
infected with cryptic trojan, threats pop-up


  • This topic is locked
20 replies to this topic

#1 geraldlezebre

  • Members
  • 9 posts

Posted 29 April 2012 - 07:58 AM

AVG scan says I have a cryptic trojan. A scan in safe mode found a certain number of threats, but the problem persists. Now many threat windows keep coming up. Here's my info:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Philibert at 19:51:37 on 2012-04-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.779 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\rundll32.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Philibert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\RacAgent.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\users\philibert\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [omgoli] rundll32.exe "c:\users\philib~1\appdata\local\temp\omgoli.dll",WriteFileStamp
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUpldfr-ca.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
TCP: Interfaces\{C9E535B5-3EE7-411E-BFF9-ECE2E1F9141A} : DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
.
=============== Created Last 30 ================
.
2012-04-28 19:10:43 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-28 19:10:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-28 19:09:24 -------- d-----w- c:\programdata\F4D55F32007726CB03AEAB7B570F1C8B
2012-04-12 07:13:33 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 07:13:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 07:13:33 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 07:13:33 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 07:12:19 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:12:19 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 04:55:33 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-11 00:07:35 -------- d-----w- C:\PFiles
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-04-02 18:51:26 274944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp64X.dll
.
==================== Find3M ====================
.
2012-04-28 19:10:09 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-15 12:08:52 1288192 ----a-w- c:\windows\system32\VSFilter.dll
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 22:26:30 3350528 ----a-w- c:\windows\system32\ffdshow.ax
2012-02-13 22:24:56 4407808 ----a-w- c:\windows\system32\ffmpeg.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-12 14:20:46 461824 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-02-12 14:20:42 562176 ----a-w- c:\windows\system32\LAVVideo.ax
2012-02-12 14:20:38 215040 ----a-w- c:\windows\system32\LAVAudio.ax
2012-02-12 14:20:36 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-02-12 12:33:30 360729 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-02-12 12:33:30 203818 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-02-12 12:33:30 1143059 ----a-w- c:\windows\system32\avformat-lav-53.dll
2012-02-12 12:33:28 6414616 ----a-w- c:\windows\system32\avcodec-lav-53.dll
2012-02-12 12:33:28 138774 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-02-12 12:16:48 147456 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-02-08 22:53:06 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-08 22:52:02 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2012-02-08 22:51:54 99840 ----a-w- c:\windows\system32\ff_wmv9.dll
2012-02-08 22:51:54 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2012-02-08 22:51:52 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2012-02-08 22:51:52 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2012-02-08 22:51:50 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2012-02-08 22:51:50 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2012-02-08 22:51:48 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2012-02-08 22:51:48 137728 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2012-02-07 15:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-30 22:29:24 381440 ----a-w- c:\windows\system32\cdxareader.ax
2012-01-30 22:29:08 445440 ----a-w- c:\windows\system32\FLVSplitter.ax
.
============= FINISH: 19:57:43.99 ===============

Thanks in advance!
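As an added illustration (not part of the original post and not a BleepingComputer or DDS tool), the following Python triage walks the "Pseudo HJT Report" section of the DDS log above and flags the two entries a malware responder would look at first: the user-level browser proxy set to 127.0.0.1:5555, and the rundll32 autorun that loads a DLL from the user's temp folder. The sample lines are copied from the log; the severity labels and the rules are my own assumptions, not a DDS feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the "Pseudo HJT Report" section of the
# DDS log above, plus a few benign entries for contrast.
SAMPLE_HJT = r"""
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Google Update] "c:\users\philibert\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [omgoli] rundll32.exe "c:\users\philib~1\appdata\local\temp\omgoli.dll",WriteFileStamp
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [<NO NAME>]
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|::1)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^[um]Run(Once)?:", re.IGNORECASE)
# Either a quoted path or a bare drive-letter path inside a Run entry.
PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\[^\s,"]+)', re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (assumed labels)
    line: str
    reason: str


def _proxy_hosts(value: str) -> list[str]:
    """'http=127.0.0.1:5555;https=proxy:8080' -> ['127.0.0.1', 'proxy']"""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:  # per-protocol form: scheme=host:port
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])
    return hosts


def _paths_in(entry: str) -> list[str]:
    return [quoted or bare for quoted, bare in PATH_RE.findall(entry)]


def triage(report: str) -> list[Finding]:
    """Flag Pseudo-HJT entries that commonly indicate a trojan or adware foothold."""
    findings: list[Finding] = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if "ProxyServer" in line and "=" in line:
            # A loopback proxy means some local process sits in the web traffic path.
            for host in _proxy_hosts(line.split("=", 1)[1]):
                if LOOPBACK_RE.match(host):
                    findings.append(Finding(
                        "high", line,
                        f"browser proxy points at loopback host {host}"))
            continue
        if RUN_KEY_RE.match(line):
            paths = _paths_in(line)
            temp_paths = [p for p in paths if TEMP_DIR_RE.search(p)]
            untrusted = [p for p in paths if not p.lower().startswith(TRUSTED_ROOTS)]
            if temp_paths:
                findings.append(Finding(
                    "high", line,
                    f"autorun entry loads {temp_paths[0]} from a temp directory"))
            elif "rundll32" in line.lower() and untrusted:
                findings.append(Finding(
                    "medium", line,
                    f"rundll32 autorun loads {untrusted[0]} from outside Windows/Program Files"))
            if "[<NO NAME>]" in line:
                findings.append(Finding("low", line, "unnamed Run entry; confirm it is empty"))
            continue
        if line.endswith("- No File"):
            findings.append(Finding("low", line, "orphaned hook/toolbar reference (No File)"))
    return findings


def counts_by_severity(findings: list[Finding]) -> dict[str, int]:
    result = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        result[f.severity] += 1
    return result


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

A loopback proxy is not proof of infection by itself (some security products and debugging proxies also use one), so treat the output as a review list for the responder, not a verdict.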


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 29 April 2012 - 07:59 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 02 May 2012 - 12:15 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 geraldlezebre (Topic Starter)

  • Members
  • 9 posts

Posted 03 May 2012 - 06:03 AM

I ran Security Check; the log is posted below. After that, I tried disabling AVG 2012, but couldn't stop all the processes, so I had to uninstall it. After that I tried running Combofix. After 2 hours, I left the computer alone only to come back with: Windows has recovered from an unexpected shutdown, with this info:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 4105

Additional information about the problem:
BCCode: a
BCP1: B7FBFAD8
BCP2: 00000002
BCP3: 00000000
BCP4: 82663722
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini050312-01.dmp
C:\Users\Philibert\AppData\Local\temp\WER-165938-0.sysdata.xml
C:\Users\Philibert\AppData\Local\temp\WER5762.tmp.version.txt


Here's the log:


Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2012
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 10.0.32.18 Flash Player out of Date!
Adobe Reader X (10.1.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


So what to do now?

#5 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 03 May 2012 - 06:37 AM

Hello

Ok, let's try this: I want you to run Combofix in safe mode, but it is very important that when Combofix reboots the computer you direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After Combofix has finished its scan, please post the report back here.

Gringo

#6 geraldlezebre (Topic Starter)

  • Members
  • 9 posts

Posted 03 May 2012 - 05:14 PM

Hello

Ran Combofix twice for at least half an hour; nothing happened. Booting in safe mode couldn't log me into my user account. I had to access my files through the folders in the computer and run Combofix as administrator. Also, when I boot, it says the recycle bin is corrupted. I'm running Combofix again for a third time, hoping it will do something different. What's the next move?? I'm gonna post the log if it works...

Thanks

#7 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 03 May 2012 - 10:37 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#8 geraldlezebre (Topic Starter)

  • Members
  • 9 posts

Posted 04 May 2012 - 10:13 AM

Here you go, it went nicely:

09:22:52.0826 1032 BTHPORT - ok
09:22:52.0857 1032 BthServ (a4c8377fa4a994e07075107dbe2e3dce) C:\Windows\System32\bthserv.dll
09:22:52.0857 1032 BthServ - ok
09:22:52.0888 1032 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
09:22:52.0888 1032 BTHUSB - ok
09:22:53.0169 1032 btwaudio (27798380a88ffedb4a99ea805fcfd20e) C:\Windows\system32\drivers\btwaudio.sys
09:22:53.0169 1032 btwaudio - ok
09:22:53.0216 1032 btwavdt (751cbe2edc33c58a6278e2ebbc7d964a) C:\Windows\system32\drivers\btwavdt.sys
09:22:53.0216 1032 btwavdt - ok
09:22:53.0231 1032 btwrchid (01ce69ab974bba289755ae8c87f4079c) C:\Windows\system32\DRIVERS\btwrchid.sys
09:22:53.0231 1032 btwrchid - ok
09:22:53.0341 1032 catchme - ok
09:22:53.0434 1032 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
09:22:53.0434 1032 cdfs - ok
09:22:53.0528 1032 cdrom (701890a9962d3a6bcaf479901f2d2a1c) C:\Windows\system32\DRIVERS\cdrom.sys
09:22:53.0528 1032 Suspicious file (Forged): C:\Windows\system32\DRIVERS\cdrom.sys. Real md5: 701890a9962d3a6bcaf479901f2d2a1c, Fake md5: 6b4bffb9becd728097024276430db314
09:22:53.0528 1032 cdrom ( Virus.Win32.ZAccess.c ) - infected
09:22:53.0528 1032 cdrom - detected Virus.Win32.ZAccess.c (0)
09:22:53.0590 1032 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
09:22:53.0606 1032 CertPropSvc - ok
09:22:53.0637 1032 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
09:22:53.0637 1032 circlass - ok
09:22:54.0370 1032 CLCapSvc (16356e5a3d7be77b2010be72c36e944c) C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
09:22:54.0386 1032 CLCapSvc - ok
09:22:54.0464 1032 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
09:22:54.0479 1032 CLFS - ok
09:22:54.0901 1032 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
09:22:54.0947 1032 clr_optimization_v2.0.50727_32 - ok
09:22:55.0384 1032 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
09:22:55.0493 1032 clr_optimization_v4.0.30319_32 - ok
09:22:55.0556 1032 CLSched (e97d797af6c2e64bfc22eeb7fa58bb63) C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
09:22:55.0571 1032 CLSched - ok
09:22:55.0618 1032 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
09:22:55.0618 1032 CmBatt - ok
09:22:55.0665 1032 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
09:22:55.0665 1032 cmdide - ok
09:22:55.0759 1032 CnxtHdAudService (a4d44ab8423791db757b38150ec599a4) C:\Windows\system32\drivers\CHDRT32.sys
09:22:55.0774 1032 CnxtHdAudService - ok
09:22:56.0024 1032 Com4Qlb (a5aaa656403e5e7afa9647ce73dbf944) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
09:22:56.0024 1032 Com4Qlb - ok
09:22:56.0102 1032 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
09:22:56.0117 1032 Compbatt - ok
09:22:56.0117 1032 COMSysApp - ok
09:22:56.0164 1032 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
09:22:56.0164 1032 crcdisk - ok
09:22:56.0195 1032 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
09:22:56.0195 1032 Crusoe - ok
09:22:56.0305 1032 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
09:22:56.0320 1032 CryptSvc - ok
09:22:56.0336 1032 cwafadminmonitor - ok
09:22:56.0336 1032 DC21x4 - ok
09:22:56.0851 1032 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
09:22:56.0882 1032 DcomLaunch - ok
09:22:56.0991 1032 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
09:22:56.0991 1032 DfsC - ok
09:22:59.0799 1032 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
09:22:59.0955 1032 DFSR - ok
09:23:01.0967 1032 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
09:23:01.0983 1032 Dhcp - ok
09:23:02.0186 1032 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
09:23:02.0201 1032 disk - ok
09:23:02.0233 1032 dlbx_device - ok
09:23:02.0233 1032 dns4meclient - ok
09:23:02.0389 1032 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
09:23:02.0389 1032 Dnscache - ok
09:23:02.0435 1032 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
09:23:02.0467 1032 dot3svc - ok
09:23:02.0529 1032 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
09:23:02.0545 1032 Dot4 - ok
09:23:02.0591 1032 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
09:23:02.0591 1032 Dot4Print - ok
09:23:02.0623 1032 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
09:23:02.0623 1032 dot4usb - ok
09:23:02.0685 1032 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
09:23:02.0701 1032 DPS - ok
09:23:02.0747 1032 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
09:23:02.0747 1032 drmkaud - ok
09:23:02.0747 1032 dtscsi - ok
09:23:03.0059 1032 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
09:23:03.0059 1032 DXGKrnl - ok
09:23:03.0200 1032 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\Windows\system32\DRIVERS\e100b325.sys
09:23:03.0200 1032 E100B - ok
09:23:03.0340 1032 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
09:23:03.0340 1032 E1G60 - ok
09:23:03.0371 1032 eabfiltr (e88b0cfcecf745211bba87f44f85d0dd) C:\Windows\system32\DRIVERS\eabfiltr.sys
09:23:03.0371 1032 eabfiltr - ok
09:23:03.0418 1032 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
09:23:03.0418 1032 EapHost - ok
09:23:03.0527 1032 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
09:23:03.0543 1032 Ecache - ok
09:23:03.0730 1032 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
09:23:03.0746 1032 ehRecvr - ok
09:23:03.0793 1032 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
09:23:03.0793 1032 ehSched - ok
09:23:03.0808 1032 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
09:23:03.0808 1032 ehstart - ok
09:23:03.0886 1032 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
09:23:03.0886 1032 elxstor - ok
09:23:04.0261 1032 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
09:23:04.0292 1032 EMDMgmt - ok
09:23:04.0619 1032 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
09:23:04.0635 1032 EventSystem - ok
09:23:04.0697 1032 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
09:23:04.0697 1032 exfat - ok
09:23:04.0869 1032 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
09:23:04.0916 1032 fastfat - ok
09:23:04.0978 1032 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
09:23:04.0978 1032 fdc - ok
09:23:05.0025 1032 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
09:23:05.0025 1032 fdPHost - ok
09:23:05.0056 1032 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
09:23:05.0056 1032 FDResPub - ok
09:23:05.0181 1032 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
09:23:05.0181 1032 FileInfo - ok
09:23:05.0228 1032 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
09:23:05.0228 1032 Filetrace - ok
09:23:05.0243 1032 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
09:23:05.0243 1032 flpydisk - ok
09:23:05.0290 1032 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
09:23:05.0306 1032 FltMgr - ok
09:23:05.0462 1032 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
09:23:05.0493 1032 FontCache - ok
09:23:05.0633 1032 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
09:23:05.0633 1032 FontCache3.0.0.0 - ok
09:23:05.0680 1032 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys
09:23:05.0680 1032 Fs_Rec - ok
09:23:05.0789 1032 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
09:23:05.0805 1032 gagp30kx - ok
09:23:05.0914 1032 gdihook5 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\sisidex.dll
09:23:05.0930 1032 gdihook5 ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:05.0930 1032 gdihook5 - detected Backdoor.Multi.ZAccess.gen (0)
09:23:06.0008 1032 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
09:23:06.0008 1032 GEARAspiWDM - ok
09:23:06.0008 1032 gmer - ok
09:23:06.0476 1032 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
09:23:06.0507 1032 gpsvc - ok
09:23:06.0647 1032 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
09:23:06.0647 1032 gupdate - ok
09:23:06.0647 1032 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
09:23:06.0663 1032 gupdatem - ok
09:23:06.0694 1032 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
09:23:06.0725 1032 HBtnKey - ok
09:23:06.0881 1032 HdAudAddService (3aeee05bb25b8cc72b6e9aec0e6f394b) C:\Windows\system32\drivers\CHDART.sys
09:23:06.0928 1032 HdAudAddService - ok
09:23:07.0209 1032 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
09:23:07.0225 1032 HDAudBus - ok
09:23:07.0271 1032 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
09:23:07.0271 1032 HidBth - ok
09:23:07.0287 1032 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
09:23:07.0303 1032 HidIr - ok
09:23:07.0318 1032 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
09:23:07.0334 1032 hidserv - ok
09:23:07.0396 1032 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
09:23:07.0412 1032 HidUsb - ok
09:23:07.0443 1032 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
09:23:07.0459 1032 hkmsvc - ok
09:23:07.0615 1032 HP Health Check Service (89f9e1984c1cd9e5f4fe39642d886e11) c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
09:23:07.0615 1032 HP Health Check Service - ok
09:23:07.0661 1032 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
09:23:07.0661 1032 HpCISSs - ok
09:23:08.0145 1032 hpqcxs08 (e4e285a3766b4a57401feeaf66cb07b5) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll
09:23:08.0207 1032 hpqcxs08 - ok
09:23:08.0254 1032 hpqddsvc (ee4c7a4cf2316701ffde90f404520265) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll
09:23:08.0270 1032 hpqddsvc - ok
09:23:08.0457 1032 hpqwmiex (04c1dcbb226c6ae647b794833ce3ceb6) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
09:23:08.0473 1032 hpqwmiex - ok
09:23:08.0644 1032 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
09:23:08.0644 1032 HSFHWAZL - ok
09:23:09.0845 1032 HSF_DPV (0d7a055a840c3099c37d576573a42cd5) C:\Windows\system32\DRIVERS\HSX_DPV.sys
09:23:09.0892 1032 HSF_DPV - ok
09:23:10.0017 1032 HSXHWAZL (bcc074692882c056b0e1ac97f3331a02) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
09:23:10.0235 1032 HSXHWAZL - ok
09:23:10.0438 1032 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
09:23:10.0469 1032 HTTP - ok
09:23:10.0501 1032 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
09:23:10.0516 1032 i2omp - ok
09:23:10.0579 1032 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
09:23:10.0579 1032 i8042prt - ok
09:23:11.0873 1032 ialm (dbb0588936e43c5f16b643f90f53c06d) C:\Windows\system32\DRIVERS\igdkmd32.sys
09:23:11.0936 1032 ialm - ok
09:23:13.0839 1032 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
09:23:13.0886 1032 iaStorV - ok
09:23:13.0901 1032 ibmasrex - ok
09:23:13.0901 1032 id2scaps - ok
09:23:14.0182 1032 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
09:23:14.0354 1032 IDriverT - ok
09:23:15.0914 1032 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
09:23:16.0023 1032 idsvc - ok
09:23:19.0330 1032 igfx (dbb0588936e43c5f16b643f90f53c06d) C:\Windows\system32\DRIVERS\igdkmd32.sys
09:23:19.0330 1032 igfx - ok
09:23:21.0592 1032 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
09:23:21.0608 1032 iirsp - ok
09:23:22.0388 1032 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
09:23:22.0622 1032 IKEEXT - ok
09:23:22.0840 1032 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
09:23:22.0840 1032 intelide - ok
09:23:22.0903 1032 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
09:23:22.0903 1032 intelppm - ok
09:23:23.0605 1032 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
09:23:23.0651 1032 IPBusEnum - ok
09:23:23.0979 1032 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
09:23:23.0979 1032 IpFilterDriver - ok
09:23:24.0291 1032 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll
09:23:24.0291 1032 iphlpsvc - ok
09:23:24.0307 1032 IpInIp - ok
09:23:24.0525 1032 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
09:23:24.0525 1032 IPMIDRV - ok
09:23:24.0790 1032 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
09:23:24.0790 1032 IPNAT - ok
09:23:26.0771 1032 iPod Service (3a6d4d8abacf64292d060c9e06d2050d) C:\Program Files\iPod\bin\iPodService.exe
09:23:26.0959 1032 iPod Service - ok
09:23:26.0959 1032 ipsec - ok
09:23:27.0177 1032 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
09:23:27.0177 1032 IRENUM - ok
09:23:27.0239 1032 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
09:23:27.0239 1032 isapnp - ok
09:23:27.0785 1032 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
09:23:27.0785 1032 iScsiPrt - ok
09:23:27.0926 1032 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
09:23:27.0926 1032 iteatapi - ok
09:23:27.0957 1032 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
09:23:27.0973 1032 iteraid - ok
09:23:27.0988 1032 jtagserver - ok
09:23:27.0988 1032 k750mdm - ok
09:23:28.0441 1032 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
09:23:28.0456 1032 kbdclass - ok
09:23:28.0721 1032 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
09:23:28.0721 1032 kbdhid - ok
09:23:28.0753 1032 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
09:23:28.0753 1032 KeyIso - ok
09:23:29.0096 1032 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
09:23:29.0143 1032 KSecDD - ok
09:23:29.0673 1032 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
09:23:29.0798 1032 KtmRm - ok
09:23:29.0860 1032 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
09:23:29.0860 1032 LanmanServer - ok
09:23:29.0907 1032 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
09:23:29.0907 1032 LanmanWorkstation - ok
09:23:30.0063 1032 LightScribeService (559c9b7800fac92fc515cd0003d7c631) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
09:23:30.0063 1032 LightScribeService - ok
09:23:30.0469 1032 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
09:23:30.0484 1032 lltdio - ok
09:23:30.0656 1032 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
09:23:30.0671 1032 lltdsvc - ok
09:23:30.0765 1032 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
09:23:30.0765 1032 lmhosts - ok
09:23:30.0937 1032 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
09:23:30.0937 1032 LSI_FC - ok
09:23:30.0968 1032 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
09:23:30.0983 1032 LSI_SAS - ok
09:23:31.0015 1032 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
09:23:31.0015 1032 LSI_SCSI - ok
09:23:31.0093 1032 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
09:23:31.0093 1032 luafv - ok
09:23:31.0264 1032 mcdbus (af61a1c34e2d3f7543f9ccfc323170b8) C:\Windows\system32\DRIVERS\mcdbus.sys
09:23:31.0311 1032 mcdbus - ok
09:23:31.0639 1032 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2svc.dll
09:23:31.0654 1032 Mcx2Svc - ok
09:23:31.0826 1032 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
09:23:31.0826 1032 mdmxsdk - ok
09:23:31.0951 1032 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
09:23:31.0966 1032 megasas - ok
09:23:31.0966 1032 mfcom - ok
09:23:31.0982 1032 mfeapfk - ok
09:23:32.0075 1032 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
09:23:32.0075 1032 MMCSS - ok
09:23:32.0153 1032 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
09:23:32.0185 1032 Modem - ok
09:23:32.0309 1032 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
09:23:32.0325 1032 monitor - ok
09:23:32.0434 1032 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
09:23:32.0434 1032 mouclass - ok
09:23:32.0481 1032 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
09:23:32.0481 1032 mouhid - ok
09:23:32.0653 1032 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
09:23:32.0668 1032 MountMgr - ok
09:23:32.0855 1032 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
09:23:32.0855 1032 mpio - ok
09:23:32.0949 1032 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
09:23:32.0965 1032 mpsdrv - ok
09:23:32.0980 1032 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
09:23:32.0980 1032 Mraid35x - ok
09:23:33.0323 1032 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
09:23:33.0323 1032 MRxDAV - ok
09:23:33.0386 1032 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
09:23:33.0401 1032 mrxsmb - ok
09:23:33.0698 1032 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
09:23:33.0729 1032 mrxsmb10 - ok
09:23:33.0760 1032 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
09:23:33.0776 1032 mrxsmb20 - ok
09:23:33.0807 1032 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
09:23:33.0807 1032 msahci - ok
09:23:33.0901 1032 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
09:23:33.0901 1032 msdsm - ok
09:23:33.0994 1032 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
09:23:34.0072 1032 MSDTC - ok
09:23:34.0166 1032 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
09:23:34.0166 1032 Msfs - ok
09:23:34.0228 1032 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
09:23:34.0244 1032 msisadrv - ok
09:23:34.0665 1032 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
09:23:34.0665 1032 MSiSCSI - ok
09:23:34.0681 1032 msiserver - ok
09:23:34.0821 1032 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
09:23:34.0837 1032 MSKSSRV - ok
09:23:34.0868 1032 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
09:23:34.0868 1032 MSPCLOCK - ok
09:23:34.0899 1032 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
09:23:34.0899 1032 MSPQM - ok
09:23:35.0024 1032 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
09:23:35.0024 1032 MsRPC - ok
09:23:35.0071 1032 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
09:23:35.0071 1032 mssmbios - ok
09:23:35.0117 1032 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
09:23:35.0133 1032 MSTEE - ok
09:23:35.0164 1032 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
09:23:35.0164 1032 Mup - ok
09:23:35.0429 1032 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
09:23:35.0476 1032 napagent - ok
09:23:35.0539 1032 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
09:23:35.0539 1032 NativeWifiP - ok
09:23:35.0929 1032 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
09:23:36.0100 1032 NDIS - ok
09:23:36.0178 1032 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
09:23:36.0178 1032 NdisTapi - ok
09:23:36.0209 1032 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
09:23:36.0209 1032 Ndisuio - ok
09:23:36.0397 1032 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
09:23:36.0412 1032 NdisWan - ok
09:23:36.0443 1032 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
09:23:36.0443 1032 NDProxy - ok
09:23:36.0490 1032 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\Windows\system32\HPZinw12.dll
09:23:36.0506 1032 Net Driver HPZ12 - ok
09:23:36.0553 1032 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
09:23:36.0553 1032 NetBIOS - ok
09:23:36.0849 1032 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
09:23:36.0865 1032 netbt - ok
09:23:37.0036 1032 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
09:23:37.0052 1032 Netlogon - ok
09:23:37.0208 1032 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
09:23:37.0239 1032 Netman - ok
09:23:37.0442 1032 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
09:23:37.0457 1032 netprofm - ok
09:23:37.0645 1032 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
09:23:37.0645 1032 NetTcpPortSharing - ok
09:23:40.0234 1032 NETw3v32 (ea30bd026a7d1b745a37516880c4ac1b) C:\Windows\system32\DRIVERS\NETw3v32.sys
09:23:40.0312 1032 NETw3v32 - ok
09:23:43.0963 1032 NETw4v32 (38d720e0c8b0ecb9a019980265679798) C:\Windows\system32\DRIVERS\NETw4v32.sys
09:23:44.0446 1032 NETw4v32 - ok
09:23:46.0162 1032 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
09:23:46.0178 1032 nfrd960 - ok
09:23:46.0349 1032 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
09:23:46.0396 1032 NlaSvc - ok
09:23:46.0412 1032 nmindexingservice - ok
09:23:46.0412 1032 nmsaccess - ok
09:23:46.0459 1032 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
09:23:46.0459 1032 Npfs - ok
09:23:46.0552 1032 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
09:23:46.0568 1032 nsi - ok
09:23:46.0599 1032 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
09:23:46.0599 1032 nsiproxy - ok
09:23:46.0615 1032 NSNDIS5 - ok
09:23:47.0426 1032 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
09:23:47.0504 1032 Ntfs - ok
09:23:47.0551 1032 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
09:23:47.0551 1032 ntrigdigi - ok
09:23:47.0629 1032 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
09:23:47.0722 1032 Null - ok
09:23:47.0722 1032 nv - ok
09:23:47.0738 1032 NvNdis - ok
09:23:47.0909 1032 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
09:23:47.0909 1032 nvraid - ok
09:23:47.0909 1032 nvsmu - ok
09:23:47.0941 1032 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
09:23:47.0941 1032 nvstor - ok
09:23:47.0972 1032 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
09:23:47.0972 1032 nv_agp - ok
09:23:47.0987 1032 NwlnkFlt - ok
09:23:47.0987 1032 NwlnkFwd - ok
09:23:48.0331 1032 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
09:23:48.0455 1032 odserv - ok
09:23:48.0580 1032 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
09:23:48.0596 1032 ohci1394 - ok
09:23:48.0596 1032 oracleformsserver-forms60server-oraform - ok
09:23:48.0658 1032 oracleorahome92tnslistener (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\idisw2km.dll
09:23:48.0689 1032 oracleorahome92tnslistener ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:48.0689 1032 oracleorahome92tnslistener - detected Backdoor.Multi.ZAccess.gen (0)
09:23:48.0955 1032 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
09:23:48.0986 1032 ose - ok
09:23:49.0298 1032 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
09:23:49.0313 1032 p2pimsvc - ok
09:23:49.0329 1032 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
09:23:49.0329 1032 p2psvc - ok
09:23:49.0454 1032 p3 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\NWFILTER.dll
09:23:49.0469 1032 p3 ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:49.0469 1032 p3 - detected Backdoor.Multi.ZAccess.gen (0)
09:23:49.0610 1032 pae_1394 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\procexp111.dll
09:23:49.0610 1032 pae_1394 ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:49.0610 1032 pae_1394 - detected Backdoor.Multi.ZAccess.gen (0)
09:23:49.0813 1032 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
09:23:49.0813 1032 Parport - ok
09:23:49.0859 1032 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
09:23:49.0906 1032 partmgr - ok
09:23:49.0937 1032 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
09:23:49.0953 1032 Parvdm - ok
09:23:50.0047 1032 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
09:23:50.0047 1032 PcaSvc - ok
09:23:50.0203 1032 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
09:23:50.0218 1032 pci - ok
09:23:50.0249 1032 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
09:23:50.0249 1032 pciide - ok
09:23:50.0249 1032 pclepci - ok
09:23:50.0390 1032 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
09:23:50.0390 1032 pcmcia - ok
09:23:50.0390 1032 pcx1nd5 - ok
09:23:50.0842 1032 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
09:23:50.0889 1032 PEAUTH - ok
09:23:51.0638 1032 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
09:23:51.0997 1032 pla - ok
09:23:53.0089 1032 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
09:23:53.0151 1032 PlugPlay - ok
09:23:53.0447 1032 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\Windows\system32\HPZipm12.dll
09:23:53.0447 1032 Pml Driver HPZ12 - ok
09:23:53.0447 1032 PNDIS5 - ok
09:23:53.0744 1032 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
09:23:53.0744 1032 PNRPAutoReg - ok
09:23:53.0759 1032 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
09:23:53.0775 1032 PNRPsvc - ok
09:23:53.0947 1032 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
09:23:53.0962 1032 PolicyAgent - ok
09:23:54.0103 1032 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
09:23:54.0103 1032 PptpMiniport - ok
09:23:54.0165 1032 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
09:23:54.0165 1032 Processor - ok
09:23:54.0555 1032 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
09:23:54.0571 1032 ProfSvc - ok
09:23:54.0602 1032 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
09:23:54.0602 1032 ProtectedStorage - ok
09:23:54.0602 1032 proxyserverservice - ok
09:23:54.0727 1032 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
09:23:54.0727 1032 PSched - ok
09:23:54.0742 1032 pxfhmdfl - ok
09:23:55.0163 1032 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
09:23:55.0241 1032 ql2300 - ok
09:23:55.0288 1032 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
09:23:55.0288 1032 ql40xx - ok
09:23:55.0382 1032 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
09:23:55.0382 1032 QWAVE - ok
09:23:55.0475 1032 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
09:23:55.0475 1032 QWAVEdrv - ok
09:23:55.0553 1032 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
09:23:55.0553 1032 RasAcd - ok
09:23:55.0600 1032 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
09:23:55.0600 1032 RasAuto - ok
09:23:55.0631 1032 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
09:23:55.0647 1032 Rasl2tp - ok
09:23:55.0803 1032 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
09:23:55.0834 1032 RasMan - ok
09:23:55.0881 1032 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
09:23:55.0881 1032 RasPppoe - ok
09:23:55.0928 1032 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
09:23:55.0959 1032 RasSstp - ok
09:23:56.0037 1032 raysat3_4_6_18server (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\modemcsa.dll
09:23:56.0037 1032 raysat3_4_6_18server ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:56.0037 1032 raysat3_4_6_18server - detected Backdoor.Multi.ZAccess.gen (0)
09:23:56.0302 1032 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
09:23:56.0318 1032 rdbss - ok
09:23:56.0349 1032 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
09:23:56.0349 1032 RDPCDD - ok
09:23:56.0552 1032 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
09:23:56.0567 1032 rdpdr - ok
09:23:56.0567 1032 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
09:23:56.0567 1032 RDPENCDD - ok
09:23:56.0848 1032 RDPWD (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
09:23:56.0911 1032 RDPWD - ok
09:23:56.0957 1032 regmanserv (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\PID_PEPI.dll
09:23:56.0957 1032 regmanserv ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:56.0957 1032 regmanserv - detected Backdoor.Multi.ZAccess.gen (0)
09:23:57.0004 1032 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
09:23:57.0004 1032 RemoteAccess - ok
09:23:57.0051 1032 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
09:23:57.0067 1032 RemoteRegistry - ok
09:23:57.0285 1032 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
09:23:57.0301 1032 RFCOMM - ok
09:23:57.0363 1032 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
09:23:57.0363 1032 rimmptsk - ok
09:23:57.0472 1032 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
09:23:57.0503 1032 rimsptsk - ok
09:23:57.0566 1032 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
09:23:57.0581 1032 RimUsb - ok
09:23:57.0628 1032 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
09:23:57.0628 1032 RimVSerPort - ok
09:23:57.0675 1032 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
09:23:57.0675 1032 rismxdp - ok
09:23:57.0753 1032 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
09:23:57.0753 1032 ROOTMODEM - ok
09:23:57.0940 1032 RoxLiveShare9 - ok
09:23:58.0003 1032 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
09:23:58.0018 1032 RpcLocator - ok
09:23:58.0330 1032 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
09:23:58.0330 1032 RpcSs - ok
09:23:58.0439 1032 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
09:23:58.0439 1032 rspndr - ok
09:23:58.0455 1032 RushTopDevice - ok
09:23:58.0611 1032 s24eventmonitor (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\usnjsvc.dll
09:23:58.0611 1032 s24eventmonitor ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:58.0611 1032 s24eventmonitor - detected Backdoor.Multi.ZAccess.gen (0)
09:23:58.0751 1032 s3psddr (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\c-dillacdac11ba.dll
09:23:58.0751 1032 s3psddr ( Backdoor.Multi.ZAccess.gen ) - infected
09:23:58.0751 1032 s3psddr - detected Backdoor.Multi.ZAccess.gen (0)
09:23:58.0767 1032 s616mdm - ok
09:23:58.0798 1032 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
09:23:58.0798 1032 SamSs - ok
09:23:58.0907 1032 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
09:23:58.0923 1032 sbp2port - ok
09:23:59.0017 1032 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
09:23:59.0017 1032 SCardSvr - ok
09:23:59.0297 1032 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
09:23:59.0329 1032 Schedule - ok
09:23:59.0469 1032 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
09:23:59.0469 1032 SCPolicySvc - ok
09:23:59.0516 1032 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
09:23:59.0516 1032 sdbus - ok
09:23:59.0578 1032 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
09:23:59.0578 1032 SDRSVC - ok
09:23:59.0578 1032 se45nd5 - ok
09:23:59.0594 1032 se58mdfl - ok
09:23:59.0641 1032 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
09:23:59.0641 1032 secdrv - ok
09:23:59.0687 1032 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
09:23:59.0703 1032 seclogon - ok
09:23:59.0719 1032 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
09:23:59.0719 1032 SENS - ok
09:23:59.0765 1032 SeratoUsb - ok
09:23:59.0859 1032 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
09:23:59.0875 1032 Serenum - ok
09:24:00.0124 1032 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
09:24:00.0140 1032 Serial - ok
09:24:00.0187 1032 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
09:24:00.0202 1032 sermouse - ok
09:24:00.0405 1032 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
09:24:00.0421 1032 SessionEnv - ok
09:24:00.0514 1032 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
09:24:00.0514 1032 sffdisk - ok
09:24:00.0592 1032 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
09:24:00.0608 1032 sffp_mmc - ok
09:24:00.0655 1032 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
09:24:00.0670 1032 sffp_sd - ok
09:24:00.0748 1032 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
09:24:00.0764 1032 sfloppy - ok
09:24:01.0185 1032 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
09:24:01.0279 1032 SharedAccess - ok
09:24:01.0669 1032 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
09:24:01.0715 1032 ShellHWDetection - ok
09:24:01.0715 1032 shuttleengine - ok
09:24:01.0731 1032 Si3132r5 - ok
09:24:01.0731 1032 sigfilt - ok
09:24:01.0840 1032 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
09:24:01.0840 1032 sisagp - ok
09:24:01.0934 1032 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
09:24:01.0965 1032 SiSRaid2 - ok
09:24:02.0152 1032 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
09:24:02.0168 1032 SiSRaid4 - ok
09:24:10.0280 1032 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
09:24:10.0405 1032 slsvc - ok
09:24:10.0857 1032 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
09:24:10.0857 1032 SLUINotify - ok
09:24:11.0122 1032 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
09:24:11.0138 1032 Smb - ok
09:24:11.0216 1032 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
09:24:11.0216 1032 SNMPTRAP - ok
09:24:11.0887 1032 SNP2UVC (279c771ed7d5d6132d7fe08efc781fa4) C:\Windows\system32\DRIVERS\snp2uvc.sys
09:24:11.0965 1032 SNP2UVC - ok
09:24:12.0979 1032 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
09:24:12.0994 1032 spldr - ok
09:24:13.0041 1032 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
09:24:13.0103 1032 Spooler - ok
09:24:13.0556 1032 sptd (71e276f6d189413266ea22171806597b) C:\Windows\system32\Drivers\sptd.sys
09:24:13.0556 1032 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
09:24:13.0556 1032 sptd ( LockedFile.Multi.Generic ) - warning
09:24:13.0556 1032 sptd - detected LockedFile.Multi.Generic (1)
09:24:13.0977 1032 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
09:24:14.0008 1032 srv - ok
09:24:14.0383 1032 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
09:24:14.0414 1032 srv2 - ok
09:24:14.0476 1032 srvdpi (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\nsysaudm.dll
09:24:14.0492 1032 srvdpi ( Backdoor.Multi.ZAccess.gen ) - infected
09:24:14.0492 1032 srvdpi - detected Backdoor.Multi.ZAccess.gen (0)
09:24:14.0554 1032 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
09:24:14.0554 1032 srvnet - ok
09:24:14.0804 1032 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
09:24:14.0944 1032 SSDPSRV - ok
09:24:15.0350 1032 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
09:24:15.0381 1032 SstpSvc - ok
09:24:15.0428 1032 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
09:24:15.0428 1032 StillCam - ok
09:24:15.0755 1032 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
09:24:15.0787 1032 stisvc - ok
09:24:15.0818 1032 stllssvr - ok
09:24:15.0896 1032 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
09:24:15.0896 1032 swenum - ok
09:24:16.0379 1032 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
09:24:16.0473 1032 SwitchBoard - ok
09:24:16.0613 1032 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
09:24:16.0629 1032 swprv - ok
09:24:16.0738 1032 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
09:24:16.0738 1032 Symc8xx - ok
09:24:16.0738 1032 SymIM - ok
09:24:16.0769 1032 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
09:24:16.0769 1032 Sym_hi - ok
09:24:16.0785 1032 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
09:24:16.0785 1032 Sym_u3 - ok
09:24:16.0863 1032 SynTP (f5d926807bd9bc0af68f9376144de425) C:\Windows\system32\DRIVERS\SynTP.sys
09:24:16.0879 1032 SynTP - ok
09:24:17.0003 1032 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
09:24:17.0019 1032 SysMain - ok
09:24:17.0050 1032 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
09:24:17.0066 1032 TabletInputService - ok
09:24:17.0113 1032 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\Windows\system32\DRIVERS\taphss.sys
09:24:17.0113 1032 taphss - ok
09:24:17.0222 1032 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
09:24:17.0237 1032 TapiSrv - ok
09:24:17.0300 1032 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\Windows\system32\DRIVERS\tapvpn.sys
09:24:17.0300 1032 tapvpn - ok
09:24:17.0409 1032 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
09:24:17.0425 1032 TBS - ok
09:24:17.0815 1032 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
09:24:17.0893 1032 Tcpip - ok
09:24:17.0908 1032 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
09:24:17.0924 1032 Tcpip6 - ok
09:24:18.0033 1032 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
09:24:18.0033 1032 tcpipreg - ok
09:24:18.0064 1032 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
09:24:18.0080 1032 TDPIPE - ok
09:24:18.0111 1032 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
09:24:18.0111 1032 TDTCP - ok
09:24:18.0173 1032 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
09:24:18.0173 1032 tdx - ok
09:24:18.0329 1032 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
09:24:18.0329 1032 TermDD - ok
09:24:18.0485 1032 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
09:24:18.0563 1032 TermService - ok
09:24:18.0579 1032 tfsndrct - ok
09:24:18.0704 1032 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
09:24:18.0704 1032 Themes - ok
09:24:18.0829 1032 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
09:24:18.0829 1032 THREADORDER - ok
09:24:18.0829 1032 TMBUS - ok
09:24:18.0844 1032 TMKEmu - ok
09:24:18.0875 1032 tomcatcws3 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ATIBTCAP.dll
09:24:18.0875 1032 tomcatcws3 ( Backdoor.Multi.ZAccess.gen ) - infected
09:24:18.0875 1032 tomcatcws3 - detected Backdoor.Multi.ZAccess.gen (0)
09:24:18.0891 1032 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
09:24:18.0907 1032 TrkWks - ok
09:24:18.0985 1032 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
09:24:18.0985 1032 TrustedInstaller - ok
09:24:19.0031 1032 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
09:24:19.0031 1032 tssecsrv - ok
09:24:19.0078 1032 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
09:24:19.0078 1032 tunmp - ok
09:24:19.0125 1032 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
09:24:19.0125 1032 tunnel - ok
09:24:19.0172 1032 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
09:24:19.0172 1032 uagp35 - ok
09:24:19.0265 1032 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
09:24:19.0281 1032 udfs - ok
09:24:19.0312 1032 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
09:24:19.0328 1032 UI0Detect - ok
09:24:19.0328 1032 UIUSys - ok
09:24:19.0375 1032 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
09:24:19.0375 1032 uliagpkx - ok
09:24:19.0421 1032 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
09:24:19.0437 1032 uliahci - ok
09:24:19.0499 1032 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
09:24:19.0515 1032 UlSata - ok
09:24:19.0546 1032 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
09:24:19.0546 1032 ulsata2 - ok
09:24:19.0593 1032 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
09:24:19.0593 1032 umbus - ok
09:24:19.0718 1032 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
09:24:19.0718 1032 upnphost - ok
09:24:19.0811 1032 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
09:24:19.0811 1032 USBAAPL - ok
09:24:19.0967 1032 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
09:24:19.0967 1032 usbccgp - ok
09:24:20.0077 1032 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
09:24:20.0077 1032 usbcir - ok
09:24:20.0295 1032 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
09:24:20.0326 1032 usbehci - ok
09:24:20.0404 1032 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
09:24:20.0420 1032 usbhub - ok
09:24:20.0435 1032 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
09:24:20.0435 1032 usbohci - ok
09:24:20.0513 1032 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
09:24:20.0513 1032 usbprint - ok
09:24:20.0560 1032 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
09:24:20.0560 1032 usbscan - ok
09:24:20.0607 1032 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
09:24:20.0607 1032 USBSTOR - ok
09:24:20.0638 1032 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
09:24:20.0638 1032 usbuhci - ok
09:24:20.0888 1032 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
09:24:20.0935 1032 usbvideo - ok
09:24:20.0950 1032 UVCFTR - ok
09:24:20.0981 1032 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
09:24:20.0997 1032 UxSms - ok
09:24:20.0997 1032 VComm - ok
09:24:20.0997 1032 VcommMgr - ok
09:24:21.0481 1032 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
09:24:21.0527 1032 vds - ok
09:24:21.0574 1032 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
09:24:21.0574 1032 vga - ok
09:24:21.0621 1032 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
09:24:21.0637 1032 VgaSave - ok
09:24:21.0652 1032 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
09:24:21.0652 1032 viaagp - ok
09:24:21.0793 1032 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
09:24:21.0793 1032 ViaC7 - ok
09:24:21.0808 1032 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
09:24:21.0808 1032 viaide - ok
09:24:21.0824 1032 vmkbd - ok
09:24:21.0855 1032 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
09:24:21.0855 1032 volmgr - ok
09:24:21.0964 1032 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
09:24:21.0964 1032 volmgrx - ok
09:24:22.0027 1032 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
09:24:22.0027 1032 volsnap - ok
09:24:22.0042 1032 VRADFIL - ok
09:24:22.0105 1032 vsbus (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\epoxusdm.dll
09:24:22.0120 1032 vsbus ( Backdoor.Multi.ZAccess.gen ) - infected
09:24:22.0120 1032 vsbus - detected Backdoor.Multi.ZAccess.gen (0)
09:24:22.0214 1032 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
09:24:22.0229 1032 vsmraid - ok
09:24:23.0415 1032 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
09:24:23.0477 1032 VSS - ok
09:24:25.0209 1032 vvdsvc (9e8c7a7b8a98e4f6ccbbf9f88a1c111f) C:\Windows\system32\Nagasoft\vjocx.dll
09:24:25.0287 1032 vvdsvc - ok
09:24:26.0707 1032 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
09:24:26.0753 1032 W32Time - ok
09:24:26.0909 1032 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
09:24:26.0909 1032 WacomPen - ok
09:24:26.0956 1032 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
09:24:26.0972 1032 Wanarp - ok
09:24:26.0972 1032 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
09:24:26.0972 1032 Wanarpv6 - ok
09:24:26.0972 1032 WaveEnrollmentService - ok
09:24:27.0549 1032 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
09:24:27.0580 1032 wcncsvc - ok
09:24:27.0611 1032 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
09:24:27.0627 1032 WcsPlugInService - ok
09:24:27.0674 1032 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
09:24:27.0689 1032 Wd - ok
09:24:28.0126 1032 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
09:24:28.0173 1032 Wdf01000 - ok
09:24:28.0204 1032 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
09:24:28.0235 1032 WdiServiceHost - ok
09:24:28.0251 1032 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
09:24:28.0251 1032 WdiSystemHost - ok
09:24:28.0407 1032 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
09:24:28.0423 1032 WebClient - ok
09:24:28.0485 1032 websenseuserservice (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\iPassPeriodicUpdateService.dll
09:24:28.0516 1032 websenseuserservice ( Backdoor.Multi.ZAccess.gen ) - infected
09:24:28.0516 1032 websenseuserservice - detected Backdoor.Multi.ZAccess.gen (0)
09:24:28.0797 1032 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
09:24:28.0844 1032 Wecsvc - ok
09:24:29.0093 1032 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
09:24:29.0109 1032 wercplsupport - ok
09:24:29.0203 1032 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
09:24:29.0234 1032 WerSvc - ok
09:24:29.0920 1032 winachsf (3b4522d0e750bac8fe7ae61622a57014) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
09:24:29.0983 1032 winachsf - ok
09:24:30.0809 1032 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
09:24:30.0872 1032 WinDefend - ok
09:24:30.0887 1032 WinHttpAutoProxySvc - ok
09:24:31.0808 1032 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
09:24:31.0823 1032 Winmgmt - ok
09:24:33.0212 1032 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
09:24:33.0290 1032 WinRM - ok
09:24:33.0586 1032 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
09:24:33.0617 1032 Wlansvc - ok
09:24:33.0633 1032 wltwo51b - ok
09:24:33.0805 1032 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
09:24:33.0805 1032 WmiAcpi - ok
09:24:34.0304 1032 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
09:24:34.0366 1032 wmiApSrv - ok
09:24:34.0366 1032 WMIService - ok
09:24:35.0287 1032 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
09:24:35.0349 1032 WMPNetworkSvc - ok
09:24:35.0505 1032 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
09:24:35.0521 1032 WPCSvc - ok
09:24:35.0567 1032 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
09:24:35.0567 1032 WPDBusEnum - ok
09:24:35.0848 1032 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
09:24:35.0848 1032 WpdUsb - ok
09:24:36.0925 1032 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
09:24:36.0971 1032 WPFFontCache_v0400 - ok
09:24:37.0018 1032 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
09:24:37.0018 1032 ws2ifsl - ok
09:24:37.0268 1032 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
09:24:37.0268 1032 wscsvc - ok
09:24:37.0283 1032 WSearch - ok
09:24:38.0890 1032 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
09:24:38.0968 1032 wuauserv - ok
09:24:39.0748 1032 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
09:24:39.0764 1032 WUDFRd - ok
09:24:39.0811 1032 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
09:24:39.0811 1032 wudfsvc - ok
09:24:39.0857 1032 XAudio (88af537264f2b818da15479ceeaf5d7c) C:\Windows\system32\DRIVERS\xaudio.sys
09:24:39.0873 1032 XAudio - ok
09:24:39.0951 1032 XAudioService (15a317674a08df26be65164d959e9203) C:\Windows\system32\DRIVERS\xaudio.exe
09:24:39.0967 1032 XAudioService - ok
09:24:39.0967 1032 zebrmdm - ok
09:24:40.0029 1032 MBR (0x1B8) (1a1a06f62e891045814007163c1c76c3) \Device\Harddisk0\DR0
09:24:40.0123 1032 \Device\Harddisk0\DR0 - ok
09:24:40.0138 1032 Boot (0x1200) (cd03a0587904dcfb3d804d5f70a7d038) \Device\Harddisk0\DR0\Partition0
09:24:40.0138 1032 \Device\Harddisk0\DR0\Partition0 - ok
09:24:40.0154 1032 Boot (0x1200) (8ce5909b4f1ae0c29c5122b86f917681) \Device\Harddisk0\DR0\Partition1
09:24:40.0169 1032 \Device\Harddisk0\DR0\Partition1 - ok
09:24:40.0169 1032 ============================================================
09:24:40.0169 1032 Scan finished
09:24:40.0169 1032 ============================================================
09:24:40.0185 1540 Detected object count: 14
09:24:40.0185 1540 Actual detected object count: 14
09:24:59.0498 1540 C:\Windows\system32\DRIVERS\cdrom.sys - copied to quarantine
09:24:59.0498 1540 C:\Windows\$NtUninstallKB62280$\485945278\@ - copied to quarantine
09:24:59.0498 1540 C:\Windows\$NtUninstallKB62280$\485945278\cfg.ini - copied to quarantine
09:24:59.0498 1540 C:\Windows\$NtUninstallKB62280$\485945278\Desktop.ini - copied to quarantine
09:24:59.0513 1540 C:\Windows\$NtUninstallKB62280$\485945278\L\qnbwvoto - copied to quarantine
09:24:59.0810 1540 Backup copy found, using it..
09:24:59.0825 1540 C:\Windows\system32\DRIVERS\cdrom.sys - will be cured on reboot
09:25:14.0458 1540 C:\Windows\$NtUninstallKB62280$\485945278\@ - will be deleted on reboot
09:25:14.0458 1540 C:\Windows\$NtUninstallKB62280$\485945278\cfg.ini - will be deleted on reboot
09:25:14.0458 1540 C:\Windows\$NtUninstallKB62280$\485945278\Desktop.ini - will be deleted on reboot
09:25:14.0458 1540 C:\Windows\$NtUninstallKB62280$\548981368 - will be deleted on reboot
09:25:14.0458 1540 cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
09:25:14.0521 1540 C:\Windows\system32\sisidex.dll - copied to quarantine
09:25:14.0536 1540 HKLM\SYSTEM\ControlSet001\services\gdihook5 - will be deleted on reboot
09:25:14.0567 1540 HKLM\SYSTEM\ControlSet003\services\gdihook5 - will be deleted on reboot
09:25:14.0583 1540 C:\Windows\system32\sisidex.dll - will be deleted on reboot
09:25:14.0583 1540 gdihook5 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:14.0661 1540 C:\Windows\system32\idisw2km.dll - copied to quarantine
09:25:14.0661 1540 HKLM\SYSTEM\ControlSet001\services\oracleorahome92tnslistener - will be deleted on reboot
09:25:14.0661 1540 HKLM\SYSTEM\ControlSet003\services\oracleorahome92tnslistener - will be deleted on reboot
09:25:14.0661 1540 C:\Windows\system32\idisw2km.dll - will be deleted on reboot
09:25:14.0661 1540 oracleorahome92tnslistener ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:14.0801 1540 C:\Windows\system32\NWFILTER.dll - copied to quarantine
09:25:14.0801 1540 HKLM\SYSTEM\ControlSet001\services\p3 - will be deleted on reboot
09:25:14.0801 1540 HKLM\SYSTEM\ControlSet003\services\p3 - will be deleted on reboot
09:25:14.0801 1540 C:\Windows\system32\NWFILTER.dll - will be deleted on reboot
09:25:14.0801 1540 p3 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:14.0911 1540 C:\Windows\system32\procexp111.dll - copied to quarantine
09:25:14.0911 1540 HKLM\SYSTEM\ControlSet001\services\pae_1394 - will be deleted on reboot
09:25:14.0911 1540 HKLM\SYSTEM\ControlSet003\services\pae_1394 - will be deleted on reboot
09:25:14.0926 1540 C:\Windows\system32\procexp111.dll - will be deleted on reboot
09:25:14.0926 1540 pae_1394 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0004 1540 C:\Windows\system32\modemcsa.dll - copied to quarantine
09:25:15.0004 1540 HKLM\SYSTEM\ControlSet001\services\raysat3_4_6_18server - will be deleted on reboot
09:25:15.0004 1540 HKLM\SYSTEM\ControlSet003\services\raysat3_4_6_18server - will be deleted on reboot
09:25:15.0020 1540 C:\Windows\system32\modemcsa.dll - will be deleted on reboot
09:25:15.0020 1540 raysat3_4_6_18server ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0082 1540 C:\Windows\system32\PID_PEPI.dll - copied to quarantine
09:25:15.0082 1540 HKLM\SYSTEM\ControlSet001\services\regmanserv - will be deleted on reboot
09:25:15.0082 1540 HKLM\SYSTEM\ControlSet003\services\regmanserv - will be deleted on reboot
09:25:15.0082 1540 C:\Windows\system32\PID_PEPI.dll - will be deleted on reboot
09:25:15.0082 1540 regmanserv ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0129 1540 C:\Windows\system32\usnjsvc.dll - copied to quarantine
09:25:15.0129 1540 HKLM\SYSTEM\ControlSet001\services\s24eventmonitor - will be deleted on reboot
09:25:15.0129 1540 HKLM\SYSTEM\ControlSet003\services\s24eventmonitor - will be deleted on reboot
09:25:15.0129 1540 C:\Windows\system32\usnjsvc.dll - will be deleted on reboot
09:25:15.0129 1540 s24eventmonitor ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0191 1540 C:\Windows\system32\c-dillacdac11ba.dll - copied to quarantine
09:25:15.0191 1540 HKLM\SYSTEM\ControlSet001\services\s3psddr - will be deleted on reboot
09:25:15.0191 1540 HKLM\SYSTEM\ControlSet003\services\s3psddr - will be deleted on reboot
09:25:15.0207 1540 C:\Windows\system32\c-dillacdac11ba.dll - will be deleted on reboot
09:25:15.0207 1540 s3psddr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0207 1540 sptd ( LockedFile.Multi.Generic ) - skipped by user
09:25:15.0207 1540 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
09:25:15.0301 1540 C:\Windows\system32\nsysaudm.dll - copied to quarantine
09:25:15.0301 1540 HKLM\SYSTEM\ControlSet001\services\srvdpi - will be deleted on reboot
09:25:15.0301 1540 HKLM\SYSTEM\ControlSet003\services\srvdpi - will be deleted on reboot
09:25:15.0316 1540 C:\Windows\system32\nsysaudm.dll - will be deleted on reboot
09:25:15.0316 1540 srvdpi ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0379 1540 C:\Windows\system32\ATIBTCAP.dll - copied to quarantine
09:25:15.0394 1540 HKLM\SYSTEM\ControlSet001\services\tomcatcws3 - will be deleted on reboot
09:25:15.0394 1540 HKLM\SYSTEM\ControlSet003\services\tomcatcws3 - will be deleted on reboot
09:25:15.0394 1540 C:\Windows\system32\ATIBTCAP.dll - will be deleted on reboot
09:25:15.0394 1540 tomcatcws3 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0488 1540 C:\Windows\system32\epoxusdm.dll - copied to quarantine
09:25:15.0488 1540 HKLM\SYSTEM\ControlSet001\services\vsbus - will be deleted on reboot
09:25:15.0488 1540 HKLM\SYSTEM\ControlSet003\services\vsbus - will be deleted on reboot
09:25:15.0488 1540 C:\Windows\system32\epoxusdm.dll - will be deleted on reboot
09:25:15.0488 1540 vsbus ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:15.0581 1540 C:\Windows\system32\iPassPeriodicUpdateService.dll - copied to quarantine
09:25:15.0581 1540 HKLM\SYSTEM\ControlSet001\services\websenseuserservice - will be deleted on reboot
09:25:15.0581 1540 HKLM\SYSTEM\ControlSet003\services\websenseuserservice - will be deleted on reboot
09:25:15.0581 1540 C:\Windows\system32\iPassPeriodicUpdateService.dll - will be deleted on reboot
09:25:15.0581 1540 websenseuserservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
09:25:30.0542 3624 Deinitialize success

and...

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-04 09:29:18
-----------------------------
09:29:18.857 OS Version: Windows 6.0.6002 Service Pack 2
09:29:18.857 Number of processors: 2 586 0xE0C
09:29:18.857 ComputerName: PHILIBERT-PC UserName: Philibert
09:30:12.116 Initialize success
09:35:59.005 AVAST engine defs: 12050400
09:36:11.813 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
09:36:11.813 Disk 0 Vendor: TOSHIBA_MK2035GSS DK020C Size: 190782MB BusType: 3
09:36:11.891 Disk 0 MBR read successfully
09:36:11.906 Disk 0 MBR scan
09:36:11.906 Disk 0 unknown MBR code
09:36:11.906 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 183468 MB offset 63
09:36:11.938 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7310 MB offset 375744285
09:36:11.969 Disk 0 scanning sectors +390716865
09:36:12.078 Disk 0 scanning C:\Windows\system32\drivers
09:36:37.615 Service scanning
09:37:08.300 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
09:37:19.470 Modules scanning
09:37:40.702 Disk 0 trace - called modules:
09:37:41.248 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8487a1f8]<<
09:37:41.248 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x859a0ac8]
09:37:41.248 3 CLASSPNP.SYS[887ab8b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x852c0aa8]
09:37:41.263 \Driver\atapi[0x8527e960] -> IRP_MJ_CREATE -> 0x8487a1f8
09:37:43.603 AVAST engine scan C:\Windows
09:37:53.572 AVAST engine scan C:\Windows\system32
09:38:00.685 File: C:\Windows\system32\asctrm.dll **INFECTED** Win32:Sirefef-SM [Trj]
09:39:02.071 File: C:\Windows\system32\dlapoolm.dll **INFECTED** Win32:Sirefef-SM [Trj]
09:39:16.252 File: C:\Windows\system32\ELacpi.dll **INFECTED** Win32:Sirefef-SM [Trj]
09:40:13.925 File: C:\Windows\system32\LHidFilt.dll **INFECTED** Win32:Sirefef-SM [Trj]
09:42:21.704 File: C:\Windows\system32\smcirda.dll **INFECTED** Win32:Sirefef-SM [Trj]
09:45:21.760 AVAST engine scan C:\Windows\system32\drivers
09:45:51.197 AVAST engine scan C:\Users\Philibert
10:24:09.763 File: C:\Users\Philibert\AppData\Local\temp\awocnrsxem.exe **INFECTED** Win32:FakeAV-DEP [Trj]
10:27:10.130 File: C:\Users\Philibert\AppData\Local\temp\omgoli.dll **INFECTED** Win32:Medfos-B [Trj]
10:47:23.186 File: C:\Users\Philibert\Documents\Azureus Downloads\Power AMR MP3 WAV WMA M4A AC3 Audio Converter\Crack\audio.exe **INFECTED** Win32:Malware-gen
11:02:58.874 AVAST engine scan C:\ProgramData
11:10:26.407 Scan finished successfully
11:11:33.300 Disk 0 MBR has been saved successfully to "C:\Users\Philibert\Desktop\MBR.dat"
11:11:33.316 The log file has been saved successfully to "C:\Users\Philibert\Desktop\aswMBR.txt"

Thanks!

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 04 May 2012 - 01:11 PM

Try and run ComboFix once more, please.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 geraldlezebre (Topic Starter, Members, 9 posts)

Posted 04 May 2012 - 02:18 PM

It worked all the way this time. Computer runs well, but I'm not confident everything is gone. Here's the log:


ComboFix 12-05-04.03 - Philibert 04/05/2012 14:37:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1380 [GMT -4:00]
Running from: c:\users\Philibert\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\PHILIB~1\AppData\Local\Temp\bjatf.dll
c:\users\PHILIB~1\AppData\Local\Temp\omgoli.dll
c:\windows\$NtUninstallKB62280$
c:\windows\$NtUninstallKB62280$\485945278\L\qnbwvoto
c:\windows\system32\~GLH000c.TMP
c:\windows\system32\asctrm.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dlapoolm.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\ELacpi.dll
c:\windows\system32\LHidFilt.dll
c:\windows\system32\Nagasoft
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\FFVJPlayer.exe
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\Uninstall.exe
c:\windows\system32\Nagasoft\vjocx.dll
c:\windows\system32\SET70F.tmp
c:\windows\system32\SETB95C.tmp
c:\windows\system32\smcirda.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vvdsvc
-------\Service_vvdsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-04 to 2012-05-04 )))))))))))))))))))))))))))))))
.
.
2012-05-04 18:57 . 2012-05-04 19:03 -------- d-----w- c:\users\Philibert\AppData\Local\temp
2012-05-04 18:57 . 2012-05-04 18:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-04 18:57 . 2012-05-04 18:57 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-05-04 18:57 . 2012-05-04 18:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-04 13:24 . 2012-05-04 13:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-03 00:22 . 2012-05-03 00:22 -------- d-----w- c:\users\Philibert\AppData\Local\{1F6F5E6A-94B6-11E1-826D-B8AC6F996F26}
2012-04-28 19:10 . 2012-04-28 19:10 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-28 19:09 . 2012-04-28 19:10 -------- d-----w- c:\programdata\F4D55F32007726CB03AEAB7B570F1C8B
2012-04-12 07:14 . 2012-02-28 01:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-12 07:14 . 2012-02-28 01:58 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-04-12 07:14 . 2012-02-28 01:08 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-04-12 07:14 . 2012-02-28 01:18 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-04-12 07:14 . 2012-02-28 01:13 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-04-12 07:14 . 2012-02-28 01:11 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-12 07:13 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 07:13 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 07:12 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:12 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 04:55 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-11 00:07 . 2012-04-11 00:07 -------- d-----w- C:\PFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 13:26 . 2009-09-17 22:08 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-28 19:10 . 2011-06-03 23:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 15:11 . 2012-04-12 07:13 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-12 07:13 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-28 01:11 . 2012-04-12 07:14 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-15 12:08 . 2012-02-15 12:08 1288192 ----a-w- c:\windows\system32\VSFilter.dll
2012-02-14 15:45 . 2012-03-13 18:42 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-13 18:41 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 22:26 . 2012-02-13 22:26 3350528 ----a-w- c:\windows\system32\ffdshow.ax
2012-02-13 22:24 . 2012-02-13 22:24 4407808 ----a-w- c:\windows\system32\ffmpeg.dll
2012-02-13 14:12 . 2012-03-13 18:42 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-13 18:41 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-13 18:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-12 14:20 . 2012-02-12 14:20 461824 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-02-12 14:20 . 2012-02-12 14:20 562176 ----a-w- c:\windows\system32\LAVVideo.ax
2012-02-12 14:20 . 2012-02-12 14:20 215040 ----a-w- c:\windows\system32\LAVAudio.ax
2012-02-12 14:20 . 2012-02-12 14:20 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-02-12 12:33 . 2012-02-12 12:33 360729 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-02-12 12:33 . 2012-02-12 12:33 203818 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-02-12 12:33 . 2012-02-12 12:33 1143059 ----a-w- c:\windows\system32\avformat-lav-53.dll
2012-02-12 12:33 . 2012-02-12 12:33 6414616 ----a-w- c:\windows\system32\avcodec-lav-53.dll
2012-02-12 12:33 . 2012-02-12 12:33 138774 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-02-12 12:16 . 2012-02-12 12:16 147456 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-02-08 22:53 . 2012-02-08 22:53 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-08 22:52 . 2012-02-08 22:52 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2012-02-08 22:51 . 2012-02-08 22:51 99840 ----a-w- c:\windows\system32\ff_wmv9.dll
2012-02-08 22:51 . 2012-02-08 22:51 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2012-02-08 22:51 . 2012-02-08 22:51 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2012-02-08 22:51 . 2012-02-08 22:51 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2012-02-08 22:51 . 2012-02-08 22:51 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2012-02-08 22:51 . 2012-02-08 22:51 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2012-02-08 22:51 . 2012-02-08 22:51 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2012-02-08 22:51 . 2012-02-08 22:51 137728 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 253088]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
vvdsvc REG_MULTI_SZ vvdsvc
.
NETSVCS REQUIRES REPAIRS - current entries shown
AeLookupSvc
wercplsupport
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
avcgbfl
nmindexingservice
dtscsi
se58mdfl
CTEAPSFX.DLL
icraplus
klblmain
asmagent
elosystemservice
tones
snoopfree
tfsndrct
nv
dlbx_device
b57w2k
adsexpb
pcx1nd5
ipsec
pxfhmdfl
PNDIS5
DC21x4
agpcpq
VRADFIL
jtagserver
NvNdis
shuttleengine
gdihook5
gmer
oracleorahome92tnslistener
pae_1394
vsbus
SymIM
mfeapfk
aspi32
p3
WaveEnrollmentService
websenseuserservice
pclepci
regmanserv
s3psddr
s24eventmonitor
nmsaccess
id2scaps
advservice
proxyserverservice
tomcatcws3
atalk
mcdetect.exe
ALYac_PZSrv
s616mdm
se45nd5
srvdpi
vmkbd
UVCFTR
Si3132r5
oracleformsserver-forms60server-oraform
k750mdm
WMIService
aeaudio
dns4meclient
RushTopDevice
TMBUS
sigfilt
NSNDIS5
wltwo51b
zebrmdm
ibmasrex
nvsmu
TSHWMDTCP
sndsrvc
AtiPcie
DMUSBUSBDCam
mcods
lxbu_device
roammgr
SeratoUsb
cwafadminmonitor
TMKEmu
mfcom
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
winmgmt
schedule
SessionEnv
browser
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:10]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-23 21:58]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-23 21:58]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-640678997-1985323279-69921091-1000Core.job
- c:\users\Philibert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:47]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-640678997-1985323279-69921091-1000UA.job
- c:\users\Philibert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-22911990.sys
AddRemove-VexcastPlayer2.0 - c:\windows\system32\Nagasoft\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-04 15:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3044)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-05-04 15:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-04 19:12
ComboFix2.txt 2010-05-24 22:36
.
Pre-Run: 44,997,169,152 bytes free
Post-Run: 46,124,281,856 bytes free
.
- - End Of File - - 6F42C5B2845454C7D292796A21088282

thanks!

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 04 May 2012 - 04:07 PM

Greetings

I have attached a file to this post

I need you to download it and save it to the desktop

right click the file and select run as admin

when asked about merging into the registry ALLOW it

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\Windows\system32\asctrm.dll
C:\Windows\system32\dlapoolm.dll
C:\Windows\system32\ELacpi.dll
C:\Windows\system32\LHidFilt.dll
C:\Windows\system32\smcirda.dll
C:\Users\Philibert\AppData\Local\temp\awocnrsxem.exe
C:\Users\Philibert\AppData\Local\temp\omgoli.dll
C:\Users\Philibert\Documents\Azureus Downloads\Power AMR MP3 WAV WMA M4A AC3 Audio Converter\Crack\audio.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

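The two things the CFScript above acts on are worth recognising in any ComboFix report: the File:: list of the system32 DLLs aswMBR flagged as Win32:Sirefef-SM, and the DDS:: lines that remove a per-user proxy pointing at 127.0.0.1:5555 (the `u` prefix in DDS output denotes the current user's HKCU hive, `m` the machine's HKLM). A proxy on the loopback interface with an arbitrary high port, on a machine where omgoli.dll was detected as Win32:Medfos-B, is consistent with a browser-traffic hijack rather than a setting the user chose; a proxy pointing at a real corporate host is not something to strip. The Python below is an added example, not ComboFix's own code and not part of the helper's reply: it reviews excerpts copied from the two ComboFix reports above, flags the loopback proxy, the NETSVCS REQUIRES REPAIRS line and the Security Center DisableMonitoring value, and drafts a CFScript in the same layout as the one posted. The function names, and the corporate-proxy line used in the demo, are my own.

```python
"""Review a ComboFix report for leftover hijacks and draft the matching CFScript.

Added example for this thread; it is not ComboFix's own code and not something
the helper posted. The log excerpts are copied from the two ComboFix reports
above; the script layout follows the CFScript in the reply (ClearJavaCache::,
File::, DDS:: sections). It only reads text and builds text.
"""
import re

# 4 May ComboFix report, trimmed to the lines this review looks at (copied).
REPORT_BEFORE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
NETSVCS REQUIRES REPAIRS - current entries shown
AeLookupSvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
"""

# 5 May report, after the CFScript ran: the proxy lines are gone (copied).
REPORT_AFTER = r"""
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
"""

# DDS/ComboFix prefix "u" = current user's hive (HKCU), "m" = machine (HKLM).
PROXY_LINE = re.compile(r"^([um])Internet Settings,(ProxyServer|ProxyOverride) = (.+)$")
# A proxy on the loopback interface: "http=127.0.0.1:5555", "127.0.0.1:8080", ...
LOOPBACK = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
WSC_MONITORING = r"security center\monitoring"


def review(report: str) -> dict:
    """Collect the hijack indicators a reviewer would want to act on."""
    f = {"proxy_lines": [], "loopback_proxy_ports": [],
         "netsvcs_needs_repair": False, "wsc_monitoring_disabled": False}
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_LINE.match(line)
        if m:
            f["proxy_lines"].append(line)
            if m.group(2) == "ProxyServer":
                f["loopback_proxy_ports"] += [int(p) for p in LOOPBACK.findall(m.group(3))]
        elif line.startswith("NETSVCS REQUIRES REPAIRS"):
            # ComboFix found a non-default netsvcs value; in the report above the
            # list still names websenseuserservice, the service TDSSKiller
            # identified as ZeroAccess. ComboFix repairs the value itself.
            f["netsvcs_needs_repair"] = True
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif (line.lower() == '"disablemonitoring"=dword:00000001'
              and current_key.endswith(WSC_MONITORING)):
            # Often a leftover of an uninstalled suite (note the Symantec
            # subkeys), but also what malware sets to silence Security Center;
            # verify against what is actually installed before acting.
            f["wsc_monitoring_disabled"] = True
    return f


def build_cfscript(files_to_delete: list, f: dict, clear_java_cache: bool = True) -> str:
    """Draft a CFScript: delete the listed files, and drop the proxy settings
    only when they point at loopback. A corporate proxy must not be removed."""
    sections = []
    if clear_java_cache:
        sections.append("ClearJavaCache::\n")
    if files_to_delete:
        sections.append("File::\n" + "\n".join(files_to_delete) + "\n")
    if f["loopback_proxy_ports"]:
        sections.append("DDS::\n" + "\n".join(f["proxy_lines"]) + "\n")
    return "\n".join(sections)


if __name__ == "__main__":
    found = review(REPORT_BEFORE)
    print(found)
    print(build_cfscript([r"C:\Windows\system32\asctrm.dll"], found))
    # Constructed line for contrast: a proxy on a real host is left alone.
    print(build_cfscript([], review("uInternet Settings,ProxyServer = proxy.example.internal:8080")))
```

Running it on the 4 May excerpt yields the loopback port 5555 and the two proxy lines, and the drafted DDS:: section is exactly the one the helper posted; on the 5 May excerpt nothing is flagged, which is the check the OP was looking for when he said he was not confident everything was gone.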

#12 geraldlezebre (Topic Starter, Members, 9 posts)

Posted 05 May 2012 - 08:50 AM

Scan went fast; I had to restart because of the missing registries, but after that it went well.
Here it is:


ComboFix 12-05-05.05 - Philibert 05/05/2012 9:25.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1203 [GMT -4:00]
Running from: c:\users\Philibert\Desktop\ComboFix.exe
Command switches used :: c:\users\Philibert\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Philibert\AppData\Local\temp\awocnrsxem.exe"
"c:\users\Philibert\AppData\Local\temp\omgoli.dll"
"c:\users\Philibert\Documents\Azureus Downloads\Power AMR MP3 WAV WMA M4A AC3 Audio Converter\Crack\audio.exe"
"c:\windows\system32\asctrm.dll"
"c:\windows\system32\dlapoolm.dll"
"c:\windows\system32\ELacpi.dll"
"c:\windows\system32\LHidFilt.dll"
"c:\windows\system32\smcirda.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Philibert\Documents\Azureus Downloads\Power AMR MP3 WAV WMA M4A AC3 Audio Converter\Crack\audio.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2012-05-05 13:36 . 2012-05-05 13:36 -------- d-----w- c:\users\Philibert\AppData\Local\temp
2012-05-05 13:36 . 2012-05-05 13:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-05 13:36 . 2012-05-05 13:36 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-05-05 13:36 . 2012-05-05 13:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-04 13:24 . 2012-05-04 13:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-03 00:22 . 2012-05-03 00:22 -------- d-----w- c:\users\Philibert\AppData\Local\{1F6F5E6A-94B6-11E1-826D-B8AC6F996F26}
2012-04-28 19:10 . 2012-04-28 19:10 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-28 19:09 . 2012-04-28 19:10 -------- d-----w- c:\programdata\F4D55F32007726CB03AEAB7B570F1C8B
2012-04-12 07:13 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 07:13 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 07:13 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 07:13 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 07:12 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:12 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 04:55 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-11 00:07 . 2012-04-11 00:07 -------- d-----w- C:\PFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 13:26 . 2009-09-17 22:08 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-28 19:10 . 2011-06-03 23:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 12:08 . 2012-02-15 12:08 1288192 ----a-w- c:\windows\system32\VSFilter.dll
2012-02-14 15:45 . 2012-03-13 18:42 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-13 18:41 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 22:26 . 2012-02-13 22:26 3350528 ----a-w- c:\windows\system32\ffdshow.ax
2012-02-13 22:24 . 2012-02-13 22:24 4407808 ----a-w- c:\windows\system32\ffmpeg.dll
2012-02-13 14:12 . 2012-03-13 18:42 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-13 18:41 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-13 18:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-12 14:20 . 2012-02-12 14:20 461824 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-02-12 14:20 . 2012-02-12 14:20 562176 ----a-w- c:\windows\system32\LAVVideo.ax
2012-02-12 14:20 . 2012-02-12 14:20 215040 ----a-w- c:\windows\system32\LAVAudio.ax
2012-02-12 14:20 . 2012-02-12 14:20 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-02-12 12:33 . 2012-02-12 12:33 360729 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-02-12 12:33 . 2012-02-12 12:33 203818 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-02-12 12:33 . 2012-02-12 12:33 1143059 ----a-w- c:\windows\system32\avformat-lav-53.dll
2012-02-12 12:33 . 2012-02-12 12:33 6414616 ----a-w- c:\windows\system32\avcodec-lav-53.dll
2012-02-12 12:33 . 2012-02-12 12:33 138774 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-02-12 12:16 . 2012-02-12 12:16 147456 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-02-08 22:53 . 2012-02-08 22:53 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-08 22:52 . 2012-02-08 22:52 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2012-02-08 22:51 . 2012-02-08 22:51 99840 ----a-w- c:\windows\system32\ff_wmv9.dll
2012-02-08 22:51 . 2012-02-08 22:51 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2012-02-08 22:51 . 2012-02-08 22:51 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2012-02-08 22:51 . 2012-02-08 22:51 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2012-02-08 22:51 . 2012-02-08 22:51 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2012-02-08 22:51 . 2012-02-08 22:51 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2012-02-08 22:51 . 2012-02-08 22:51 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2012-02-08 22:51 . 2012-02-08 22:51 137728 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 253088]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:10]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-23 21:58]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-23 21:58]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-640678997-1985323279-69921091-1000Core.job
- c:\users\Philibert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:47]
.
2012-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-640678997-1985323279-69921091-1000UA.job
- c:\users\Philibert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 24.200.243.189 24.200.210.241 24.200.228.113
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-05 09:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-05 09:39:26
ComboFix-quarantined-files.txt 2012-05-05 13:39
ComboFix2.txt 2012-05-04 19:12
ComboFix3.txt 2010-05-24 22:36
.
Pre-Run: 46,043,561,984 bytes free
Post-Run: 46,005,661,696 bytes free
.
- - End Of File - - FC2C3C635ACA4985D231656EF1ED8FC5

It seems to be running well. I'm downloading avast free antivirus now and I'll post anything infected it tells me about.

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 05 May 2012 - 03:16 PM

I would like you to rerun aswMBR please


  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

#14 geraldlezebre (Topic Starter, Members, 9 posts)

Posted 05 May 2012 - 06:05 PM

Here it is:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-05 16:33:18
-----------------------------
16:33:18.709 OS Version: Windows 6.0.6002 Service Pack 2
16:33:18.709 Number of processors: 2 586 0xE0C
16:33:18.710 ComputerName: PHILIBERT-PC UserName: Philibert
16:33:20.670 Initialize success
16:33:21.621 AVAST engine defs: 12050500
16:33:27.149 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
16:33:27.152 Disk 0 Vendor: TOSHIBA_MK2035GSS DK020C Size: 190782MB BusType: 3
16:33:27.168 Disk 0 MBR read successfully
16:33:27.172 Disk 0 MBR scan
16:33:27.176 Disk 0 unknown MBR code
16:33:27.179 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 183468 MB offset 63
16:33:27.213 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7310 MB offset 375744285
16:33:27.261 Disk 0 scanning sectors +390716865
16:33:27.391 Disk 0 scanning C:\Windows\system32\drivers
16:33:52.541 Service scanning
16:34:26.377 Modules scanning
16:34:36.779 Disk 0 trace - called modules:
16:34:36.806 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
16:34:36.813 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85622968]
16:34:36.818 3 CLASSPNP.SYS[8839e8b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x8501b8a0]
16:34:38.265 AVAST engine scan C:\Windows
16:34:43.708 AVAST engine scan C:\Windows\system32
16:37:55.141 AVAST engine scan C:\Windows\system32\drivers
16:38:13.671 AVAST engine scan C:\Users\Philibert
17:44:26.429 AVAST engine scan C:\ProgramData
17:52:23.037 Scan finished successfully
19:04:08.789 Disk 0 MBR has been saved successfully to "C:\Users\Philibert\Desktop\MBR.dat"
19:04:08.796 The log file has been saved successfully to "C:\Users\Philibert\Desktop\aswMBR2.txt"
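The aswMBR log above reports "Disk 0 unknown MBR code" and lists the partition table. The following is an added example (not part of the thread or of aswMBR itself) that parses those log lines, converts the MB sizes and sector offsets into sector ranges, and flags the findings a responder would triage: unrecognised boot code, more or fewer than one active partition, overlapping partitions, or a partition that runs past the end of the disk. The sample log text is an excerpt constructed from the values in the post.

```python
import re

# Constructed excerpt: the values are copied from the aswMBR log posted in this thread.
SAMPLE_LOG = """\
16:33:27.152 Disk 0 Vendor: TOSHIBA_MK2035GSS DK020C Size: 190782MB BusType: 3
16:33:27.176 Disk 0 unknown MBR code
16:33:27.179 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 183468 MB offset 63
16:33:27.213 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7310 MB offset 375744285
"""

SECTORS_PER_MB = 1024 * 1024 // 512  # 2048 sectors of 512 bytes per MB
SIZE_RE = re.compile(r"Size: (\d+)MB")
# "Partition <n> <boot flag> [(A)] <type> <fs description> <size> MB offset <start sector>"
PART_RE = re.compile(
    r"Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) .*? (\d+) MB offset (\d+)")


def parse_aswmbr_log(text):
    """Return (disk_sectors, partitions, findings) from aswMBR log text."""
    disk_sectors, parts, findings = None, [], []
    for line in text.splitlines():
        if "unknown MBR code" in line:
            findings.append("unknown MBR code: compare the saved MBR.dat with a known-good copy")
        m = SIZE_RE.search(line)
        if m:
            disk_sectors = int(m.group(1)) * SECTORS_PER_MB
        m = PART_RE.search(line)
        if m:
            num, boot, ptype, size_mb, offset = m.groups()
            start = int(offset)
            parts.append({"num": int(num), "bootable": boot == "80", "type": ptype,
                          "start": start, "end": start + int(size_mb) * SECTORS_PER_MB})
    return disk_sectors, parts, findings


def check_partitions(disk_sectors, parts):
    """Sanity-check the partition table. aswMBR truncates sizes to whole MB, so the
    computed end sectors are lower bounds and cannot produce false overlap reports."""
    issues = []
    if sum(p["bootable"] for p in parts) != 1:
        issues.append("expected exactly one active (0x80) partition")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            issues.append(f"partition {a['num']} overlaps partition {b['num']}")
    for p in ordered:
        if disk_sectors is not None and p["end"] > disk_sectors:
            issues.append(f"partition {p['num']} extends past the end of the disk")
    return issues
```

For the posted log the layout itself checks out (two NTFS partitions, one active, no overlap, both inside the 190782 MB disk), so the only item left to triage is the unrecognised MBR code.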

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:26 PM

Posted 05 May 2012 - 08:27 PM

Hello

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Java™ 6 Update 26
  • Vuze


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

Malwarebytes' Anti-Malware

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




