
Happili Redirect and weird behavior


This topic is locked
18 replies to this topic

#1 Tcomny

  • Members
  • 9 posts

Posted 30 April 2012 - 09:59 AM

Hello,

I'm new to the site but have heard many great things about this community. Looked around to find this being a pretty common problem, and a lot of success in fixing it, so I'm hopeful we can fix mine as well :)

Like others, I started to get browser redirects for search results. Not proud to admit it, but I knew it was a problem then but just dismissed it as a minor nuisance. Lately the computer’s exhibiting more severe symptoms like slowness and certain programs no longer opening. I’ve run Spybot and MBAM on a number of occasions with little success.


Let me know what I need to run and what logs need to be posted to assist. Thank you in advance for the help!


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2012 - 10:40 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Tcomny
  • Topic Starter
  • Members
  • 9 posts

Posted 30 April 2012 - 11:02 AM

Thank you for your prompt response! Here are the requested logs:




Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java™ 6 Update 29
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (6.0.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by jwilde at 11:52:44 on 2012-04-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1852 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\LNDCTR59245140935448\AgentMon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Xobni\XobniService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jwilde\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: MRI_DISABLED - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [attcm.exe] c:\program files\at&t\at&t communication manager\attcm.exe
uRun: [Google Update] "c:\documents and settings\jwilde\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Apple Computer] RUNDLL32.EXE "c:\documents and settings\jwilde\local settings\application data\apple computer\rtkhydbq.dll",OsNmGetAliasPath
uRun: [Adobe] rundll32.exe "c:\documents and settings\jwilde\local settings\application data\apple\adobe\rjfiya.dll",DllRegisterServer
mRun: [KASHLNDCTR59245140935448] "c:\program files\kaseya\lndctr59245140935448\KaUsrTsk.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
dRun: [Adobe] rundll32.exe "c:\documents and settings\jwilde\local settings\application data\apple\adobe\rjfiya.dll",DllRegisterServer
StartupFolder: c:\docume~1\jwilde\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\OUTLOOK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: kaseyasp.dll
DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} - hxxps://ksnj01.landoctors.com/klc/resources/cab/LiveConnectX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268525777126
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268525830700
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://ksnj01.landoctors.com/inc/kaxRemote.dll
DPF: {B25AB9F1-B8A2-4072-8964-00C7EDF99750} - hxxps://xchange.maximus.com/COM/MOVEitUploadWizard7.0.0.ocx
DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} - hxxp://ksnj01.landoctors.com/inc/PluginManager/PluginManager.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.201.15 192.168.201.5
TCP: Interfaces\{5E37E233-0C03-4B64-A209-BB8D24D957E7} : DhcpNameServer = 192.168.201.15 192.168.201.5
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jwilde\application data\mozilla\firefox\profiles\5sm2lh5l.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\vmware\vmware vmrc plug-in\firefox\np-vmware-vmrc.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 KALNDCTR59245140935448;Kaseya Agent;c:\program files\kaseya\lndctr59245140935448\AgentMon.exe [2010-3-13 851968]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2011-4-24 214880]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-6-1 609904]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2011-5-18 62184]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-4-13 106104]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [2010-3-13 17920]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120429.009\NAVENG.SYS [2012-4-30 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120429.009\NAVEX15.SYS [2012-4-30 1576312]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-8-11 91496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 253600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\drivers\swiwdmbx.sys --> c:\windows\system32\drivers\swiwdmbx.sys [?]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-9-29 209536]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
.
=============== Created Last 30 ================
.
2012-04-26 18:22:45 221184 ----a-r- c:\windows\atprs.exe
2012-04-26 18:22:41 -------- d-----w- c:\program files\HP
2012-04-26 18:19:42 -------- d-sh--w- c:\windows\ftpcache
2012-04-23 21:09:20 -------- d-----w- c:\documents and settings\jwilde\application data\Bullzip
2012-04-23 21:07:29 200704 ----a-w- c:\windows\system32\bzpdf.dll
2012-04-23 21:07:24 -------- d-----w- c:\program files\Bullzip
2012-04-13 13:35:24 91968 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-04-13 13:34:56 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-13 13:34:56 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-13 13:34:30 -------- d-----w- c:\program files\Symantec
2012-04-09 15:36:22 -------- d-----w- c:\documents and settings\jwilde\application data\Blackberry Desktop
2012-04-09 15:28:21 -------- d-----w- c:\documents and settings\jwilde\local settings\application data\Research In Motion
2012-04-09 15:28:20 -------- d-----w- c:\documents and settings\jwilde\application data\Research In Motion
2012-04-09 15:27:48 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-04-09 15:27:45 35328 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2012-04-09 15:27:26 -------- d-----w- c:\documents and settings\all users\application data\Research In Motion
2012-04-09 15:27:11 -------- d-----w- c:\program files\Research In Motion
2012-04-09 15:27:11 -------- d-----w- c:\program files\common files\Research In Motion
2012-04-05 19:38:50 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 13:02:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-29 13:02:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:55:14.01 ===============

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2012 - 11:12 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 Tcomny
  • Topic Starter
  • Members
  • 9 posts

Posted 30 April 2012 - 12:14 PM

Gringo,

I didn't run the Security Check because I did so in the previous post; I thought maybe you might have missed that up top.

I tried to run the combofix, and it ended with a BSOD. It successfully installed the Recovery Console, and ran through a series of stages, then ended in the BSOD saying "Plug and Play detected an error most likely caused by a faulty driver."


I was afraid to run it again before posting my results. Unfortunately there is no log to post as it was interrupted. Awaiting your further instruction.

Thanks!

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2012 - 12:56 PM

Hello

OK, let's try this: I want you to run Combofix in Safe Mode, but it is very important that when Combofix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After Combofix has finished its scan, please post the report back here.

Gringo

#7 Tcomny
  • Topic Starter
  • Members
  • 9 posts

Posted 30 April 2012 - 01:42 PM

I restarted the computer in safe mode and had to log in as the local admin. I just copied the file from my desktop folder and placed it on the admin desktop. My network profile is a domain admin so I imagine there really shouldn't be any problem with rights issues but just wanted to make sure this wouldn't be cause for concern.


Combofix completed 50 stages in Safe Mode. I then restarted my computer normally to log on my user account. Upon startup, I got a pop-up message "RUNDLL - Error loading C:\Documents and Settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll The specified module could not be found."


Also, I forgot to mention in my original post that I notice 2 instances of iexplore.exe in the task window that run at all times, even if I haven't started IE, and that restart themselves if I try to terminate them. I imagine it's related to the problems I'm currently experiencing, and it's still happening after the ComboFix.


Here's the log:


ComboFix 12-04-31.02 - Administrator 04/30/2012 14:04:03.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2955 [GMT -4:00]
Running from: c:\documents and settings\Administrator.LHA-DESKTOP99\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jwilde\g2mdlhlpx.exe
c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll
C:\install.exe
c:\windows\Fonts\usps4cb.TTF
c:\windows\system32\~8.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-30 )))))))))))))))))))))))))))))))
.
.
2012-04-27 17:51 . 2012-04-27 17:59 -------- d-----w- c:\documents and settings\Administrator.LHA-DESKTOP99\Local Settings\Application Data\Crystal Reports
2012-04-26 18:22 . 2008-08-25 18:00 221184 ----a-r- c:\windows\atprs.exe
2012-04-26 18:22 . 2012-04-26 18:22 -------- d-----w- c:\program files\HP
2012-04-26 18:22 . 2012-04-26 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2012-04-26 18:19 . 2012-04-26 18:19 -------- d-sh--w- c:\windows\ftpcache
2012-04-23 21:09 . 2012-04-23 21:09 -------- d-----w- c:\documents and settings\jwilde\Application Data\Bullzip
2012-04-23 21:07 . 2007-10-13 16:11 200704 ----a-w- c:\windows\system32\bzpdf.dll
2012-04-23 21:07 . 2012-04-23 21:07 -------- d-----w- c:\program files\Bullzip
2012-04-23 14:20 . 2012-04-23 14:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-04-13 13:35 . 2008-09-04 19:47 91968 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-04-13 13:34 . 2012-04-13 13:35 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-13 13:34 . 2012-04-13 13:35 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-13 13:34 . 2012-04-13 13:35 -------- d-----w- c:\program files\Symantec
2012-04-10 14:31 . 2012-04-19 19:01 -------- d-----w- c:\documents and settings\jwilde\Application Data\VMware
2012-04-09 15:36 . 2012-04-09 15:36 -------- d-----w- c:\documents and settings\jwilde\Application Data\Blackberry Desktop
2012-04-09 15:28 . 2012-04-09 15:28 -------- d-----w- c:\documents and settings\jwilde\Local Settings\Application Data\Research In Motion
2012-04-09 15:28 . 2012-04-09 15:29 -------- d-----w- c:\documents and settings\jwilde\Application Data\Research In Motion
2012-04-09 15:27 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-04-09 15:27 . 2011-07-20 19:13 35328 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\program files\Common Files\Research In Motion
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\program files\Research In Motion
2012-04-05 19:39 . 2012-04-05 19:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2012-04-05 19:38 . 2012-04-05 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-07-14 15:55 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 13:02 . 2012-03-29 13:02 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 13:02 . 2011-07-06 12:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 13:12 . 2010-05-24 19:03 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2012-03-14 13:12 . 2011-06-29 13:54 127456 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2012-03-14 13:08 . 2010-05-24 19:03 2379552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-03-01 11:01 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 10:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 10:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-09-03 06:01 . 2011-09-08 10:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KASHLNDCTR59245140935448"="c:\program files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe" [2011-08-24 409600]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13933160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
.
c:\documents and settings\tt\Start Menu\Programs\Startup\
testBAT.bat [2011-12-8 674]
.
c:\documents and settings\jwilde\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2011-8-3 12997488]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2011-10-17 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KALNDCTR59245140935448]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^jwilde^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\jwilde\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-02-25 05:30 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-02-25 05:39 884928 ----a-w- c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-08-14 18:45 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-08-18 18:59 170520 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-08-18 19:00 150040 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-08-18 18:59 141848 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-08-01 19:52 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-07-15 01:25 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-02-25 05:28 1285488 ----a-w- c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:RealVNC
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R2 KALNDCTR59245140935448;Kaseya Agent;c:\program files\Kaseya\LNDCTR59245140935448\AgentMon.exe [3/13/2010 9:01 PM 851968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [4/24/2011 1:35 AM 214880]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [6/1/2011 1:09 PM 609904]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/18/2011 1:26 PM 62184]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 9:02 AM 253600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 6:32 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/13/2012 9:41 AM 106104]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [3/13/2010 9:01 PM 17920]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/11/2011 2:45 PM 91496]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys --> c:\windows\system32\DRIVERS\swiwdmbx.sys [?]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [9/29/2011 12:26 PM 209536]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 11:56 AM 44896]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SRTSPL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 13:02]
.
2012-04-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-22 22:47]
.
2012-04-30 c:\windows\Tasks\User_Feed_Synchronization-{10139EAA-51C8-4A75-8932-7F246B89E481}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
LSP: kaseyasp.dll
TCP: DhcpNameServer = 192.168.201.15 192.168.201.5
DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} - hxxps://ksnj01.landoctors.com/klc/resources/cab/LiveConnectX.cab
DPF: {B25AB9F1-B8A2-4072-8964-00C7EDF99750} - hxxps://xchange.maximus.com/COM/MOVEitUploadWizard7.0.0.ocx
DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} - hxxp://ksnj01.landoctors.com/inc/PluginManager/PluginManager.cab
FF - ProfilePath - c:\documents and settings\jwilde\Application Data\Mozilla\Firefox\Profiles\5sm2lh5l.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Adobe - c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-30 14:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(320)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(376)
c:\windows\system32\relog_ap.dll
.
Completion time: 2012-04-30 14:18:40
ComboFix-quarantined-files.txt 2012-04-30 18:18
.
Pre-Run: 26,394,279,936 bytes free
Post-Run: 27,161,591,808 bytes free
.
- - End Of File - - 3B9317FEBE48D909E6DAF887EF63B559
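
Triage helper for the ComboFix report above, added here as an example; it is not part of the thread and not ComboFix code. It pulls the Run-key autoruns, the "ORPHANS REMOVED" entries and the firewall's GloballyOpenPorts list out of the report text and flags the items an analyst checks first: autoruns that launch from user-writable profile directories (the removed orphan under Local Settings\Application Data is the kind of entry it catches) and open ports that expose remote-control services (3389 and 5900 are both open in this log). The sample input is a constructed excerpt of lines copied from the log above; the list of user-writable path markers and the remote-access port table are assumptions for the example, not something ComboFix reports.

```python
"""Triage the autorun and firewall sections of a ComboFix report.

Added example; not part of the thread or of ComboFix. Parses Run-key autoruns,
orphaned autorun entries and the GloballyOpenPorts list, then flags autoruns
launched from user-writable directories and ports exposing remote-control services.
"""
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KASHLNDCTR59245140935448"="c:\program files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe" [2011-08-24 409600]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:RealVNC
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Adobe - c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll
"""


class Autorun(NamedTuple):
    name: str
    path: str
    source: str  # "run-key" or "orphan"

class OpenPort(NamedTuple):
    port: int
    proto: str
    description: str

# "name"="c:\path\file.exe" [YYYY-MM-DD size]   (the bracketed suffix is optional)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[[^\]]*\])?\s*$')
# HKU-Default-Run-Adobe - c:\path\file.dll     (ComboFix "ORPHANS REMOVED" form)
ORPHAN_RE = re.compile(r'^(?:HKLM|HKCU|HKU)-(?P<name>.+?)\s+-\s+(?P<path>[a-zA-Z]:\\.+)$')
# "3389:TCP"= 3389:TCP:description
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')

# Assumption: path fragments under which any user on an XP box can drop a file.
# Program Files and the Windows directory need admin rights, so they are absent.
USER_WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\", "\\temp\\")

# Remote-control services by default port; 3389 and 5900 are open in the log,
# the others are well-known defaults added as an assumption.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC over HTTP", 23: "Telnet", 22: "SSH"}


def parse_autoruns(log_text: str) -> List[Autorun]:
    """Collect Run-key entries and orphaned autorun entries from the report text."""
    entries: List[Autorun] = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # registry key header; remember whether it is a Run key
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append(Autorun(m["name"], m["path"], "orphan"))
        elif in_run_key:
            m = RUN_RE.match(line)
            if m:
                entries.append(Autorun(m["name"], m["path"], "run-key"))
    return entries


def parse_open_ports(log_text: str) -> List[OpenPort]:
    """Collect the firewall's GloballyOpenPorts entries."""
    found = [PORT_RE.match(raw.strip()) for raw in log_text.splitlines()]
    return [OpenPort(int(m["port"]), m["proto"], m["desc"].strip()) for m in found if m]


def runs_from_user_writable_dir(path: str) -> bool:
    """True when the autorun target lives where a non-admin user could have written it."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(log_text: str) -> dict:
    """Parsed entries plus the subsets worth a closer look."""
    autoruns = parse_autoruns(log_text)
    ports = parse_open_ports(log_text)
    return {
        "autoruns": autoruns,
        "flagged_autoruns": [a for a in autoruns if runs_from_user_writable_dir(a.path)],
        "open_ports": ports,
        "remote_access_ports": [p for p in ports if p.port in REMOTE_ACCESS_PORTS],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for a in result["flagged_autoruns"]:
        print(f"REVIEW autorun ({a.source}) {a.name}: {a.path}")
    for p in result["remote_access_ports"]:
        print(f"REVIEW open port {p.port}/{p.proto} ({REMOTE_ACCESS_PORTS[p.port]}): {p.description}")
```

On the excerpt above the only flagged autorun is the orphaned rjfiya.dll entry, and the only flagged ports are 3389 (RDP) and 5900 (RealVNC); the Kaseya, NVIDIA and Symantec entries under Program Files pass the user-writable check. Feed the whole report file to `triage()` to get the same view over every section.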

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 April 2012 - 03:07 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

Edited by gringo_pr, 30 April 2012 - 03:07 PM.

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
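
The instructions above say where the TDSSKiller report lands when a reboot was needed and ask for its contents. What follows is an added example, not code from the thread or from Kaspersky, that picks the newest report in a directory listing and reduces the report to the entries whose verdict is anything other than "ok", which is what a helper reads first in a log of a thousand lines. The line format follows the report posted in the next reply: a time stamp and thread id, then either "<name> (<md5>) <path>" for an object found on disk or "<name> - <verdict>" for its verdict. The exact date layout in the file name, and the wording of the non-"ok" verdict in the constructed sample, are assumptions, since the report on this page contains only "ok" verdicts.

```python
"""Summarize a TDSSKiller report: added example, not code from the thread or Kaspersky.

Pairs each scanned object's "(md5) path" line with its verdict line and lists
every object whose final verdict is not "ok".
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed sample modeled on the report in the next reply. The "examplesvc"
# lines are invented to show a non-"ok" verdict; the exact wording TDSSKiller
# uses for warnings and detections varies by version and is an assumption.
SAMPLE_REPORT = r"""
16:14:01.0055 4936 Scan started
16:14:01.0055 4936 Mode: Manual;
16:14:02.0852 4936 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
16:14:02.0852 4936 6to4 - ok
16:14:02.0868 4936 Abiosdsk - ok
16:14:02.0946 4936 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:14:02.0946 4936 ACPI - ok
16:14:04.0087 4936 Ati HotKey Poller (bbc6a3dec3f51336e8dfc9bf955b4c36) C:\WINDOWS\system32\Ati2evxx.exe
16:14:04.0165 4936 Ati HotKey Poller - ok
16:14:05.0999 4936 examplesvc (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\examplesvc.sys
16:14:05.0999 4936 examplesvc ( LockedFile.Multi.Generic ) - warning
"""

# Every report line starts with a time stamp and the thread id.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s*(?P<rest>.*)$")
# "<name> (<md5>) <path>": an object found on disk and hashed (names may contain spaces).
OBJECT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$")
# "<name> - ok" or "<name> ( <threat> ) - warning": the verdict for that object.
VERDICT_RE = re.compile(r"^(?P<name>.+?)(?:\s*\(\s*(?P<threat>[^)]+?)\s*\))?\s+-\s+(?P<verdict>.+?)\s*$")
# Assumed file-name layout behind "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
REPORT_NAME_RE = re.compile(
    r"TDSSKiller\.(?P<ver>[\d.]+)_(?P<date>\d\d\.\d\d\.\d{4})_(?P<time>\d\d\.\d\d\.\d\d)_log\.txt$"
)


class ScanObject(NamedTuple):
    name: str
    md5: Optional[str]   # None when only a registry entry exists and no file was hashed
    path: Optional[str]
    threat: Optional[str]
    verdict: Optional[str]


def parse_report(text: str) -> Dict[str, ScanObject]:
    """Pair object lines with verdict lines, keyed by object name; the last verdict wins."""
    objects: Dict[str, ScanObject] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m["rest"]
        om = OBJECT_RE.match(rest)
        if om:
            objects[om["name"]] = ScanObject(om["name"], om["md5"].lower(), om["path"], None, None)
            continue
        vm = VERDICT_RE.match(rest)
        if vm:
            prev = objects.get(vm["name"], ScanObject(vm["name"], None, None, None, None))
            objects[vm["name"]] = prev._replace(threat=vm["threat"] or prev.threat, verdict=vm["verdict"])
    return objects


def needs_review(text: str) -> List[ScanObject]:
    """Objects whose final verdict is anything other than 'ok', in report order."""
    return [o for o in parse_report(text).values() if o.verdict != "ok"]


def newest_report(filenames: Iterable[str]) -> Optional[str]:
    """Pick the most recent report by the date and time embedded in its file name."""
    best, best_when = None, None
    for name in filenames:
        m = REPORT_NAME_RE.search(name)
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H.%M.%S")
        if best_when is None or when > best_when:
            best, best_when = name, when
    return best


if __name__ == "__main__":
    for obj in needs_review(SAMPLE_REPORT):
        print(f"{obj.name}: {obj.verdict} threat={obj.threat} md5={obj.md5} path={obj.path}")
```

Run against the sample, only the constructed "examplesvc" entry comes back, with its threat name and MD5 attached; a service such as Abiosdsk that has a registry entry but no file on disk is kept with `md5=None` rather than dropped, because a missing binary is itself worth a glance. Pass `os.listdir("C:\\")` to `newest_report()` to locate the file gringo's instructions describe.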

#9 Tcomny (Topic Starter)

Posted 30 April 2012 - 03:43 PM

16:13:57.0477 6064 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
16:13:57.0727 6064 ============================================================
16:13:57.0727 6064 Current date / time: 2012/04/30 16:13:57.0727
16:13:57.0727 6064 SystemInfo:
16:13:57.0727 6064
16:13:57.0727 6064 OS Version: 5.1.2600 ServicePack: 3.0
16:13:57.0727 6064 Product type: Workstation
16:13:57.0727 6064 ComputerName: LHA-DESKTOP99
16:13:57.0727 6064 UserName: jwilde
16:13:57.0727 6064 Windows directory: C:\WINDOWS
16:13:57.0727 6064 System windows directory: C:\WINDOWS
16:13:57.0727 6064 Processor architecture: Intel x86
16:13:57.0727 6064 Number of processors: 2
16:13:57.0727 6064 Page size: 0x1000
16:13:57.0727 6064 Boot type: Normal boot
16:13:57.0727 6064 ============================================================
16:13:58.0243 6064 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:13:58.0243 6064 ============================================================
16:13:58.0243 6064 \Device\Harddisk0\DR0:
16:13:58.0243 6064 MBR partitions:
16:13:58.0243 6064 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
16:13:58.0243 6064 ============================================================
16:13:58.0290 6064 C: <-> \Device\Harddisk0\DR0\Partition0
16:13:58.0290 6064 ============================================================
16:13:58.0290 6064 Initialize success
16:13:58.0290 6064 ============================================================
16:14:01.0055 4936 ============================================================
16:14:01.0055 4936 Scan started
16:14:01.0055 4936 Mode: Manual;
16:14:01.0055 4936 ============================================================
16:14:02.0852 4936 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
16:14:02.0852 4936 6to4 - ok
16:14:02.0868 4936 Abiosdsk - ok
16:14:02.0884 4936 abp480n5 - ok
16:14:02.0946 4936 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:14:02.0946 4936 ACPI - ok
16:14:02.0977 4936 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:14:02.0993 4936 ACPIEC - ok
16:14:03.0102 4936 AcrSch2Svc (31e0d4f9cf6c91c4f38b43a2207bc82e) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
16:14:03.0118 4936 AcrSch2Svc - ok
16:14:03.0180 4936 ADIHdAudAddService (0f0a69496989912351284bb1baa2ce57) C:\WINDOWS\system32\drivers\ADIHdAud.sys
16:14:03.0227 4936 ADIHdAudAddService - ok
16:14:03.0321 4936 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
16:14:03.0368 4936 AdobeFlashPlayerUpdateSvc - ok
16:14:03.0368 4936 adpu160m - ok
16:14:03.0430 4936 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:14:03.0430 4936 aec - ok
16:14:03.0477 4936 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
16:14:03.0493 4936 AFD - ok
16:14:03.0493 4936 Aha154x - ok
16:14:03.0493 4936 aic78u2 - ok
16:14:03.0493 4936 aic78xx - ok
16:14:03.0555 4936 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
16:14:03.0555 4936 Alerter - ok
16:14:03.0602 4936 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
16:14:03.0602 4936 ALG - ok
16:14:03.0602 4936 AliIde - ok
16:14:03.0602 4936 amsint - ok
16:14:03.0665 4936 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
16:14:03.0665 4936 AppMgmt - ok
16:14:03.0665 4936 asc - ok
16:14:03.0665 4936 asc3350p - ok
16:14:03.0680 4936 asc3550 - ok
16:14:03.0852 4936 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
16:14:03.0915 4936 aspnet_state - ok
16:14:03.0977 4936 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:14:03.0977 4936 AsyncMac - ok
16:14:04.0009 4936 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:14:04.0024 4936 atapi - ok
16:14:04.0024 4936 Atdisk - ok
16:14:04.0087 4936 Ati HotKey Poller (bbc6a3dec3f51336e8dfc9bf955b4c36) C:\WINDOWS\system32\Ati2evxx.exe
16:14:04.0165 4936 Ati HotKey Poller - ok
16:14:04.0243 4936 ATI Smart (df105c92c9e2a9f3d4e55ace3da13a9f) C:\WINDOWS\system32\ati2sgag.exe
16:14:04.0290 4936 ATI Smart - ok
16:14:04.0493 4936 ati2mtag (97129408c8760f3421c1551ba3f3899d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:14:04.0634 4936 ati2mtag - ok
16:14:04.0837 4936 AtiHdmiService (f661f01e990b84c58519c1ff43c2108f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
16:14:04.0837 4936 AtiHdmiService - ok
16:14:04.0868 4936 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:14:04.0884 4936 Atmarpc - ok
16:14:04.0915 4936 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
16:14:04.0915 4936 AudioSrv - ok
16:14:04.0977 4936 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:14:04.0977 4936 audstub - ok
16:14:05.0040 4936 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
16:14:05.0040 4936 b57w2k - ok
16:14:05.0102 4936 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:14:05.0102 4936 Beep - ok
16:14:05.0165 4936 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
16:14:05.0243 4936 BITS - ok
16:14:05.0337 4936 Bonjour Service (5ab58c337ac65837fe404462ad6265ab) C:\Program Files\Bonjour\mDNSResponder.exe
16:14:05.0430 4936 Bonjour Service - ok
16:14:05.0493 4936 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
16:14:05.0509 4936 Browser - ok
16:14:05.0665 4936 catchme - ok
16:14:05.0681 4936 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:14:05.0696 4936 cbidf2k - ok
16:14:05.0806 4936 ccEvtMgr (93a45b3f2403670a6d14a0b466d97698) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
16:14:05.0806 4936 ccEvtMgr - ok
16:14:05.0806 4936 ccSetMgr (93a45b3f2403670a6d14a0b466d97698) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
16:14:05.0806 4936 ccSetMgr - ok
16:14:05.0821 4936 cd20xrnt - ok
16:14:05.0868 4936 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:14:05.0868 4936 Cdaudio - ok
16:14:05.0915 4936 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:14:05.0931 4936 Cdfs - ok
16:14:05.0962 4936 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:14:05.0962 4936 Cdrom - ok
16:14:06.0024 4936 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
16:14:06.0024 4936 cercsr6 - ok
16:14:06.0024 4936 Changer - ok
16:14:06.0071 4936 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
16:14:06.0071 4936 CiSvc - ok
16:14:06.0118 4936 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
16:14:06.0134 4936 ClipSrv - ok
16:14:06.0227 4936 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:14:06.0306 4936 clr_optimization_v2.0.50727_32 - ok
16:14:06.0399 4936 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:14:06.0477 4936 clr_optimization_v4.0.30319_32 - ok
16:14:06.0493 4936 CmdIde - ok
16:14:06.0524 4936 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\WINDOWS\system32\Drivers\COH_Mon.sys
16:14:06.0524 4936 COH_Mon - ok
16:14:06.0524 4936 COMSysApp - ok
16:14:06.0540 4936 Cpqarray - ok
16:14:06.0587 4936 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
16:14:06.0602 4936 CryptSvc - ok
16:14:06.0634 4936 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
16:14:06.0649 4936 CVirtA - ok
16:14:06.0743 4936 CVPND (f432260e59aae3284ed7e795264c16d0) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
16:14:06.0790 4936 CVPND - ok
16:14:06.0993 4936 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
16:14:07.0009 4936 CVPNDRVA - ok
16:14:07.0009 4936 dac2w2k - ok
16:14:07.0024 4936 dac960nt - ok
16:14:07.0087 4936 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
16:14:07.0134 4936 DcomLaunch - ok
16:14:07.0196 4936 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
16:14:07.0196 4936 Dhcp - ok
16:14:07.0243 4936 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:14:07.0243 4936 Disk - ok
16:14:07.0243 4936 dmadmin - ok
16:14:07.0321 4936 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:14:07.0368 4936 dmboot - ok
16:14:07.0415 4936 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:14:07.0415 4936 dmio - ok
16:14:07.0446 4936 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:14:07.0446 4936 dmload - ok
16:14:07.0477 4936 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
16:14:07.0477 4936 dmserver - ok
16:14:07.0540 4936 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:14:07.0540 4936 DMusic - ok
16:14:07.0587 4936 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
16:14:07.0587 4936 DNE - ok
16:14:07.0634 4936 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
16:14:07.0634 4936 Dnscache - ok
16:14:07.0681 4936 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
16:14:07.0681 4936 Dot3svc - ok
16:14:07.0696 4936 dpti2o - ok
16:14:07.0743 4936 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:14:07.0743 4936 drmkaud - ok
16:14:07.0790 4936 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
16:14:07.0790 4936 EapHost - ok
16:14:07.0946 4936 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:14:07.0962 4936 eeCtrl - ok
16:14:08.0009 4936 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
16:14:08.0009 4936 EraserUtilRebootDrv - ok
16:14:08.0056 4936 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
16:14:08.0056 4936 ERSvc - ok
16:14:08.0118 4936 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
16:14:08.0118 4936 Eventlog - ok
16:14:08.0181 4936 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
16:14:08.0196 4936 EventSystem - ok
16:14:08.0227 4936 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:14:08.0243 4936 Fastfat - ok
16:14:08.0290 4936 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
16:14:08.0306 4936 FastUserSwitchingCompatibility - ok
16:14:08.0337 4936 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
16:14:08.0384 4936 Fax - ok
16:14:08.0399 4936 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
16:14:08.0415 4936 Fdc - ok
16:14:08.0462 4936 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:14:08.0462 4936 Fips - ok
16:14:08.0462 4936 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
16:14:08.0477 4936 Flpydisk - ok
16:14:08.0540 4936 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:14:08.0540 4936 FltMgr - ok
16:14:08.0681 4936 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
16:14:08.0696 4936 FontCache3.0.0.0 - ok
16:14:08.0727 4936 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:14:08.0743 4936 Fs_Rec - ok
16:14:08.0774 4936 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:14:08.0774 4936 Ftdisk - ok
16:14:08.0837 4936 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:14:08.0837 4936 Gpc - ok
16:14:08.0884 4936 hcmon (1c51e9db4a24c4a6b7ad5be4bc4b19a6) C:\WINDOWS\system32\drivers\hcmon.sys
16:14:08.0884 4936 hcmon - ok
16:14:08.0899 4936 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:14:08.0899 4936 HDAudBus - ok
16:14:09.0009 4936 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
16:14:09.0009 4936 helpsvc - ok
16:14:09.0071 4936 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
16:14:09.0071 4936 HidServ - ok
16:14:09.0118 4936 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:14:09.0118 4936 hidusb - ok
16:14:09.0165 4936 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
16:14:09.0165 4936 hkmsvc - ok
16:14:09.0165 4936 hpn - ok
16:14:09.0227 4936 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:14:09.0243 4936 HTTP - ok
16:14:09.0290 4936 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
16:14:09.0321 4936 HTTPFilter - ok
16:14:09.0337 4936 i2omgmt - ok
16:14:09.0337 4936 i2omp - ok
16:14:09.0384 4936 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
16:14:09.0384 4936 i8042prt - ok
16:14:09.0681 4936 ialm (b2768350bb50469aeb1afe694372b613) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:14:09.0852 4936 ialm - ok
16:14:10.0056 4936 iastor (2358c53f30cb9dcd1d3843c4e2f299b2) C:\WINDOWS\system32\DRIVERS\iaStor.sys
16:14:10.0056 4936 iastor - ok
16:14:10.0227 4936 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
16:14:10.0352 4936 idsvc - ok
16:14:10.0399 4936 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:14:10.0399 4936 Imapi - ok
16:14:10.0462 4936 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
16:14:10.0477 4936 ImapiService - ok
16:14:10.0477 4936 ini910u - ok
16:14:10.0477 4936 IntelIde - ok
16:14:10.0540 4936 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:14:10.0540 4936 intelppm - ok
16:14:10.0587 4936 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:14:10.0587 4936 Ip6Fw - ok
16:14:10.0634 4936 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:14:10.0649 4936 IpFilterDriver - ok
16:14:10.0665 4936 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:14:10.0665 4936 IpInIp - ok
16:14:10.0712 4936 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:14:10.0712 4936 IpNat - ok
16:14:10.0774 4936 Iprip (f08d74ec300b8ba60ca953c58a24d19e) C:\WINDOWS\System32\iprip.dll
16:14:10.0774 4936 Iprip - ok
16:14:10.0790 4936 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:14:10.0790 4936 IPSec - ok
16:14:10.0806 4936 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:14:10.0821 4936 IRENUM - ok
16:14:10.0852 4936 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:14:10.0852 4936 isapnp - ok
16:14:11.0087 4936 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
16:14:11.0087 4936 JavaQuickStarterService - ok
16:14:11.0181 4936 KALNDCTR59245140935448 (c7dd03de3946175bcb66f63058d9c1cb) C:\Program Files\Kaseya\LNDCTR59245140935448\AgentMon.exe
16:14:11.0227 4936 KALNDCTR59245140935448 - ok
16:14:11.0290 4936 KAPFA (f0c4a6d81d30866aaf8cfa983d9d13d7) C:\WINDOWS\system32\drivers\KAPFA.SYS
16:14:11.0290 4936 KAPFA - ok
16:14:11.0337 4936 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:14:11.0352 4936 Kbdclass - ok
16:14:11.0352 4936 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:14:11.0352 4936 kbdhid - ok
16:14:11.0399 4936 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:14:11.0415 4936 kmixer - ok
16:14:11.0462 4936 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:14:11.0462 4936 KSecDD - ok
16:14:11.0509 4936 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
16:14:11.0509 4936 lanmanserver - ok
16:14:11.0556 4936 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
16:14:11.0571 4936 lanmanworkstation - ok
16:14:11.0571 4936 lbrtfdc - ok
16:14:11.0868 4936 LiveUpdate (e553c4b4b7b4b86cd71a2dfee1b58131) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
16:14:12.0024 4936 LiveUpdate - ok
16:14:25.0212 4936 ============================================================
16:14:25.0212 4936 Scan finished
16:14:25.0212 4936 ============================================================
16:14:25.0228 6140 Detected object count: 0
16:14:25.0228 6140 Actual detected object count: 0





aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-30 16:15:23
-----------------------------
16:15:23.198 OS Version: Windows 5.1.2600 Service Pack 3
16:15:23.198 Number of processors: 2 586 0xF0D
16:15:23.198 ComputerName: LHA-DESKTOP99 UserName: jwilde
16:15:23.932 Initialize success
16:17:16.950 AVAST engine defs: 12043001
16:17:26.106 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:17:26.106 Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
16:17:26.122 Disk 0 MBR read successfully
16:17:26.122 Disk 0 MBR scan
16:17:26.169 Disk 0 Windows XP default MBR code
16:17:26.169 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
16:17:26.169 Disk 0 scanning sectors +156232125
16:17:26.262 Disk 0 scanning C:\WINDOWS\system32\drivers
16:17:41.966 Service scanning
16:17:58.294 Service PciCon D:\PciCon.sys **LOCKED** 21
16:18:03.216 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
16:18:03.623 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
16:18:07.201 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
16:18:07.248 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
16:18:08.435 Modules scanning
16:18:15.248 Disk 0 trace - called modules:
16:18:15.279 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:18:15.279 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af554a8]
16:18:15.279 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8aa05030]
16:18:15.545 AVAST engine scan C:\WINDOWS
16:18:43.795 AVAST engine scan C:\WINDOWS\system32
16:28:11.660 AVAST engine scan C:\WINDOWS\system32\drivers
16:28:34.438 AVAST engine scan C:\Documents and Settings\jwilde
16:36:36.947 File: C:\Documents and Settings\jwilde\Local Settings\Application Data\Apple\Adobe\taqptser.dll **INFECTED** Win32:Malware-gen
16:38:55.291 AVAST engine scan C:\Documents and Settings\All Users
16:41:40.135 Scan finished successfully
16:42:40.151 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jwilde\Desktop\MBR.dat"
16:42:40.182 The log file has been saved successfully to "C:\Documents and Settings\jwilde\Desktop\aswMBR.txt"

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:28 PM

Posted 30 April 2012 - 04:01 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::

File::
C:\Documents and Settings\jwilde\Local Settings\Application Data\Apple\Adobe\taqptser.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Tcomny
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:28 PM

Posted 01 May 2012 - 08:43 AM

ComboFix had to restart my computer, but after that it looks as though it has addressed my 2 biggest concerns; search results are no longer being redirected and the 2 instances of iexplorer.exe are no longer starting on their own.

The only ill behavior I can still see on this computer is that every time I connect to another network computer via Remote Desktop Connection, I get 2 remote desktop redirected printer docs sent to two different printers. This has been an annoyance for quite some time; I'm not sure if it's an actual virus or not, so I don't know if there's something we can do about it.


Anyways, here's the log info:

ComboFix 12-04-31.02 - jwilde 04/30/2012 17:12:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2475 [GMT -4:00]
Running from: c:\documents and settings\jwilde\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jwilde\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
FILE ::
"c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\taqptser.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jwilde\Local Settings\Application Data\Apple Computer\rtkhydbq.dll
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-04-27 17:51 . 2012-04-27 17:59 -------- d-----w- c:\documents and settings\Administrator.LHA-DESKTOP99\Local Settings\Application Data\Crystal Reports
2012-04-26 18:22 . 2008-08-25 18:00 221184 ----a-r- c:\windows\atprs.exe
2012-04-26 18:22 . 2012-04-26 18:22 -------- d-----w- c:\program files\HP
2012-04-26 18:22 . 2012-04-26 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2012-04-26 18:19 . 2012-04-26 18:19 -------- d-sh--w- c:\windows\ftpcache
2012-04-23 21:09 . 2012-04-23 21:09 -------- d-----w- c:\documents and settings\jwilde\Application Data\Bullzip
2012-04-23 21:07 . 2007-10-13 16:11 200704 ----a-w- c:\windows\system32\bzpdf.dll
2012-04-23 21:07 . 2012-04-23 21:07 -------- d-----w- c:\program files\Bullzip
2012-04-23 14:20 . 2012-04-23 14:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-04-13 13:35 . 2008-09-04 19:47 91968 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-04-13 13:34 . 2012-04-13 13:35 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-13 13:34 . 2012-04-13 13:35 -------- d-----w- c:\program files\Symantec
2012-04-10 14:31 . 2012-04-19 19:01 -------- d-----w- c:\documents and settings\jwilde\Application Data\VMware
2012-04-09 15:36 . 2012-04-09 15:36 -------- d-----w- c:\documents and settings\jwilde\Application Data\Blackberry Desktop
2012-04-09 15:28 . 2012-04-09 15:28 -------- d-----w- c:\documents and settings\jwilde\Local Settings\Application Data\Research In Motion
2012-04-09 15:28 . 2012-04-09 15:29 -------- d-----w- c:\documents and settings\jwilde\Application Data\Research In Motion
2012-04-09 15:27 . 2011-07-20 19:13 35328 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\program files\Common Files\Research In Motion
2012-04-09 15:27 . 2012-04-09 15:27 -------- d-----w- c:\program files\Research In Motion
2012-04-05 19:39 . 2012-04-05 19:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2012-04-05 19:38 . 2012-04-05 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 13:35 . 2012-04-13 13:34 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-04 19:56 . 2011-07-14 15:55 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 13:02 . 2012-03-29 13:02 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 13:02 . 2011-07-06 12:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 13:12 . 2010-05-24 19:03 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2012-03-14 13:12 . 2011-06-29 13:54 127456 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2012-03-14 13:08 . 2010-05-24 19:03 2379552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-03-01 11:01 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 10:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 10:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2004-08-04 10:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-09-03 06:01 . 2011-09-08 10:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KASHLNDCTR59245140935448"="c:\program files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe" [2011-08-24 409600]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13933160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
.
c:\documents and settings\jwilde\Start Menu\Programs\Startup\
Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2011-8-3 12997488]
.
c:\documents and settings\tt\Start Menu\Programs\Startup\
testBAT.bat [2011-12-8 674]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2011-10-17 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KALNDCTR59245140935448]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^jwilde^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\jwilde\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-02-25 05:30 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-02-25 05:39 884928 ----a-w- c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-08-14 18:45 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-08-18 18:59 170520 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-08-18 19:00 150040 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-08-18 18:59 141848 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-08-01 19:52 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-07-15 01:25 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-02-25 05:28 1285488 ----a-w- c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:RealVNC
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 253600]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 PciCon;PciCon;D:\PciCon.sys [x]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys [x]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2011-05-28 209536]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 KALNDCTR59245140935448;Kaseya Agent;c:\program files\Kaseya\LNDCTR59245140935448\AgentMon.exe [2011-08-24 851968]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-04-24 214880]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-06-01 609904]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2011-05-18 62184]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-15 106104]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS [2011-06-23 17920]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-10-22 91496]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 13:02]
.
2012-05-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-22 22:47]
.
2012-05-01 c:\windows\Tasks\User_Feed_Synchronization-{10139EAA-51C8-4A75-8932-7F246B89E481}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: kaseyasp.dll
TCP: DhcpNameServer = 192.168.201.15 192.168.201.5
DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} - hxxps://ksnj01.landoctors.com/klc/resources/cab/LiveConnectX.cab
DPF: {B25AB9F1-B8A2-4072-8964-00C7EDF99750} - hxxps://xchange.maximus.com/COM/MOVEitUploadWizard7.0.0.ocx
DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} - hxxp://ksnj01.landoctors.com/inc/PluginManager/PluginManager.cab
FF - ProfilePath - c:\documents and settings\jwilde\Application Data\Mozilla\Firefox\Profiles\5sm2lh5l.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-attcm.exe - c:\program files\AT&T\AT&T Communication Manager\attcm.exe
HKCU-Run-Apple Computer - c:\documents and settings\jwilde\Local Settings\Application Data\Apple Computer\rtkhydbq.dll
HKCU-Run-Adobe - c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 09:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Apple Computer = RUNDLL32.EXE "c:\documents and settings\jwilde\Local Settings\Application Data\Apple Computer\rtkhydbq.dll",OsNmGetAliasPath?0123456789
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1460)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\kaseyasp.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(1516)
c:\windows\system32\relog_ap.dll
c:\windows\system32\kaseyasp.dll
.
- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\kaseyasp.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2012-05-01 09:27:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-01 13:27
ComboFix2.txt 2012-04-30 18:18
.
Pre-Run: 27,068,100,608 bytes free
Post-Run: 27,138,842,624 bytes free
.
- - End Of File - - 41C2395EDB5C26C05295401BBB2BEABB
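The security-relevant finding in the report above is the loading point catchme surfaced: a per-user Run value ("Apple Computer") that launches RUNDLL32 against a DLL with a random-looking name (rtkhydbq.dll) dropped under Local Settings\Application Data, with an odd export string, and a sibling entry (rjfiya.dll) already removed as an orphan. Legitimate autostarts in the same log live under Program Files or system32. The script below is an added example, not part of the thread, of ComboFix or of catchme: it applies that pattern as a small triage scorer to a handful of lines copied from the report. The weights and threshold are assumptions chosen for illustration, not a published detection rule, and the only thing it needs is Python 3.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: autostart lines copied from the ComboFix/catchme
# report above (three known-good entries, the two orphans, and the hidden
# HKCU Run value catchme reported).
SAMPLE_LINES = [
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]',
    r'"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]',
    r'HKCU-Run-Apple Computer - c:\documents and settings\jwilde\Local Settings\Application Data\Apple Computer\rtkhydbq.dll',
    r'HKCU-Run-Adobe - c:\documents and settings\jwilde\Local Settings\Application Data\Apple\Adobe\rjfiya.dll',
    r'Apple Computer = RUNDLL32.EXE "c:\documents and settings\jwilde\Local Settings\Application Data\Apple Computer\rtkhydbq.dll",OsNmGetAliasPath?0123456789',
]

# A Windows path ending in a module extension; spaces are allowed, a quote,
# bracket or comma terminates it.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\],]+?\.(exe|dll|cpl|sys)(?![a-z0-9])', re.I)
# Export name handed to rundll32 after the DLL path:  ...\x.dll",Export?args
EXPORT_RE = re.compile(r'\.dll"?,\s*(\S+)', re.I)
# Four or more consonants in a row (y counted as a consonant).
CONSONANT_RUN_RE = re.compile(r'[b-df-hj-np-tv-z]{4,}')
# Per-user, user-writable locations on XP (roaming and Local Settings).
PROFILE_DIR_RE = re.compile(r'\\(application data|local settings)\\', re.I)

# Assumption: weights and threshold are illustrative, tuned so that the
# legitimate entries in this log score below the bar.
FLAG_THRESHOLD = 3


@dataclass
class Finding:
    line: str
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_autostart(line: str) -> Optional[Finding]:
    """Score one autostart line; None when it names no executable or module."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path, ext = m.group(0), m.group(1).lower()
    filename = path.rsplit('\\', 1)[-1]
    stem = re.sub(r'[^a-z]', '', filename.rsplit('.', 1)[0].lower())
    f = Finding(line=line, path=path)

    if PROFILE_DIR_RE.search(path):
        f.score += 2
        f.reasons.append('module lives in the user profile, not Program Files or system32')
    if ext == 'dll':
        f.score += 1
        f.reasons.append('Run target is a DLL, so something must load it (rundll32)')
    if 'rundll32' in line.lower():
        f.score += 1
        f.reasons.append('launched through rundll32')
    if CONSONANT_RUN_RE.search(stem):
        f.score += 1
        f.reasons.append('file name has a long consonant run (random-looking)')
    em = EXPORT_RE.search(line)
    if em and ('?' in em.group(1) or em.group(1)[-1].isdigit()):
        f.score += 1
        f.reasons.append('export string carries an odd argument: ' + em.group(1))
    return f


def triage(lines) -> List[Finding]:
    """Findings at or above FLAG_THRESHOLD, highest score first."""
    found = [f for f in map(score_autostart, lines) if f is not None]
    return sorted((f for f in found if f.score >= FLAG_THRESHOLD), key=lambda f: -f.score)


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.score}] {f.path}')
        for reason in f.reasons:
            print('     -', reason)
```

Run against the sample, the hidden catchme entry scores highest, the two orphans follow, and ctfmon.exe, NvMcTray.dll and ccApp.exe stay under the threshold even though two of them also trip the weak "consonant run" or "DLL target" signals. That is the point of stacking weak signals rather than keying on any one of them: a DLL in system32 loaded by rundll32 is normal, a DLL with a random name under the user's profile is not.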

#12 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 01 May 2012 - 08:48 PM

Hello

I get 2 remote desktop redirected printer docs sent to two different printers.

I have not heard of this before, but you might ask in the network forum as they may have an answer for it.

I would like to see a report that ComboFix makes.

Extra ComboFix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

Copy and paste the report into this topic for me to review.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 Tcomny (Topic Starter, Members)

Posted 02 May 2012 - 08:20 AM

I've tried a Google search on the printer documents I'm experiencing; obviously I wasn't getting anywhere while infected :lmao:
It's only a minor annoyance: no documents actually get printed, and after a short time they clear out of the print queue on their own. My main concern is to get all the malware off this machine; the quirks I can deal with.

Here's the requested report:

2007 Microsoft Office Suite Service Pack 3 (SP3)
2007 Microsoft Office system
32 Bit HP CIO Components Installer
7-Zip 9.20
Acrobat.com
Acronis True Image Echo Server
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.1
Apple Application Support
Apple Software Update
AppTracker
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Problem Report Wizard
AusLogics Disk Defrag
BlackBerry Desktop Software 6.1
Bonjour
Broadcom Gigabit Integrated Controller
Bullzip PDF Printer 4.0.0.463
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco Systems VPN Client 5.0.02.0090
Crystal Reports 8.5 Runtime
Crystal Reports for Visual Studio
Crystal Reports XI
Dotfuscator Software Services - Community Edition
EZ-CAP Self-Registering Files
FileZilla Client 3.5.1
GDR 1617 for SQL Server 2008 R2 (KB2494088)
Glary Utilities 2.36.0.1232
Google Chrome
GoToMeeting 4.8.0.723
GPL Ghostscript Lite 9.04
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2522890)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2529927)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2542054)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2548139)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2549864)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2635973)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HyperCam 2
Intel® Graphics Media Accelerator Driver
Internet Information Services (IIS) 7 Manager
Java Auto Updater
Java™ 6 Update 29
Kaseya Agent (lha-desktop99.lha.full.ldi - ksnj01.landoctors.com)
LiveUpdate 3.3 (Symantec Corporation)
MagicDisc 2.7.106
MAILERS+4
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Design 4
Microsoft Expression Encoder 4
Microsoft Expression Encoder 4 Screen Capture Codec
Microsoft Expression Web 4
Microsoft Expression Web 4 Service Pack 2
Microsoft Help Viewer 1.1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft Silverlight 4 SDK
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008 R2 Books Online
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework Runtime v1.0 SP1 (x86)
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Sync Framework Services v1.0 SP1 (x86)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x86)
Microsoft Team Foundation Server 2010 Object Model - ENU
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual F# 2.0 Runtime
Microsoft Visual J# 2.0 Redistributable Package - SE
Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Office Developer Tools (x86)
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Microsoft Visual Studio Macro Tools
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft_VC90_CRT_x86
Mozilla Firefox 6.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Notepad++
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0
Paint.NET v3.5.10
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Expression Design 4 (KB2667730)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2645410)
Security Update for Microsoft Visual Studio Macro Tools (KB2669970)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
SoundMAX
Spybot - Search & Destroy
SQL Server 2008 R2 BI Development Studio
SQL Server 2008 R2 Client Tools
SQL Server 2008 R2 Common Files
SQL Server 2008 R2 Database Engine Shared
SQL Server 2008 R2 Integration Services
SQL Server 2008 R2 Management Studio
Symantec Endpoint Protection
TeamViewer 6
TextPad 5
Trillian
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VMware vSphere Client 5.0
VNC Enterprise Edition E4.5.1
VNC Mirror Driver 1.8.0
WCF RIA Services V1.0 SP1
Web Deployment Tool
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Series SDK
Windows PowerShell™ 1.0 MUI pack
Windows XP Service Pack 3
Xobni
Xobni Core
Zoho CRM Plug-in for Microsoft Outlook

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:28 PM

Posted 02 May 2012 - 08:30 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 9.5.1
Java™ 6 Update 29


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 Tcomny

Tcomny
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 02 May 2012 - 01:41 PM

No problems performing what you requested.
Computer looks to be performing fine now.

Logs:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jwilde :: LHA-DESKTOP99 [administrator]

05/02/2012 2:04:50 PM
mbam-log-2012-05-02 (14-04-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 424046
Time elapsed: 29 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:36:21 PM, on 05/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kaseya\LNDCTR59245140935448\AgentMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Xobni\XobniService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Business Objects\Crystal Reports 11\crw32.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\jwilde\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [KASHLNDCTR59245140935448] "C:\Program Files\Kaseya\LNDCTR59245140935448\KaUsrTsk.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-940977993-1653947307-2805837931-3126\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-18 Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (User 'Default user')
O4 - Startup: Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O16 - DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} (SmartCode ViewerX VNC Control) - https://ksnj01.landoctors.com/klc/resources/cab/LiveConnectX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268525777126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268525830700
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://ksnj01.landoctors.com/inc/kaxRemote.dll
O16 - DPF: {B25AB9F1-B8A2-4072-8964-00C7EDF99750} (MOVEitUpDownWiz Class) - https://xchange.maximus.com/COM/MOVEitUploadWizard7.0.0.ocx
O16 - DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} (PluginManager Class) - http://ksnj01.landoctors.com/inc/PluginManager/PluginManager.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LHA.local
O17 - HKLM\Software\..\Telephony: DomainName = LHA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LHA.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaseya Agent (KALNDCTR59245140935448) - Kaseya International Limited - C:\Program Files\Kaseya\LNDCTR59245140935448\AgentMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 9726 bytes
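The HijackThis log above is read by hand in this thread. As an added example (not part of the original posts and not HijackThis code), the script below does the first triage pass an analyst makes over such a log: it parses the numbered entries and reports the classes that deserve a second look. The directory list, the "microsoft.com" trust rule and the `example.exe` line in the sample are assumptions made for this example; the other sample lines are copied from the posted log. A hit means "look at this", not "this is malware": in the posted log the O10 LSP and the O16 ActiveX hits belong to the Kaseya remote-management agent that is also visible as a service (O23) and a Run key (O4), which is why the helper left them alone.

```python
"""Triage pass over a HijackThis 2.x log (added example; not HijackThis code).

Reports the entry classes an analyst reads first:
  O4  - autorun entries whose binary lives outside Windows/Program Files
  O10 - unknown Winsock LSPs (a layered provider sees every socket call)
  O16 - ActiveX controls (DPF) downloaded from non-Microsoft hosts
  O23 - services with no vendor string or a binary outside the usual dirs
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed directories a normally installed binary lives under (lower-case).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def first_binary(cmd: str) -> Optional[str]:
    """Return the file a Run command actually loads (handles quoting and rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    tokens = cmd.split()
    if not tokens:
        return None
    # rundll32 is only a host process; the interesting file is its DLL argument.
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def in_expected_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in EXPECTED_DIRS)


def in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or a subdomain; 'notmicrosoft.com' does not match."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Set[str] = set()

    def add(section: str, reason: str, line: str) -> None:
        # HijackThis prints one O10 line per protocol the LSP is bound to; report once.
        if line not in seen:
            seen.add(line)
            findings.append(Finding(section, reason, line))

    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O4":
            rm = RUN_RE.search(body)
            path = first_binary(rm["cmd"]) if rm else None
            if path and re.match(r"^[a-z]:\\", path.lower()) and not in_expected_dir(path):
                add(section, f"autorun binary outside standard dirs: {path}", line)
        elif section == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            add(section, "unknown Winsock LSP", line)
        elif section == "O16":
            hm = URL_RE.search(body)
            host = hm.group(1) if hm else None
            if host is None or not in_domain(host, "microsoft.com"):
                add(section, f"ActiveX control downloaded from {host}", line)
        elif section == "O23":
            parts = body.rsplit(" - ", 2)   # "<desc> - <vendor> - <path>"
            if len(parts) != 3:
                continue
            _desc, vendor, path = (p.strip() for p in parts)
            if vendor.lower() in ("", "unknown owner"):
                add(section, "service with no vendor string", line)
            elif not in_expected_dir(path):
                add(section, f"service binary outside standard dirs: {path}", line)
    return findings


# Constructed sample: lines copied from the log posted in this thread, plus one
# made-up O4 line (example.exe under a user profile) that is NOT in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Application Data\example.exe
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O10 - Unknown file in Winsock LSP: kaseyasp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268525777126
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://ksnj01.landoctors.com/inc/kaxRemote.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full posted log, the script lists the four identical kaseyasp.dll LSP lines once, every O16 control not served from a microsoft.com host (the Kaseya and MOVEit controls and Adobe's gp.cab), and nothing for O4 or O23, since every autorun and service binary there sits under C:\WINDOWS or C:\Program Files with a vendor string. That matches what the helper concluded by eye: the remaining entries are the company's own remote-management, VPN and endpoint-protection software, not leftovers of the redirector.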



