
Rootkit Advice


  • This topic is locked
33 replies to this topic

#1 Clickeroo

  • Members
  • 17 posts

Posted 01 May 2012 - 05:51 PM

Hi Bleeping Comp Team,

First let me explain what happened. I had a file on a thumb drive that was downloaded on a MAC, then I transferred that to another WIN XP based comp. The file scanned as clean, so this thing hides well. I use ESET NOD32 AV v5, one of the better programs in my opinion, but it still did not detect the file as bad just yet.

Ok so I clicked the file and this is when it all began. Now NOD saw viral activity and flagged it as a ROOTKIT. Great, why did it not see it in the WinZipped file? Anyhow, I do feel NOD stopped it from progressing as it did attack and quarantine and try to clean some files immediately, but not all.

This little nasty launched into memory where NOD couldn't get at it. I have some experience with malware removal tools and decided to try and clean up the mess on my own, good or bad idea. I have achieved what appears pretty clean, but I now want some advice and a clean bill of health check from some experts on this.

Parts of this infection flagged as win32sirefef.da and virus.win32.zaccess.k


So we are all in sync, I will try and explain what I did so far.

I knew that I had a restore point before this all happened, so I attempted to go back a few days. The system was then restored to before the Virus; however, it still was in mem as NOD flagged it again ... my hope is that at the very least the last restore point would be a bit cleaner. You can tell me if that helped or not, as it was just an attempt I made hoping to make things a little better, not worse. I did not want to post here originally as I know you guys are very busy with others who may be worse off than me.


Let me also explain that while doing all this the comp was not connected to the net at all, so if it tried to send data to its creators it could not.

I broke out some tools: Gmer RootKit scanner, TDSSKILLER, and Mbam ... I also have, but did not run, HJT from the original coder, not the new one now owned by Trend.

The Gmer scan confirmed rootkit-type activity, as NOD had also flagged it first.

I had a real old version of the TDSSKILLER Tool by Kaspersky that I had used on a friend's comp long ago to clean up his mess, so I decided to dl a new version on a clean comp so I could try it on my other infected one.

Now this did indeed cure some files (afd.sys) and removed the kit from memory. So far so good; the system rebooted and was now a bit cleaner. But knowing that a ROOTKIT is tricky, I ran Mbam with slightly older sigs and it found one downloader trojan still hiding in the comp and allowed me to select it for removal. It then rebooted and it seems to be gone.

Now I decided to re-connect this comp to the net, now that I had this a lot cleaner, and let Mbam get the latest version and sigs. Then I disconnected the comp from the net and let Mbam re-scan with the new sigs; this time it came up with nothing.

Now, not satisfied just yet, I ran TDSSKILLER again. It did not find any more HighRisk junk but still did find some MediumRisk unsigned SERVICE files: Staropen, ASCTRM, Wanminiport. I did not delete them as they could be ok; I try and never remove what I am not sure should be removed. I read some may be part of AOL that is installed on this comp, but need to make sure they should remain.

So this is my last resort just to make sure what I did has worked correctly.


This comp is important but is not the main-use comp yet; I am in a transition. It is running XP Pro w SP3.

Hope all this will help make this a speedy process and not waste any expert's time. My hope is that all is good, and if not I just need to know what else to do to ensure this comp is clean and safe. It works fine now but I need to know all is good.


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 02 May 2012 - 12:24 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Clickeroo
  • Topic Starter

  • Members
  • 17 posts

Posted 03 May 2012 - 11:39 PM

Hi Gringo,

I just noticed you responded. I don't have access to the comp that I was trying to clean at this time. I will have access tomorrow; sorry for the delay, just responding to let you know so you do not think I dropped this.

I will DL the files on my clean comp tonight. The other computer works fine but I still want to make sure that it is really clean ... quick question: the 3 files that TDSSKiller flagged as unsigned, Staropen, ASCTRM, Wanminiport. Any idea what they are? As I said, I read one may be part of AOL but not sure, so I am not taking any chances and that's why I want this looked into by those experts on this like yourself.

I appreciate the help.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 03 May 2012 - 11:47 PM

Being unsigned does not mean they are bad, but it is a good place to start looking.


I will need more scans to tell if they are bad anyway.


gringo

#5 Clickeroo
  • Topic Starter

  • Members
  • 17 posts

Posted 04 May 2012 - 10:35 AM

Hi Gringo,
Here are the reports requested ...

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 11:12 on 04/05/2012 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET NOD32 Antivirus
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 6 Update 22
Java version out of date!
Adobe Flash Player 11.2.202.233
Adobe Reader X (10.1.3)
Mozilla Firefox (3.6.28) Firefox out of Date!
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

America Online 9.0 aoltray.exe
``````````End of Log````````````



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 11:21:13 on 2012-05-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Metapad 3.6\metapad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Metapad 3.6\metapad.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DebugBar (Toolbar): {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\xpmoahz5.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Vfox3-Basic: {b3f91530-1905-11de-8c30-0800200c9a66} - %profile%\extensions\{b3f91530-1905-11de-8c30-0800200c9a66}
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2011-8-4 103112]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 253088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-30 10:13:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-30 05:25:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-30 05:25:13 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-26 21:20:49 -------- d-----w- c:\documents and settings\administrator\application data\FabFilter
2012-04-26 21:13:25 -------- d-----w- c:\program files\FabFilter(2)
2012-04-26 02:27:55 -------- d-----w- c:\program files\common files\Digidesign
2012-04-26 02:25:57 -------- d-----w- c:\program files\Flux
2012-04-17 04:21:12 -------- d-----w- c:\program files\Metapad 3.6
2012-04-17 03:02:03 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2012-04-15 02:18:33 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-09 19:33:58 -------- d-----w- c:\program files\Speccy
2012-04-09 04:15:25 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
2012-04-09 02:23:01 -------- d-----w- c:\program files\Gadwin Systems
2012-04-08 02:06:33 -------- d-----w- c:\program files\Defraggler
2012-04-06 23:00:05 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2012-04-06 20:31:39 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-30 10:14:33 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 02:18:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 00:17:51 640957 ----a-w- c:\windows\unins000.exe
2012-03-29 16:29:58 105168 ----a-w- c:\windows\MozillaUninstall.exe
2012-03-29 16:29:48 105168 ----a-w- c:\windows\GREUninstall.exe
2012-03-28 04:03:23 10920 ----a-w- C:\aolconnfix.exe
2012-03-28 04:01:05 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2012-03-28 04:01:01 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2012-03-27 18:50:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-27 18:50:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 11:21:39.45 ===============


NOTES:
DDS report is from the one file it opened; I did not see 2 sep txt files.
This comp has been temp disconnected from the net; all tests run are with no connection to the net. All files have been downloaded from a sep clean comp, then transferred by USB thumb to the computer we are testing.

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 04 May 2012 - 12:03 PM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following:
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?

Gringo

#7 Clickeroo
  • Topic Starter

  • Members
  • 17 posts

Posted 04 May 2012 - 12:55 PM

Hi Gringo,

I am running ComboFix but I have to wait a bit, as it wants a connection to the net to dl the Recovery Console and I do not have that comp connected to the net at this time. So please stand by and I will get back to you shortly when I can get a connection to that comp.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 04 May 2012 - 02:20 PM

OK, no problem, and I will see you later.


gringo

#9 Clickeroo
  • Topic Starter

  • Members
  • 17 posts

Posted 04 May 2012 - 02:31 PM

Hi Gringo,


Ok, I ran ComboFix and it installed the Recovery Console. It rebooted the machine, then loaded itself, no problem there. It said something about ZeroAccess found and that it had inserted itself into the TCP/IP stack; I said ok and the scan continued, no problem. The scan took less than 10 mins. Again, this comp is now disconnected from the net, as I only allowed it to have access to get the Recovery Console, as I shall take no chances.

Log is below.

ComboFix 12-05-04.03 - Administrator 05/04/2012 14:51:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1703 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\drvrtmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-04 to 2012-05-04 )))))))))))))))))))))))))))))))
.
.
2012-04-30 10:13 . 2012-04-30 10:13 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-30 05:25 . 2012-04-30 05:25 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-30 05:20 . 2012-04-30 05:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-04-26 21:20 . 2012-04-26 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\FabFilter
2012-04-26 21:13 . 2012-04-30 05:25 -------- d-----w- c:\program files\FabFilter(2)
2012-04-26 02:27 . 2012-04-26 02:27 -------- d-----w- c:\program files\Common Files\Digidesign
2012-04-26 02:25 . 2012-04-26 02:25 -------- d-----w- c:\program files\Flux
2012-04-17 04:21 . 2012-04-17 04:21 -------- d-----w- c:\program files\Metapad 3.6
2012-04-17 03:02 . 2012-04-17 03:02 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-04-15 02:18 . 2012-04-15 02:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-04-15 02:18 . 2012-04-15 02:18 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-09 19:33 . 2012-04-09 19:34 -------- d-----w- c:\program files\Speccy
2012-04-09 04:15 . 2012-04-09 04:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2012-04-09 02:23 . 2012-04-09 02:23 -------- d-----w- c:\program files\Gadwin Systems
2012-04-08 02:06 . 2012-04-08 02:06 -------- d-----w- c:\program files\Defraggler
2012-04-08 01:45 . 2012-04-08 01:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Alien Skin
2012-04-06 23:00 . 2012-04-06 23:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2012-04-06 20:31 . 2012-04-15 02:18 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-30 10:14 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 02:18 . 2012-03-27 20:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2012-03-28 04:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 00:17 . 2012-03-30 00:18 640957 ----a-w- c:\windows\unins000.exe
2012-03-29 16:29 . 2012-03-29 16:29 105168 ----a-w- c:\windows\MozillaUninstall.exe
2012-03-29 16:29 . 2012-03-29 16:29 105168 ----a-w- c:\windows\GREUninstall.exe
2012-03-28 04:03 . 2012-03-28 04:03 10920 ----a-w- C:\aolconnfix.exe
2012-03-28 04:01 . 2012-03-28 04:01 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2012-03-28 04:01 . 2012-03-28 04:01 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2012-03-27 18:50 . 2012-03-27 18:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-27 18:50 . 2012-03-27 18:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2012-3-28 36954]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-08-07 04:03 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2012-03-28 04:01 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 10:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 10:20 AM 103112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/22/2011 1:03 PM 974944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/6/2012 4:31 PM 253088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xpmoahz5.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Vfox3-Basic: {b3f91530-1905-11de-8c30-0800200c9a66} - %profile%\extensions\{b3f91530-1905-11de-8c30-0800200c9a66}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-29458283.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-04 14:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1060284298-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,85,f2,5d,a1,11,98,41,bb,4d,ad,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,85,f2,5d,a1,11,98,41,bb,4d,ad,\
.
Completion time: 2012-05-04 14:58:56
ComboFix-quarantined-files.txt 2012-05-04 18:58
.
Pre-Run: 59,875,418,112 bytes free
Post-Run: 60,125,274,112 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3EC173942B44EE44F52FE3C0B723E93A



What is our next step?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:28 PM

Posted 04 May 2012 - 04:10 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
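The post above asks for the TDSSKiller report to be pasted back for review. As an added example (not part of this thread or of TDSSKiller itself), the script below parses a log in the shape shown in this thread and pulls out what a reviewer looks for first: objects whose verdict is anything other than "ok" (warnings, detections, or no verdict at all) and file paths that were reported with two different MD5 hashes during the same scan. The line patterns, the "Scan started"/"Scan finished" markers, and the sample log (which mixes lines from this thread with a constructed driver called "exampledrv") are assumptions based on the pasted output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes assumed from the TDSSKiller 2.7 log pasted in this thread:
#   "<time> <pid> <Name> (<md5>) <path>"               file located on disk
#   "<time> <pid> <Name> ( <reason> ) - warning"       warning with a reason
#   "<time> <pid> <Name> - <verdict>"                  per-object verdict
# Lines before "Scan started" are environment info and are skipped.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<body>.*)$")
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
WARN_RE = re.compile(r"^(?P<name>.+?) \( (?P<reason>.+?) \) - warning$")
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class Entry:
    """Everything the log said about one scanned service or driver."""
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: str = ""                      # "" means no verdict line was seen
    reasons: List[str] = field(default_factory=list)


def parse_tdsskiller(log_text: str) -> Dict[str, Entry]:
    """Collect one Entry per scanned object, keyed by the object name."""
    entries: Dict[str, Entry] = {}
    in_scan = False
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body == "Scan started":
            in_scan = True
            continue
        if body == "Scan finished":
            break
        if not in_scan or body.startswith("="):
            continue
        fm = FILE_RE.match(body)
        if fm:
            e = entries.setdefault(fm["name"], Entry(fm["name"]))
            e.md5, e.path = fm["md5"].lower(), fm["path"]
            continue
        wm = WARN_RE.match(body)          # must be tried before VERDICT_RE
        if wm:
            e = entries.setdefault(wm["name"], Entry(wm["name"]))
            e.reasons.append(wm["reason"])
            continue
        vm = VERDICT_RE.match(body)
        if vm:
            e = entries.setdefault(vm["name"], Entry(vm["name"]))
            e.verdict = vm["verdict"]
    return entries


def triage(entries: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Return the objects a reviewer should look at before anything else."""
    findings: Dict[str, List[str]] = {"not_ok": [], "hash_conflicts": []}
    for name, e in sorted(entries.items()):
        if e.verdict != "ok" or e.reasons:
            findings["not_ok"].append(name)
    # The same on-disk file (lsass.exe, services.exe, shsvcs.dll ...) is
    # reported under several service names; its hash must not differ.
    by_path = defaultdict(set)
    for e in entries.values():
        if e.path and e.md5:
            by_path[e.path.lower()].add(e.md5)
    for path, hashes in sorted(by_path.items()):
        if len(hashes) > 1:
            findings["hash_conflicts"].append(path)
    return findings


# Constructed sample: real lines from this thread plus a made-up driver
# "exampledrv" and a deliberately wrong hash for PlugPlay's services.exe.
SAMPLE_LOG = r"""
17:30:19.0640 3612 ============================================================
17:30:19.0640 3612 Scan started
17:30:19.0640 3612 Mode: Manual;
17:30:19.0640 3612 ============================================================
17:30:20.0031 3612 Abiosdsk - ok
17:30:20.0093 3612 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:30:20.0093 3612 ACPI - ok
17:30:25.0203 3612 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:25.0203 3612 Netlogon - ok
17:30:27.0453 3612 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:27.0453 3612 SamSs - ok
17:30:28.0000 3612 exampledrv (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\exampledrv.sys
17:30:28.0000 3612 exampledrv ( UnsignedFile.Multi.Generic ) - warning
17:30:28.0000 3612 exampledrv - detected UnsignedFile.Multi.Generic (1)
17:30:28.0100 3612 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:30:28.0100 3612 Eventlog - ok
17:30:28.0200 3612 PlugPlay (ffffffffffffffffffffffffffffffff) C:\WINDOWS\system32\services.exe
17:30:28.0200 3612 PlugPlay - ok
17:30:29.0000 3612 Scan finished
"""

if __name__ == "__main__":
    found = triage(parse_tdsskiller(SAMPLE_LOG))
    for kind, items in found.items():
        print(kind, items)
```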

#11 Clickeroo

Clickeroo
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:28 PM

Posted 04 May 2012 - 05:00 PM

OK, currently scanning with aswMBR. About how long should this scan take to run? Also the sig DL was rather big, 50-60 MB, so I am wondering approx. how long it could take to complete. I've been checking every 10 mins; still going.

#12 Clickeroo

Clickeroo
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:28 PM

Posted 04 May 2012 - 05:52 PM

Hi Gringo,

OK, it finished; takes a bit, I take it.

NOTES: Logs from both tools below.
The info from TDSSKiller is without the extra 2 settings checked (to scan unsigned files and such), as this was not asked. So I do not know if it will still flag the unsigned files it found originally when I first came to this forum.


17:29:21.0156 2600 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
17:29:21.0343 2600 ============================================================
17:29:21.0343 2600 Current date / time: 2012/05/04 17:29:21.0343
17:29:21.0343 2600 SystemInfo:
17:29:21.0343 2600
17:29:21.0343 2600 OS Version: 5.1.2600 ServicePack: 3.0
17:29:21.0343 2600 Product type: Workstation
17:29:21.0343 2600 ComputerName: DC-1
17:29:21.0343 2600 UserName: Administrator
17:29:21.0343 2600 Windows directory: C:\WINDOWS
17:29:21.0343 2600 System windows directory: C:\WINDOWS
17:29:21.0343 2600 Processor architecture: Intel x86
17:29:21.0343 2600 Number of processors: 1
17:29:21.0343 2600 Page size: 0x1000
17:29:21.0343 2600 Boot type: Normal boot
17:29:21.0343 2600 ============================================================
17:29:22.0734 2600 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:29:22.0750 2600 Drive \Device\Harddisk1\DR6 - Size: 0x7BF80000 (1.94 Gb), SectorSize: 0x200, Cylinders: 0xFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:29:22.0750 2600 ============================================================
17:29:22.0750 2600 \Device\Harddisk0\DR0:
17:29:22.0750 2600 MBR partitions:
17:29:22.0750 2600 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
17:29:22.0750 2600 \Device\Harddisk1\DR6:
17:29:22.0765 2600 MBR partitions:
17:29:22.0765 2600 \Device\Harddisk1\DR6\Partition0: MBR, Type 0x4, StartLBA 0x20, BlocksNum 0x3DFBE0
17:29:22.0765 2600 ============================================================
17:29:22.0765 2600 C: <-> \Device\Harddisk0\DR0\Partition0
17:29:22.0765 2600 ============================================================
17:29:22.0765 2600 Initialize success
17:29:22.0765 2600 ============================================================
17:30:19.0640 3612 ============================================================
17:30:19.0640 3612 Scan started
17:30:19.0640 3612 Mode: Manual;
17:30:19.0640 3612 ============================================================
17:30:20.0031 3612 Abiosdsk - ok
17:30:20.0031 3612 abp480n5 - ok
17:30:20.0093 3612 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:30:20.0093 3612 ACPI - ok
17:30:20.0125 3612 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:30:20.0140 3612 ACPIEC - ok
17:30:20.0218 3612 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
17:30:20.0218 3612 AdobeFlashPlayerUpdateSvc - ok
17:30:20.0234 3612 adpu160m - ok
17:30:20.0265 3612 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:30:20.0281 3612 aec - ok
17:30:20.0328 3612 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
17:30:20.0328 3612 AFD - ok
17:30:20.0328 3612 Aha154x - ok
17:30:20.0343 3612 aic78u2 - ok
17:30:20.0359 3612 aic78xx - ok
17:30:20.0390 3612 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
17:30:20.0390 3612 Alerter - ok
17:30:20.0421 3612 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
17:30:20.0421 3612 ALG - ok
17:30:20.0421 3612 AliIde - ok
17:30:20.0437 3612 amsint - ok
17:30:20.0625 3612 AOL ACS (52e82740fdf434a625fe0ac5e119a51f) C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
17:30:20.0640 3612 AOL ACS - ok
17:30:20.0687 3612 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:30:20.0687 3612 Apple Mobile Device - ok
17:30:20.0765 3612 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
17:30:20.0765 3612 AppMgmt - ok
17:30:20.0781 3612 asc - ok
17:30:20.0781 3612 asc3350p - ok
17:30:20.0796 3612 asc3550 - ok
17:30:20.0843 3612 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
17:30:20.0843 3612 ASCTRM - ok
17:30:20.0921 3612 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
17:30:20.0921 3612 aspnet_state - ok
17:30:20.0937 3612 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:30:20.0937 3612 AsyncMac - ok
17:30:20.0984 3612 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:30:20.0984 3612 atapi - ok
17:30:20.0984 3612 Atdisk - ok
17:30:21.0031 3612 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:30:21.0031 3612 Atmarpc - ok
17:30:21.0062 3612 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
17:30:21.0062 3612 AudioSrv - ok
17:30:21.0109 3612 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:30:21.0109 3612 audstub - ok
17:30:21.0140 3612 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:30:21.0140 3612 Beep - ok
17:30:21.0203 3612 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
17:30:21.0218 3612 BITS - ok
17:30:21.0296 3612 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
17:30:21.0296 3612 Bonjour Service - ok
17:30:21.0312 3612 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
17:30:21.0312 3612 Browser - ok
17:30:21.0421 3612 catchme - ok
17:30:21.0437 3612 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:30:21.0437 3612 cbidf2k - ok
17:30:21.0453 3612 cd20xrnt - ok
17:30:21.0484 3612 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:30:21.0484 3612 Cdaudio - ok
17:30:21.0531 3612 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:30:21.0531 3612 Cdfs - ok
17:30:21.0562 3612 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:30:21.0578 3612 Cdrom - ok
17:30:21.0578 3612 Changer - ok
17:30:21.0609 3612 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
17:30:21.0609 3612 CiSvc - ok
17:30:21.0625 3612 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
17:30:21.0625 3612 ClipSrv - ok
17:30:21.0703 3612 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:30:21.0703 3612 clr_optimization_v4.0.30319_32 - ok
17:30:21.0703 3612 CmdIde - ok
17:30:21.0718 3612 COMSysApp - ok
17:30:21.0750 3612 Cpqarray - ok
17:30:21.0796 3612 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
17:30:21.0796 3612 CryptSvc - ok
17:30:21.0812 3612 dac2w2k - ok
17:30:21.0812 3612 dac960nt - ok
17:30:21.0875 3612 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:30:21.0890 3612 DcomLaunch - ok
17:30:21.0906 3612 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
17:30:21.0906 3612 Dhcp - ok
17:30:21.0968 3612 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:30:21.0968 3612 Disk - ok
17:30:21.0968 3612 dmadmin - ok
17:30:22.0046 3612 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:30:22.0046 3612 dmboot - ok
17:30:22.0078 3612 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:30:22.0078 3612 dmio - ok
17:30:22.0093 3612 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:30:22.0093 3612 dmload - ok
17:30:22.0125 3612 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
17:30:22.0125 3612 dmserver - ok
17:30:22.0171 3612 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:30:22.0171 3612 DMusic - ok
17:30:22.0203 3612 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
17:30:22.0218 3612 Dnscache - ok
17:30:22.0250 3612 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
17:30:22.0250 3612 Dot3svc - ok
17:30:22.0265 3612 dpti2o - ok
17:30:22.0281 3612 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:30:22.0281 3612 drmkaud - ok
17:30:22.0328 3612 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
17:30:22.0328 3612 E100B - ok
17:30:22.0375 3612 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys
17:30:22.0375 3612 eamon - ok
17:30:22.0406 3612 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:30:22.0406 3612 EapHost - ok
17:30:22.0437 3612 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
17:30:22.0437 3612 ehdrv - ok
17:30:22.0609 3612 ekrn (c7bb95cf9631aa401e4aded1648f6af7) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
17:30:22.0609 3612 ekrn - ok
17:30:22.0625 3612 epfwtdir (06c65ac0a703cf8eea4f284d901a1550) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
17:30:22.0625 3612 epfwtdir - ok
17:30:22.0640 3612 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:30:22.0640 3612 ERSvc - ok
17:30:22.0687 3612 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:30:22.0703 3612 Eventlog - ok
17:30:22.0734 3612 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
17:30:22.0734 3612 EventSystem - ok
17:30:22.0781 3612 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:30:22.0781 3612 Fastfat - ok
17:30:22.0828 3612 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:30:22.0828 3612 FastUserSwitchingCompatibility - ok
17:30:22.0843 3612 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:30:22.0843 3612 Fdc - ok
17:30:22.0859 3612 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:30:22.0859 3612 Fips - ok
17:30:22.0875 3612 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:30:22.0875 3612 Flpydisk - ok
17:30:22.0906 3612 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
17:30:22.0906 3612 FltMgr - ok
17:30:22.0953 3612 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:30:22.0953 3612 Fs_Rec - ok
17:30:22.0984 3612 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:30:22.0984 3612 Ftdisk - ok
17:30:23.0015 3612 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
17:30:23.0015 3612 GEARAspiWDM - ok
17:30:23.0031 3612 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:30:23.0031 3612 Gpc - ok
17:30:23.0078 3612 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:30:23.0078 3612 helpsvc - ok
17:30:23.0093 3612 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
17:30:23.0093 3612 HidServ - ok
17:30:23.0125 3612 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:30:23.0125 3612 hidusb - ok
17:30:23.0171 3612 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:30:23.0171 3612 hkmsvc - ok
17:30:23.0187 3612 hpn - ok
17:30:23.0234 3612 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:30:23.0234 3612 HTTP - ok
17:30:23.0265 3612 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:30:23.0265 3612 HTTPFilter - ok
17:30:23.0281 3612 i2omgmt - ok
17:30:23.0281 3612 i2omp - ok
17:30:23.0312 3612 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:30:23.0312 3612 i8042prt - ok
17:30:23.0421 3612 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:30:23.0437 3612 ialm - ok
17:30:23.0484 3612 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:30:23.0484 3612 Imapi - ok
17:30:23.0500 3612 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
17:30:23.0500 3612 ImapiService - ok
17:30:23.0515 3612 ini910u - ok
17:30:23.0562 3612 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:30:23.0562 3612 IntelIde - ok
17:30:23.0609 3612 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:30:23.0609 3612 intelppm - ok
17:30:23.0625 3612 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
17:30:23.0625 3612 Ip6Fw - ok
17:30:23.0671 3612 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:30:23.0671 3612 IpFilterDriver - ok
17:30:23.0687 3612 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:30:23.0687 3612 IpInIp - ok
17:30:23.0718 3612 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:30:23.0718 3612 IpNat - ok
17:30:23.0828 3612 iPod Service (dcb3796e0169419618c72f0ce34c68ed) C:\Program Files\iPod\bin\iPodService.exe
17:30:23.0828 3612 iPod Service - ok
17:30:23.0875 3612 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:30:23.0875 3612 IPSec - ok
17:30:23.0906 3612 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:30:23.0906 3612 IRENUM - ok
17:30:23.0953 3612 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:30:23.0953 3612 isapnp - ok
17:30:24.0046 3612 JavaQuickStarterService (9ae07549a0d691a103faf8946554bdb7) C:\Program Files\Java\jre6\bin\jqs.exe
17:30:24.0046 3612 JavaQuickStarterService - ok
17:30:24.0093 3612 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:30:24.0093 3612 Kbdclass - ok
17:30:24.0125 3612 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:30:24.0125 3612 kbdhid - ok
17:30:24.0187 3612 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:30:24.0187 3612 kmixer - ok
17:30:24.0218 3612 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:30:24.0218 3612 KSecDD - ok
17:30:24.0265 3612 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
17:30:24.0265 3612 LanmanServer - ok
17:30:24.0312 3612 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
17:30:24.0312 3612 lanmanworkstation - ok
17:30:24.0328 3612 lbrtfdc - ok
17:30:24.0375 3612 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
17:30:24.0375 3612 LmHosts - ok
17:30:24.0406 3612 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
17:30:24.0406 3612 Messenger - ok
17:30:24.0421 3612 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:30:24.0421 3612 mnmdd - ok
17:30:24.0453 3612 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
17:30:24.0453 3612 mnmsrvc - ok
17:30:24.0468 3612 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:30:24.0468 3612 Modem - ok
17:30:24.0515 3612 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:30:24.0515 3612 Mouclass - ok
17:30:24.0531 3612 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:30:24.0531 3612 MountMgr - ok
17:30:24.0546 3612 mraid35x - ok
17:30:24.0562 3612 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:30:24.0562 3612 MRxDAV - ok
17:30:24.0625 3612 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:30:24.0625 3612 MRxSmb - ok
17:30:24.0687 3612 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
17:30:24.0687 3612 MSDTC - ok
17:30:24.0703 3612 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:30:24.0703 3612 Msfs - ok
17:30:24.0703 3612 MSIServer - ok
17:30:24.0750 3612 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:30:24.0750 3612 MSKSSRV - ok
17:30:24.0781 3612 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:30:24.0781 3612 MSPCLOCK - ok
17:30:24.0781 3612 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:30:24.0781 3612 MSPQM - ok
17:30:24.0812 3612 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:30:24.0812 3612 mssmbios - ok
17:30:24.0859 3612 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:30:24.0859 3612 Mup - ok
17:30:24.0890 3612 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
17:30:24.0890 3612 napagent - ok
17:30:24.0937 3612 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:30:24.0937 3612 NDIS - ok
17:30:24.0968 3612 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:30:24.0968 3612 NdisTapi - ok
17:30:25.0000 3612 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:30:25.0000 3612 Ndisuio - ok
17:30:25.0031 3612 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:30:25.0031 3612 NdisWan - ok
17:30:25.0062 3612 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:30:25.0062 3612 NDProxy - ok
17:30:25.0078 3612 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:30:25.0078 3612 NetBIOS - ok
17:30:25.0109 3612 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:30:25.0109 3612 NetBT - ok
17:30:25.0156 3612 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:30:25.0156 3612 NetDDE - ok
17:30:25.0156 3612 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:30:25.0156 3612 NetDDEdsdm - ok
17:30:25.0203 3612 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:25.0203 3612 Netlogon - ok
17:30:25.0234 3612 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
17:30:25.0250 3612 Netman - ok
17:30:25.0328 3612 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
17:30:25.0328 3612 NetTcpPortSharing - ok
17:30:25.0375 3612 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
17:30:25.0375 3612 Nla - ok
17:30:25.0468 3612 NMSAccess (7aea4df1ca68fd45dd4bbe1f0243ce7f) C:\Program Files\CDBurnerXP\NMSAccessU.exe
17:30:25.0468 3612 NMSAccess - ok
17:30:25.0484 3612 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:30:25.0484 3612 Npfs - ok
17:30:25.0531 3612 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:30:25.0546 3612 Ntfs - ok
17:30:25.0546 3612 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:25.0546 3612 NtLmSsp - ok
17:30:25.0593 3612 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
17:30:25.0593 3612 NtmsSvc - ok
17:30:25.0625 3612 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:30:25.0625 3612 Null - ok
17:30:26.0000 3612 nv (83780f3a86d2804912f22f6e37cd2254) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:30:26.0031 3612 nv - ok
17:30:26.0140 3612 NVSvc (42321ac5448078131903b272e6c49024) C:\WINDOWS\system32\nvsvc32.exe
17:30:26.0156 3612 NVSvc - ok
17:30:26.0187 3612 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:30:26.0187 3612 NwlnkFlt - ok
17:30:26.0203 3612 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:30:26.0203 3612 NwlnkFwd - ok
17:30:26.0234 3612 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:30:26.0234 3612 Parport - ok
17:30:26.0281 3612 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:30:26.0281 3612 PartMgr - ok
17:30:26.0328 3612 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:30:26.0328 3612 ParVdm - ok
17:30:26.0359 3612 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:30:26.0359 3612 PCI - ok
17:30:26.0359 3612 PCIDump - ok
17:30:26.0375 3612 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:30:26.0375 3612 PCIIde - ok
17:30:26.0406 3612 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:30:26.0406 3612 Pcmcia - ok
17:30:26.0421 3612 PDCOMP - ok
17:30:26.0437 3612 PDFRAME - ok
17:30:26.0437 3612 PDRELI - ok
17:30:26.0453 3612 PDRFRAME - ok
17:30:26.0468 3612 perc2 - ok
17:30:26.0484 3612 perc2hib - ok
17:30:26.0562 3612 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:30:26.0578 3612 PlugPlay - ok
17:30:26.0609 3612 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:26.0609 3612 PolicyAgent - ok
17:30:26.0640 3612 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:30:26.0640 3612 PptpMiniport - ok
17:30:26.0640 3612 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:26.0656 3612 ProtectedStorage - ok
17:30:26.0656 3612 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:30:26.0656 3612 PSched - ok
17:30:26.0703 3612 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:30:26.0703 3612 Ptilink - ok
17:30:26.0734 3612 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:30:26.0734 3612 PxHelp20 - ok
17:30:26.0750 3612 ql1080 - ok
17:30:26.0750 3612 Ql10wnt - ok
17:30:26.0765 3612 ql12160 - ok
17:30:26.0781 3612 ql1240 - ok
17:30:26.0796 3612 ql1280 - ok
17:30:26.0828 3612 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:30:26.0828 3612 RasAcd - ok
17:30:26.0859 3612 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
17:30:26.0859 3612 RasAuto - ok
17:30:26.0890 3612 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:30:26.0890 3612 Rasl2tp - ok
17:30:26.0921 3612 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
17:30:26.0921 3612 RasMan - ok
17:30:26.0937 3612 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:30:26.0937 3612 RasPppoe - ok
17:30:26.0953 3612 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:30:26.0953 3612 Raspti - ok
17:30:27.0000 3612 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:30:27.0000 3612 Rdbss - ok
17:30:27.0015 3612 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:30:27.0015 3612 RDPCDD - ok
17:30:27.0062 3612 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:30:27.0062 3612 rdpdr - ok
17:30:27.0109 3612 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
17:30:27.0109 3612 RDPWD - ok
17:30:27.0140 3612 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
17:30:27.0156 3612 RDSessMgr - ok
17:30:27.0187 3612 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:30:27.0187 3612 redbook - ok
17:30:27.0234 3612 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
17:30:27.0234 3612 RemoteAccess - ok
17:30:27.0265 3612 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
17:30:27.0265 3612 RemoteRegistry - ok
17:30:27.0312 3612 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
17:30:27.0312 3612 RpcLocator - ok
17:30:27.0359 3612 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
17:30:27.0359 3612 RpcSs - ok
17:30:27.0421 3612 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
17:30:27.0421 3612 RSVP - ok
17:30:27.0453 3612 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:30:27.0453 3612 SamSs - ok
17:30:27.0484 3612 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
17:30:27.0484 3612 SCardSvr - ok
17:30:27.0531 3612 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
17:30:27.0531 3612 Schedule - ok
17:30:27.0562 3612 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:30:27.0562 3612 Secdrv - ok
17:30:27.0593 3612 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
17:30:27.0593 3612 seclogon - ok
17:30:27.0671 3612 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
17:30:27.0687 3612 senfilt - ok
17:30:27.0687 3612 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
17:30:27.0703 3612 SENS - ok
17:30:27.0734 3612 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:30:27.0734 3612 serenum - ok
17:30:27.0765 3612 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:30:27.0765 3612 Serial - ok
17:30:27.0796 3612 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:30:27.0796 3612 Sfloppy - ok
17:30:27.0843 3612 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
17:30:27.0859 3612 SharedAccess - ok
17:30:27.0906 3612 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:30:27.0921 3612 ShellHWDetection - ok
17:30:27.0921 3612 Simbad - ok
17:30:27.0984 3612 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
17:30:27.0984 3612 smwdm - ok
17:30:27.0984 3612 Sparrow - ok
17:30:28.0000 3612 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:30:28.0000 3612 splitter - ok
17:30:28.0062 3612 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
17:30:28.0062 3612 Spooler - ok
17:30:28.0109 3612 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:30:28.0109 3612 sr - ok
17:30:28.0125 3612 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
17:30:28.0140 3612 srservice - ok
17:30:28.0171 3612 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:30:28.0171 3612 Srv - ok
17:30:28.0218 3612 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
17:30:28.0218 3612 SSDPSRV - ok
17:30:28.0234 3612 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys
17:30:28.0250 3612 StarOpen - ok
17:30:28.0281 3612 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
17:30:28.0281 3612 stisvc - ok
17:30:28.0328 3612 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:30:28.0328 3612 swenum - ok
17:30:28.0375 3612 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:30:28.0375 3612 swmidi - ok
17:30:28.0375 3612 SwPrv - ok
17:30:28.0390 3612 symc810 - ok
17:30:28.0406 3612 symc8xx - ok
17:30:28.0421 3612 sym_hi - ok
17:30:28.0437 3612 sym_u3 - ok
17:30:28.0500 3612 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:30:28.0500 3612 sysaudio - ok
17:30:28.0531 3612 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
17:30:28.0546 3612 SysmonLog - ok
17:30:28.0578 3612 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
17:30:28.0578 3612 TapiSrv - ok
17:30:28.0640 3612 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:30:28.0640 3612 Tcpip - ok
17:30:28.0687 3612 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:30:28.0687 3612 TDPIPE - ok
17:30:28.0703 3612 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:30:28.0703 3612 TDTCP - ok
17:30:28.0734 3612 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:30:28.0734 3612 TermDD - ok
17:30:28.0765 3612 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
17:30:28.0765 3612 TermService - ok
17:30:28.0812 3612 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:30:28.0812 3612 Themes - ok
17:30:28.0843 3612 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
17:30:28.0843 3612 TlntSvr - ok
17:30:28.0859 3612 TosIde - ok
17:30:28.0890 3612 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
17:30:28.0890 3612 TrkWks - ok
17:30:28.0921 3612 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:30:28.0921 3612 Udfs - ok
17:30:28.0937 3612 ultra - ok
17:30:28.0953 3612 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
17:30:28.0953 3612 UMWdf - ok
17:30:29.0000 3612 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:30:29.0015 3612 Update - ok
17:30:29.0046 3612 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
17:30:29.0062 3612 upnphost - ok
17:30:29.0078 3612 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
17:30:29.0078 3612 UPS - ok
17:30:29.0109 3612 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:30:29.0109 3612 usbccgp - ok
17:30:29.0140 3612 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:30:29.0140 3612 usbehci - ok
17:30:29.0156 3612 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:30:29.0156 3612 usbhub - ok
17:30:29.0203 3612 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:30:29.0203 3612 USBSTOR - ok
17:30:29.0250 3612 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:30:29.0250 3612 usbuhci - ok
17:30:29.0296 3612 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:30:29.0296 3612 VgaSave - ok
17:30:29.0296 3612 ViaIde - ok
17:30:29.0343 3612 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:30:29.0343 3612 VolSnap - ok
17:30:29.0390 3612 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
17:30:29.0406 3612 VSS - ok
17:30:29.0437 3612 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
17:30:29.0437 3612 W32Time - ok
17:30:29.0453 3612 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:30:29.0453 3612 Wanarp - ok
17:30:29.0500 3612 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
17:30:29.0500 3612 wanatw - ok
17:30:29.0546 3612 WANMiniportService (eb9a99ab5d17b1727034ff191e6448d7) C:\WINDOWS\wanmpsvc.exe
17:30:29.0546 3612 WANMiniportService - ok
17:30:29.0562 3612 WDICA - ok
17:30:29.0593 3612 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:30:29.0593 3612 wdmaud - ok
17:30:29.0609 3612 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
17:30:29.0625 3612 WebClient - ok
17:30:29.0687 3612 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
17:30:29.0687 3612 winmgmt - ok
17:30:29.0734 3612 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\MsPMSNSv.dll
17:30:29.0734 3612 WmdmPmSN - ok
17:30:29.0812 3612 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
17:30:29.0812 3612 Wmi - ok
17:30:29.0859 3612 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
17:30:29.0859 3612 WmiApSrv - ok
17:30:30.0000 3612 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
17:30:30.0015 3612 WPFFontCache_v0400 - ok
17:30:30.0046 3612 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:30:30.0062 3612 WS2IFSL - ok
17:30:30.0093 3612 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
17:30:30.0109 3612 wscsvc - ok
17:30:30.0156 3612 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
17:30:30.0156 3612 wuauserv - ok
17:30:30.0203 3612 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
17:30:30.0203 3612 WZCSVC - ok
17:30:30.0234 3612 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
17:30:30.0234 3612 xmlprov - ok
17:30:30.0265 3612 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:30:30.0421 3612 \Device\Harddisk0\DR0 - ok
17:30:30.0468 3612 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR6
17:30:30.0484 3612 \Device\Harddisk1\DR6 - ok
17:30:30.0484 3612 Boot (0x1200) (706b03ec303601069eda504887df776e) \Device\Harddisk0\DR0\Partition0
17:30:30.0484 3612 \Device\Harddisk0\DR0\Partition0 - ok
17:30:30.0515 3612 Boot (0x1200) (f196a5f16d4c6a88abcf2bee6afbebd6) \Device\Harddisk1\DR6\Partition0
17:30:30.0515 3612 \Device\Harddisk1\DR6\Partition0 - ok
17:30:30.0515 3612 ============================================================
17:30:30.0515 3612 Scan finished
17:30:30.0515 3612 ============================================================
17:30:30.0531 2856 Detected object count: 0
17:30:30.0531 2856 Actual detected object count: 0
17:30:42.0703 2916 Deinitialize success



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-04 17:33:15
-----------------------------
17:33:15.578 OS Version: Windows 5.1.2600 Service Pack 3
17:33:15.578 Number of processors: 1 586 0x401
17:33:15.578 ComputerName: DC-1 UserName:
17:33:16.000 Initialize success
17:39:56.718 AVAST engine defs: 12050401
17:40:42.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:40:42.453 Disk 0 Vendor: WDC_WD800AAJB-00J3A0 01.03E01 Size: 76319MB BusType: 3
17:40:42.468 Disk 0 MBR read successfully
17:40:42.468 Disk 0 MBR scan
17:40:42.515 Disk 0 Windows XP default MBR code
17:40:42.515 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
17:40:42.531 Disk 0 scanning sectors +156280320
17:40:42.609 Disk 0 scanning C:\WINDOWS\system32\drivers
17:40:55.765 Service scanning
17:41:10.921 Modules scanning
17:41:14.140 Disk 0 trace - called modules:
17:41:14.156 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:41:14.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb6ab8]
17:41:14.656 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89b9db00]
17:41:15.015 AVAST engine scan C:\WINDOWS
17:41:23.109 AVAST engine scan C:\WINDOWS\system32
17:43:42.656 AVAST engine scan C:\WINDOWS\system32\drivers
17:43:54.296 AVAST engine scan C:\Documents and Settings\Administrator
18:37:20.531 AVAST engine scan C:\Documents and Settings\All Users
18:38:34.671 Scan finished successfully
18:41:12.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:41:12.718 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

How are we doing at this point?

Edited by Clickeroo, 04 May 2012 - 05:53 PM.
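The TDSSKiller and aswMBR logs above each hash the MBR of the disks and list the partition table ("Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63"), and aswMBR saved a copy of the sector to MBR.dat. As an added example, not code from this thread or from either tool's authors, the Python script below parses such a 512-byte MBR image: it checks the 0x55AA trailer, reads the disk signature, decodes the four partition entries, and hashes the boot-code region so it can be compared against a baseline taken when the disk was known clean. The sample sector it builds is constructed (its boot code is a stub, not the real Windows XP MBR code), the disk signature value is made up, and the reading of TDSSKiller's "(0x1B8)" as the hashed boot-code length is an assumption.

```python
import hashlib
import struct

# Layout constants for a classic (non-GPT) MBR sector.
MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8      # 440 bytes of boot code; assumption: the "(0x1B8)" length in the TDSSKiller lines
DISK_SIG_OFF = 0x1B8       # 4-byte Windows disk signature follows the boot code
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"     # mandatory trailer at offset 510

# Partition type ids a triage script commonly needs to name.
PARTITION_TYPES = {
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def is_valid_mbr(mbr: bytes) -> bool:
    """True if the buffer is one sector long and carries the 0x55AA trailer."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into boot-code hash, disk signature and partition entries."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    boot_code = mbr[:BOOT_CODE_LEN]
    (disk_sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFF)
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFF + index * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * 512 // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, baseline_md5: str) -> bool:
    """Compare the boot-code hash against a baseline recorded when the disk was known clean."""
    return parse_mbr(mbr)["boot_code_md5"] == baseline_md5.lower()


def build_sample_mbr() -> bytes:
    """Constructed sample laid out like the single-NTFS-partition disk in the log.

    The boot code is a placeholder stub, not the real Windows XP MBR code, so its
    hash is only meaningful relative to itself.
    """
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD)  # constructed disk signature
    reserved = b"\x00\x00"
    # Entry 1: active (0x80), type 0x07 NTFS, starts at LBA 63, 156280257 sectors (~76308 MB)
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156280257)
    empty = b"\x00" * PART_ENTRY_LEN
    return boot_code + disk_sig + reserved + entry1 + empty * 3 + BOOT_SIG


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (falls back to the constructed sample)
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot code md5 :", info["boot_code_md5"])
    print("disk signature: 0x%08X" % info["disk_signature"])
    for p in info["partitions"]:
        print("partition %d: %s%s start=%d size=%d MB" % (
            p["index"], "*" if p["bootable"] else " ", p["type_name"], p["lba_start"], p["size_mb"]))
```

Run it against the saved MBR.dat and keep the printed boot-code hash with the rest of the logs; a later run that reports a different hash for the same disk, or a partition table that no longer matches what the scanners printed, is the kind of change a bootkit leaves behind and is worth raising with the helper before assuming the system is clean.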


#13 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:28 PM

Posted 04 May 2012 - 08:34 PM

Greetings


So far things have looked perfect.


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Clickeroo

Clickeroo
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Local time:08:28 PM

Posted 04 May 2012 - 09:08 PM

When ComboFix started, it detected that ESET AV was running, so I disabled it temporarily. It then could continue and still said infected with ZeroAccess. Ideas? Then after that it continued, rebooted and then did its scan.

UPDATE: There were no illegal operation errors when I dragged the file over to ComboFix. It only notified me that ESET was running, so I temporarily disabled it.

I hope this was OK. If not, how can I disable ESET AV v5 and re-enable it later? It keeps re-enabling on reboot.


OK, the log is as follows.

ComboFix 12-05-04.03 - Administrator 05/04/2012 21:51:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1705 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2012-04-30 10:13 . 2012-04-30 10:13 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-30 05:25 . 2012-04-30 05:25 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-30 05:20 . 2012-04-30 05:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-04-26 21:20 . 2012-04-26 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\FabFilter
2012-04-26 21:13 . 2012-04-30 05:25 -------- d-----w- c:\program files\FabFilter(2)
2012-04-26 02:27 . 2012-04-26 02:27 -------- d-----w- c:\program files\Common Files\Digidesign
2012-04-26 02:25 . 2012-04-26 02:25 -------- d-----w- c:\program files\Flux
2012-04-17 04:21 . 2012-04-17 04:21 -------- d-----w- c:\program files\Metapad 3.6
2012-04-17 03:02 . 2012-04-17 03:02 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-04-15 02:18 . 2012-04-15 02:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-04-15 02:18 . 2012-04-15 02:18 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-09 19:33 . 2012-04-09 19:34 -------- d-----w- c:\program files\Speccy
2012-04-09 04:15 . 2012-04-09 04:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2012-04-09 02:23 . 2012-04-09 02:23 -------- d-----w- c:\program files\Gadwin Systems
2012-04-08 02:06 . 2012-04-08 02:06 -------- d-----w- c:\program files\Defraggler
2012-04-08 01:45 . 2012-04-08 01:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Alien Skin
2012-04-06 23:00 . 2012-04-06 23:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2012-04-06 20:31 . 2012-04-15 02:18 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-30 10:14 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 02:18 . 2012-03-27 20:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2012-03-28 04:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 00:17 . 2012-03-30 00:18 640957 ----a-w- c:\windows\unins000.exe
2012-03-29 16:29 . 2012-03-29 16:29 105168 ----a-w- c:\windows\MozillaUninstall.exe
2012-03-29 16:29 . 2012-03-29 16:29 105168 ----a-w- c:\windows\GREUninstall.exe
2012-03-28 04:03 . 2012-03-28 04:03 10920 ----a-w- C:\aolconnfix.exe
2012-03-28 04:01 . 2012-03-28 04:01 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2012-03-28 04:01 . 2012-03-28 04:01 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2012-03-27 18:50 . 2012-03-27 18:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-27 18:50 . 2012-03-27 18:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-04_18.57.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-05 01:50 . 2012-05-05 01:50 16384 c:\windows\Temp\Perflib_Perfdata_dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2012-3-28 36954]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-08-07 04:03 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2012-03-28 04:01 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 10:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 10:20 AM 103112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/22/2011 1:03 PM 974944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/6/2012 4:31 PM 253088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xpmoahz5.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Office Black: Office2007Black@JBBS - %profile%\extensions\Office2007Black@JBBS
FF - Ext: Vfox3-Basic: {b3f91530-1905-11de-8c30-0800200c9a66} - %profile%\extensions\{b3f91530-1905-11de-8c30-0800200c9a66}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-04 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-448539723-1060284298-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,85,f2,5d,a1,11,98,41,bb,4d,ad,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,85,f2,5d,a1,11,98,41,bb,4d,ad,\
.
Completion time: 2012-05-04 21:58:34
ComboFix-quarantined-files.txt 2012-05-05 01:58
ComboFix2.txt 2012-05-04 18:58
.
Pre-Run: 59,921,989,632 bytes free
Post-Run: 60,035,522,560 bytes free
.
- - End Of File - - E6C9D13383A0F5A28252C39FD8257377

Edited by Clickeroo, 04 May 2012 - 09:12 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:28 PM

Posted 04 May 2012 - 09:27 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo



