.0500 2476 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:59:05.0500 2476 VgaSave - ok
18:59:05.0500 2476 ViaIde - ok
18:59:05.0531 2476 Video3D (8643da4a6c83da6c10fcab1e5ab6632d) C:\WINDOWS\system32\Drivers\Video3D32.sys
18:59:05.0531 2476 Video3D - ok
18:59:05.0562 2476 VKbms (07c20e596a0838809bc5ff5de5a65973) C:\WINDOWS\system32\DRIVERS\VKbms.sys
18:59:05.0593 2476 VKbms - ok
18:59:05.0609 2476 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:59:05.0609 2476 VolSnap - ok
18:59:05.0671 2476 Vsdatant (b0d3c4497d1ed91628dc56f592aebef4) C:\WINDOWS\system32\vsdatant.sys
18:59:05.0687 2476 Vsdatant - ok
18:59:05.0796 2476 vsmon - ok
18:59:05.0828 2476 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:59:05.0828 2476 VSS - ok
18:59:05.0843 2476 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:59:05.0859 2476 W32Time - ok
18:59:05.0859 2476 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:59:05.0890 2476 Wanarp - ok
18:59:05.0937 2476 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:59:05.0984 2476 Wdf01000 - ok
18:59:05.0984 2476 WDICA - ok
18:59:06.0000 2476 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:59:06.0015 2476 wdmaud - ok
18:59:06.0015 2476 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:59:06.0015 2476 WebClient - ok
18:59:06.0140 2476 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:59:06.0140 2476 winmgmt - ok
18:59:06.0187 2476 WmdmPmSN (051b1bdecd6dee18c771b5d5ec7f044d) C:\WINDOWS\system32\MsPMSNSv.dll
18:59:06.0187 2476 WmdmPmSN - ok
18:59:06.0218 2476 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:59:06.0218 2476 WmiApSrv - ok
18:59:06.0281 2476 WMPNetworkSvc (6bab4dc65515a098505f8b3d01fb6fe5) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:59:06.0296 2476 WMPNetworkSvc - ok
18:59:06.0484 2476 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
18:59:06.0515 2476 WPFFontCache_v0400 - ok
18:59:06.0578 2476 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:59:06.0609 2476 WS2IFSL - ok
18:59:06.0671 2476 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:59:06.0671 2476 wscsvc - ok
18:59:06.0734 2476 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:59:06.0734 2476 WSTCODEC - ok
18:59:06.0781 2476 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:59:06.0781 2476 wuauserv - ok
18:59:06.0828 2476 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:59:06.0843 2476 WudfPf - ok
18:59:06.0859 2476 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:59:06.0859 2476 WudfRd - ok
18:59:06.0875 2476 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:59:06.0875 2476 WudfSvc - ok
18:59:06.0921 2476 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:59:06.0937 2476 WZCSVC - ok
18:59:06.0968 2476 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:59:06.0968 2476 xmlprov - ok
18:59:07.0000 2476 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:59:07.0187 2476 \Device\Harddisk0\DR0 - ok
18:59:07.0203 2476 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
18:59:07.0203 2476 \Device\Harddisk1\DR1 - ok
18:59:07.0203 2476 Boot (0x1200) (b891c9f796030d8067e838a165df3072) \Device\Harddisk0\DR0\Partition0
18:59:07.0203 2476 \Device\Harddisk0\DR0\Partition0 - ok
18:59:07.0203 2476 Boot (0x1200) (5d59a4e8ad68a12619b43c00c0ba39cc) \Device\Harddisk1\DR1\Partition0
18:59:07.0203 2476 \Device\Harddisk1\DR1\Partition0 - ok
18:59:07.0203 2476 ============================================================
18:59:07.0203 2476 Scan finished
18:59:07.0203 2476 ============================================================
18:59:07.0218 1168 Detected object count: 2
18:59:07.0218 1168 Actual detected object count: 2
18:59:34.0656 1168 sbhips ( ForgedFile.Multi.Generic ) - skipped by user
18:59:34.0656 1168 sbhips ( ForgedFile.Multi.Generic ) - User select action: Skip
18:59:34.0656 1168 SbTis ( ForgedFile.Multi.Generic ) - skipped by user
18:59:34.0656 1168 SbTis ( ForgedFile.Multi.Generic ) - User select action: Ski

My antivirus (Avira) popped up the following message when I ran the MBR scan..."A virus or unwanted program was found in the file C:\Documents and Settings\owner\local settings\temp\avast4\unp11996848.tmp. Access to this file was denied"

I stopped the MBR scan, hit the remove button on the Avira popup and then restarted the MBR scan and another Avira popup with the same message as above only with a different ending number...unp151472846.tmp came up.

This time I hit the Avira remove button and let the MBR scan continue.

Not sure what all this means.

MBR scan log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-07 19:23:44
-----------------------------
19:23:44.453 OS Version: Windows 5.1.2600 Service Pack 3
19:23:44.453 Number of processors: 2 586 0xF02
19:23:44.453 ComputerName: DOUG1 UserName: Owner
19:23:45.296 Initialize success
19:23:50.703 AVAST engine defs: 12050701
19:23:56.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:23:56.687 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 3
19:23:56.687 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
19:23:56.687 Disk 1 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 3
19:23:56.703 Disk 0 MBR read successfully
19:23:56.718 Disk 0 MBR scan
19:23:56.734 Disk 0 Windows XP default MBR code
19:23:56.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
19:23:56.765 Disk 0 scanning sectors +976768065
19:23:56.812 Disk 0 scanning C:\WINDOWS\system32\drivers
19:24:15.437 Service scanning
19:24:34.906 Modules scanning
19:24:46.437 Disk 0 trace - called modules:
19:24:46.484 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys sfsync02.sys hal.dll iaStor.sys
19:24:46.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89db0030]
19:24:46.484 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a1b5030]
19:24:47.593 AVAST engine scan C:\WINDOWS
19:25:26.750 AVAST engine scan C:\WINDOWS\system32
19:29:54.875 AVAST engine scan C:\WINDOWS\system32\drivers
19:30:42.187 AVAST engine scan C:\Documents and Settings\Owner
19:45:14.000 AVAST engine scan C:\Documents and Settings\All Users
19:48:24.968 Scan finished successfully
19:50:59.515 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
19:50:59.515 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

#10 gringo_pr (Bleepin Gringo) - Malware Response Team, 136,772 posts, Puerto Rico

Posted 08 May 2012 - 08:44 AM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ua7tehb1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}

Driver::
iatmunin

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 dcvh (Topic Starter) - Members, 8 posts

Posted 08 May 2012 - 02:11 PM

ComboFix Log


ComboFix 12-05-08.01 - Owner 05/08/2012 10:34:48.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2030.1274 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IATMUNIN
-------\Service_iatmunin
.
.
((((((((((((((((((((((((( Files Created from 2012-04-08 to 2012-05-08 )))))))))))))))))))))))))))))))
.
.
2012-04-26 16:47 . 2012-03-22 17:43 2557952 ----a-w- c:\windows\system32\QtCore4.dll
2012-04-26 16:47 . 2012-04-18 17:49 405176 ----a-w- c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-04-24 19:24 . 2012-04-24 19:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-24 19:23 . 2012-04-24 19:23 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-24 19:23 . 2012-04-24 19:23 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-19 15:56 . 2012-04-19 15:56 -------- d-----w- c:\windows\Hewlett-Packard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 13:17 . 2011-12-31 00:39 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-08 13:17 . 2011-12-31 00:39 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-05 06:25 . 2012-04-01 00:50 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 06:25 . 2011-06-09 04:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 03:01 . 2010-10-29 03:01 196608 ----a-w- c:\windows\system32\drivers\nVivid.bin
2012-04-29 20:20 . 2007-09-11 05:43 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2012-04-04 19:56 . 2010-07-18 04:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 16:03 . 2010-04-29 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-03-18 16:03 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-23 20:02 . 2009-03-16 22:51 101727 ----a-w- C:\MGlogs.zip
2012-02-19 23:49 . 2012-02-19 23:49 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-15 03:44 . 2006-12-17 02:50 7585792 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-02-15 03:41 . 2009-02-25 21:09 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-02-15 03:09 . 2009-02-25 21:30 19611648 ----a-w- c:\windows\system32\atioglxx.dll
2012-02-15 02:56 . 2009-02-25 21:42 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-15 02:55 . 2007-07-28 03:30 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-02-15 02:52 . 2007-07-28 03:12 5358080 ----a-w- c:\windows\system32\ati3duag.dll
2012-02-15 02:43 . 2011-04-24 22:31 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-02-15 02:34 . 2009-02-25 21:30 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-02-15 02:34 . 2009-02-25 21:29 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-02-15 02:34 . 2009-02-25 21:29 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-02-15 02:34 . 2009-02-25 21:29 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-02-15 02:33 . 2009-02-25 21:29 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-02-15 02:32 . 2009-02-25 21:27 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-02-15 02:31 . 2007-07-28 03:01 4155648 ----a-w- c:\windows\system32\ativvaxx.dll
2012-02-15 02:31 . 2009-02-25 21:26 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-02-15 02:29 . 2010-08-04 05:27 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-15 02:25 . 2009-02-25 20:40 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-02-15 02:21 . 2009-02-25 20:35 634880 ----a-w- c:\windows\system32\atiok3x2.dll
2012-02-15 02:20 . 2009-02-25 20:38 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-15 02:19 . 2009-02-25 20:38 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-02-15 02:13 . 2007-07-28 02:40 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-02-15 02:12 . 2009-02-25 20:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-02-15 02:12 . 2010-10-29 02:43 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-02-15 02:12 . 2009-02-25 20:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-02-11 03:56 . 1999-10-06 01:38 640 ----a-w- c:\windows\Fonts\readme.txt
2012-04-24 19:23 . 2011-03-23 23:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-07_03.31.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-08 14:45 . 2012-05-08 14:45 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Quicknote"="c:\program files\Quicknote\Quicknote.exe" [2007-12-02 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-02-24 328800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-01-06 738944]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Zapu\\Zapu Accelerator\\wDivi.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Daum\\PotPlayer\\PotPlayerMini.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/30/2011 8:39 PM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [3/31/2012 9:34 AM 332248]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [11/30/2011 6:13 PM 913752]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/30/2011 8:39 PM 86224]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [8/29/2011 10:06 PM 21992]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/25/2010 2:42 PM 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/8/2009 2:45 AM 10384]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]
R2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [6/29/2011 12:16 PM 18200]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 10:37 PM 27992]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 2:01 AM 399416]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/20/2012 1:54 PM 100368]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [3/31/2012 9:34 AM 212568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate1c987bc5de93bdc;Google Update Service (gupdate1c987bc5de93bdc);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\Drivers\Abyssus.sys --> c:\windows\system32\Drivers\Abyssus.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/31/2012 8:50 PM 257696]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/25/2010 2:43 PM 11264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 2:05 PM 133104]
S3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [12/2/2011 8:20 PM 6656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 3:24 PM 129976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S3 PORTMON;PORTMON;\??\c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS --> c:\documents and settings\Owner\Desktop\sysinternal\SysinternalsSuite\PORTMSYS.SYS [?]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/25/2010 2:42 PM 16640]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [3/31/2012 9:34 AM 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [3/31/2012 9:34 AM 94040]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [12/2/2011 8:20 PM 10240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - ndiszapu
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 06:25]
.
2012-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-05-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-11-10 00:33]
.
2012-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 02:49]
.
2012-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:05]
.
2012-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-05-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: Interfaces\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ua7tehb1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-08 10:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:1a,2b,da,be,c5,b5,4a,7b,1f,ea,e7,ca,e1,e9,b0,e4,f8,e8,06,9a,47,
53,05,40,96,70,aa,af,c8,9e,77,05,3f,23,24,75,bb,04,cd,f8,f8,b4,07,dd,98,ca,\
"rkeysecu"=hex:1d,e8,50,f2,ea,14,52,98,35,bb,06,c5,15,2a,d0,5a
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0a\05\07\17\07\1e?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1440)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1496)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Ocster Backup\bin\oxHelper.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-05-08 10:54:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-08 14:54
ComboFix2.txt 2012-05-08 14:28
ComboFix3.txt 2012-05-07 03:36
.
Pre-Run: 171,837,423,616 bytes free
Post-Run: 171,660,943,360 bytes free
.
- - End Of File - - 785DBF2C51C537D5509642CDFF411797


PC is running much like normal now...before the fixes I experienced frequent lockups and loading times were anywhere from 10-20 seconds

It may be my misperception, or it could be normal since I've lived so long with a slow PC, but occasionally it seems some loading times are a little longer than before running the script...maybe 3-5 seconds.

Regardless, I'm very satisfied with current performance

You've been very helpful

I just made a donation
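
As an added example that is not part of this thread or of ComboFix itself: a Python script that parses the "Reg Loading Points" and service lines of a ComboFix log in the layout shown above and flags what a helper would check first (a Winlogon UIHost other than the stock logonui.exe, Run entries launching from a user profile or temp directory, a disabled Windows Firewall standard profile, and service entries ending in [?], taken here to mean ComboFix found no file date or size to print). The sample log is constructed in that layout; the "Updater" entry is invented to exercise the profile-path check, and a flag means "verify", not "malicious".

```python
"""Triage helper for the ComboFix 'Reg Loading Points' and service lines.

Parses the log layout shown in the post above (bracketed registry keys,
"name"="value" lines, R#/S# service lines) and flags entries a helper
would look at first.  Heuristics are this example's own, not ComboFix's.
"""
import re

# Constructed sample in the ComboFix log layout; the "Updater" Run entry is
# invented to exercise the profile-path check, the others mirror the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"Updater"="c:\documents and settings\Owner\Application Data\update\upd.exe" [2012-04-26 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/30/2011 8:39 PM 36000]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")

# Autostart executables living here deserve a second look: rogue "antivirus"
# installers commonly drop into the user's profile or temp directories.
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


def parse_log(text):
    """Return ({registry key: {name: raw value}}, [(start type, name, path part)])."""
    sections, services = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group(1), m.group(2), m.group(4)))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections, services


def image_path(value):
    """Extract the quoted executable path from a Run value, lower-cased."""
    return value.split('"')[1].lower() if value.startswith('"') else value.lower()


def triage(text):
    """Return a list of (severity, message) tuples for a ComboFix log excerpt."""
    sections, services = parse_log(text)
    findings = []
    for key, values in sections.items():
        lk = key.lower()
        if lk.endswith("\\winlogon"):
            # Stock XP logon UI is logonui.exe; anything else needs verifying.
            uihost = values.get("UIHost", "").strip('"').lower()
            if uihost and not uihost.endswith("\\logonui.exe"):
                findings.append(("review", f"non-default Winlogon UIHost: {uihost}"))
        elif lk.endswith("\\currentversion\\run"):
            for name, value in values.items():
                path = image_path(value)
                if any(d in path for d in SUSPECT_DIRS):
                    findings.append(("review", f"Run entry '{name}' starts from a profile/temp path: {path}"))
        elif lk.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(("info", "Windows Firewall standard profile is disabled"))
    for start, name, rest in services:
        # "[?]" is assumed to mark a service whose file ComboFix could not read.
        if rest.rstrip().endswith("[?]"):
            findings.append(("review", f"service '{name}' ({start}) points to a file ComboFix could not read"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```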

#12 gringo_pr (Bleepin Gringo) - Malware Response Team, 136,772 posts, Puerto Rico

Posted 08 May 2012 - 03:11 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.


I want you to reset the DMA; you can do this with this script here - Reset DMA

If you have problems when you click on the link, try to right-click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop, right-click on the file and select "Run".

If you still can't run it, then you can go here "Reset DMA" to see what I want to do.




Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Vuze


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 dcvh (Topic Starter) - Members, 8 posts

Posted 09 May 2012 - 10:34 AM

MBAM Log

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: DOUG1 [administrator]

5/9/2012 11:07:58 AM
mbam-log-2012-05-09 (11-07-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236672
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:18:49 AM, on 5/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Quicknote\Quicknote.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\Quicknote.exe
O4 - HKUS\S-1-5-21-1343024091-562591055-725345543-1007\..\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized (User '_ocster_backup_')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\Owner\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177491347281
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FF3CA48-028C-4092-9E3D-C07BC4E77A54}: NameServer = 8.8.8.8,8.8.4.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Advanced SystemCare Service 5 (AdvancedSystemCareService5) - IObit - C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c987bc5de93bdc) (gupdate1c987bc5de93bdc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: Ocster Backup (ocster_backup) - Unknown owner - c:\Program Files\Ocster Backup\bin\backupService-ox.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 11281 bytes


Ran CCleaner

Removed Vuze

No problems with PC

PC is still running well

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 May 2012 - 01:01 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to. You can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad, ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\Quicknote.exe
      O4 - HKUS\S-1-5-21-1343024091-562591055-725345543-1007\..\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized (User '_ocster_backup_')
      O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g. IntelliPoint from
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe on 32-bit Windows,
or C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe on 64-bit Windows)
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run it as administrator.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



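The O4 and O23 lines gringo_pr asks dcvh to work through above are HijackThis's view of the autostart registry Run keys, the Startup folders and the installed services. "Fix Checked" on an O4 line deletes that Run value or startup shortcut; the program itself stays installed. As an added example, not code from the thread, from BleepingComputer or from HijackThis, here is a small Python triage script that parses those lines and flags the ones a helper would look at first: a Run value that names a bare file with no path (resolved through the PATH search order, so easy to shadow), an executable outside Program Files or WINDOWS, an entry under another user's SID, and a service whose binary carries no company name ("Unknown owner"). The sample input is copied from the HijackThis log in this thread plus one constructed Run entry under Application Data to exercise the out-of-tree check; the trusted roots and the flag wording are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the HijackThis log posted in this thread. The
# "constructed-example" Run entry is constructed for this example and was
# NOT in the log; it models a persistence entry dropped under Application Data.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\Quicknote.exe
O4 - HKUS\S-1-5-21-1343024091-562591055-725345543-1007\..\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe /minimized (User '_ocster_backup_')
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\Owner\Application Data\updater.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ocster Backup (ocster_backup) - Unknown owner - c:\Program Files\Ocster Backup\bin\backupService-ox.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
"""

# Assumed "expected" locations for autostart binaries on this XP box.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

# O4 registry Run entries: hive, key name, [value name], command line.
REG_RUN = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O4 Startup-folder shortcuts: "<name>.lnk = <target>".
STARTUP = re.compile(r"^O4 - (Startup|Global Startup): (.+?) = (.*)$")
# O23 services: display name - owner (company from version info) - binary.
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Executable inside a command line: either the quoted first token, or the
# shortest prefix ending in a program extension followed by a space or the end.
EXE_IN_CMD = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                  # "O4" or "O23"
    name: str                  # Run value name, .lnk name or service display name
    path: Optional[str]        # executable we extracted, None if unparseable
    flags: List[str] = field(default_factory=list)


def executable_path(command: str) -> Optional[str]:
    """Return the program a HijackThis command line launches, or None."""
    m = EXE_IN_CMD.match(command.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def path_flags(path: Optional[str]) -> List[str]:
    """Location-based checks shared by Run entries, shortcuts and services."""
    if path is None:
        return ["could not parse executable path; inspect by hand"]
    low = path.lower()
    if "\\" not in low:
        return ["bare filename: resolved through the PATH search order, easy to shadow"]
    if not low.startswith(TRUSTED_ROOTS):
        return ["executable outside Program Files / WINDOWS"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Parse O4/O23 lines and attach triage flags to each autostart entry."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RUN.match(line)
        if m:
            hive, _key, name, command = m.groups()
            path = executable_path(command)
            flags = path_flags(path)
            if hive.startswith("HKUS\\"):
                flags.append("runs under another user's profile: " + hive)
            findings.append(Finding("O4", name, path, flags))
            continue
        m = STARTUP.match(line)
        if m:
            _folder, lnk, command = m.groups()
            path = executable_path(command)
            findings.append(Finding("O4", lnk, path, path_flags(path)))
            continue
        m = SERVICE.match(line)
        if m:
            svc, owner, command = m.groups()
            path = executable_path(command)
            flags = path_flags(path)
            if owner == "Unknown owner":
                flags.append("no company name in version info: verify the binary manually")
            findings.append(Finding("O23", svc, path, flags))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Only the entries that earned at least one flag."""
    return [f for f in findings if f.flags]


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_LOG)):
        print(f"{f.kind} {f.name!r} -> {f.path}: {'; '.join(f.flags)}")
```

Run against the sample, the script flags KHALMNPR.EXE (bare filename), the ooVoo entry (another user's hive), the constructed Application Data entry, and the two "Unknown owner" services; everything else in the log lives under Program Files or WINDOWS and is left alone. A flag is a reason to look, not a verdict: the two "Unknown owner" services here are an ATI driver helper and a backup product, so the next step is checking the file's signature and hash, not deleting it.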

#15 dcvh

dcvh
  • Topic Starter

  • Members
  • 8 posts

Posted 09 May 2012 - 06:33 PM

ESET Scan

C:\Documents and Settings\Owner\desktop\downloads\asc5-setup-aff.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\Owner\desktop\downloads\gb3-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\Owner\desktop\downloads\hd2\Facemoods.exe probably a variant of Win32/InstallCore.A application
C:\Documents and Settings\Owner\desktop\downloads\hd2\hd2 patch\installer_hidden__dangerous_2_patch.exe multiple threats
C:\Documents and Settings\Owner\desktop\downloads\nero help\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\Owner\desktop\downloads\revo\cnet_revosetup_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp5601_full_emusic-7plus_en-us.exe Win32/OpenCandy application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp561_full_emusic-7plus_all.exe Win32/OpenCandy application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp5623_full_emusic-7plus_all.exe Win32/OpenCandy application
C:\MGtools\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP107\A0021296.exe Win32/OpenCandy application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016204.rbf a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016205.rbf a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016219.rbf probably a variant of Win32/Toolbar.Widgi application


Ran HijackThis and removed unneeded start-up entries

I was surprised to see that ESET revealed 14 infections

PC still running well
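Of the 14 detections ESET reported above, thirteen carry ESET's "application" suffix (potentially unwanted or unsafe software, here toolbar and OpenCandy bundlers inside downloaded installers), four sit in System Restore points under System Volume Information where they are inert unless a restore is performed, and only one ("multiple threats", a game patch in the downloads folder) is labelled as real malware. As an added example, not code from the thread, from BleepingComputer or from ESET, the Python below parses that output and sorts it by location and severity so that the one file that actually needs attention stands out. The input lines are copied from the ESET results in this thread; the location buckets and the PUA/malware split are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Detection lines copied from the ESET Online Scanner output posted above.
ESET_OUTPUT = r"""
C:\Documents and Settings\Owner\desktop\downloads\asc5-setup-aff.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\Owner\desktop\downloads\gb3-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\Owner\desktop\downloads\hd2\Facemoods.exe probably a variant of Win32/InstallCore.A application
C:\Documents and Settings\Owner\desktop\downloads\hd2\hd2 patch\installer_hidden__dangerous_2_patch.exe multiple threats
C:\Documents and Settings\Owner\desktop\downloads\nero help\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application
C:\Documents and Settings\Owner\desktop\downloads\revo\cnet_revosetup_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp5601_full_emusic-7plus_en-us.exe Win32/OpenCandy application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp561_full_emusic-7plus_all.exe Win32/OpenCandy application
C:\Documents and Settings\Owner\desktop\downloads\winamp\winamp5623_full_emusic-7plus_all.exe Win32/OpenCandy application
C:\MGtools\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP107\A0021296.exe Win32/OpenCandy application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016204.rbf a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016205.rbf a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{1C859638-3793-456C-ABCA-B4C314C48AB5}\RP68\A0016219.rbf probably a variant of Win32/Toolbar.Widgi application
"""

# ESET prints "<path> <detection name>". The path ends at the first
# "<dot><short extension><space>" boundary, which is enough for Windows paths
# (directory names in this log contain spaces but no dots).
LINE = re.compile(r"^(.+?\.[A-Za-z0-9]{1,4}) (.+)$")


def parse_eset(text: str) -> List[Tuple[str, str]]:
    """Split each result line into (path, detection)."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def location(path: str) -> str:
    """Where the file lives decides how urgent it is (buckets are this example's)."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore point"      # inert unless System Restore is used
    if "\\downloads\\" in low:
        return "downloads folder"   # an installer on disk, not a running program
    return "other"


def category(detection: str) -> str:
    """ESET suffixes potentially unwanted/unsafe software with 'application';
    anything else (trojan names, 'multiple threats') is treated as malware."""
    return "PUA" if detection.endswith(" application") else "malware"


def summarize(entries: List[Tuple[str, str]]) -> Dict[str, object]:
    by_location = Counter(location(p) for p, _ in entries)
    by_category = Counter(category(d) for _, d in entries)
    # Real malware outside a restore point is what the helper should act on first.
    needs_attention = [p for p, d in entries
                       if category(d) == "malware" and location(p) != "restore point"]
    return {
        "total": len(entries),
        "by_location": dict(by_location),
        "by_category": dict(by_category),
        "needs_attention": needs_attention,
    }


if __name__ == "__main__":
    summary = summarize(parse_eset(ESET_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The summary reduces "14 infections" to one file worth acting on, nine stale installers that can simply be deleted from the downloads folder, and four restore-point copies that disappear when the restore points are purged, which is the usual reason a helper asks for a clean restore point at the end of a cleanup.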



