Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect - can't run dds or gmer


  • This topic is locked This topic is locked
27 replies to this topic

#1 Freewaydawg

Freewaydawg

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 10 May 2012 - 05:49 PM

Hey guys
my google searches keep redirecting. Seems to take a long time to do a search but everything else is fast.
I ran tdss killer and it found a rootkit but cannot remove or quarantine it.
tried running rkill but would not stop the process. malware bytes finds nothing
tried running a dds scan but it hangs up and does not complete.
ran defogger and after it finished it did not ask me to reboot.
gmer shows an error message that says - LoadDriver( "C\DOCUME~1\StanLOCALS~1\Temp\pxtdypob.sys") errorOxCOOOO1OE: Cannot create stable subkeyunder a volatible parent key.
and gmer will not let me check all the boxes you want checked all it will let me check is services registry and files. I will post what it came up with.
I even tried combofix and it never goes into it's different checks.
hope you can help I will post all the logs i have

thanks Stan
----------------------------------
Defogger

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 15:49 on 10/05/2012 (Stan)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

---------------------------------------

dds would not complete

----------------------------------------

Gmer log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-10 18:22:37
Windows 5.1.2600 Service Pack 3
Running: wobqp3xb.exe; Driver: C:\DOCUME~1\Stan\LOCALS~1\Temp\pxtdypog.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}@napdbkjfgbodgkeeamgiffghllgf 0x69 0x61 0x6B 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}@mafekjdjpmnachfnfcodicakdb 0x69 0x61 0x6B 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}@oaddiifbmejghgekhnbcopihlchnik 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}@naddiifbmejghgekhnafmoeigcjl 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}@oaddiifbmejghgekhncfjhjplcabgn 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

----------------------------------------------------------------

TDSS Killer

2012/05/10 17:53:16.0109 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2012/05/10 17:53:16.0109 ================================================================================
2012/05/10 17:53:16.0109 SystemInfo:
2012/05/10 17:53:16.0109
2012/05/10 17:53:16.0109 OS Version: 5.1.2600 ServicePack: 3.0
2012/05/10 17:53:16.0109 Product type: Workstation
2012/05/10 17:53:16.0109 ComputerName: STAN1
2012/05/10 17:53:16.0109 UserName: Stan
2012/05/10 17:53:16.0109 Windows directory: C:\WINDOWS
2012/05/10 17:53:16.0109 System windows directory: C:\WINDOWS
2012/05/10 17:53:16.0109 Processor architecture: Intel x86
2012/05/10 17:53:16.0109 Number of processors: 2
2012/05/10 17:53:16.0109 Page size: 0x1000
2012/05/10 17:53:16.0109 Boot type: Normal boot
2012/05/10 17:53:16.0109 ================================================================================
2012/05/10 17:53:16.0234 Initialize success
2012/05/10 17:53:18.0703 ================================================================================
2012/05/10 17:53:18.0703 Scan started
2012/05/10 17:53:18.0703 Mode: Manual;
2012/05/10 17:53:18.0703 ================================================================================
2012/05/10 17:53:19.0578 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2012/05/10 17:53:19.0625 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2012/05/10 17:53:19.0687 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2012/05/10 17:53:19.0734 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
2012/05/10 17:53:19.0859 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2012/05/10 17:53:19.0953 ASPI32 (31ed89badd47130ad57cce8c8dfb5b27) C:\WINDOWS\system32\drivers\ASPI32.sys
2012/05/10 17:53:19.0984 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2012/05/10 17:53:20.0015 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2012/05/10 17:53:20.0031 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2012/05/10 17:53:20.0062 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2012/05/10 17:53:20.0093 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2012/05/10 17:53:20.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2012/05/10 17:53:20.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2012/05/10 17:53:20.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2012/05/10 17:53:20.0234 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2012/05/10 17:53:20.0328 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2012/05/10 17:53:20.0375 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2012/05/10 17:53:20.0421 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2012/05/10 17:53:20.0437 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2012/05/10 17:53:20.0468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2012/05/10 17:53:20.0484 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2012/05/10 17:53:20.0546 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2012/05/10 17:53:20.0578 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2012/05/10 17:53:20.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2012/05/10 17:53:20.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2012/05/10 17:53:20.0687 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2012/05/10 17:53:20.0750 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2012/05/10 17:53:20.0781 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2012/05/10 17:53:20.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2012/05/10 17:53:20.0843 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2012/05/10 17:53:20.0859 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2012/05/10 17:53:20.0890 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2012/05/10 17:53:20.0937 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2012/05/10 17:53:21.0078 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2012/05/10 17:53:21.0109 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2012/05/10 17:53:21.0218 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\WINDOWS\system32\drivers\InCDFs.sys
2012/05/10 17:53:21.0390 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\WINDOWS\system32\drivers\InCDPass.sys
2012/05/10 17:53:21.0453 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\WINDOWS\system32\drivers\InCDrec.sys
2012/05/10 17:53:21.0468 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\WINDOWS\system32\drivers\InCDRm.sys
2012/05/10 17:53:21.0593 IntcAzAudAddService (3a3a539d7db808fad3b55740474a6d02) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2012/05/10 17:53:21.0640 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2012/05/10 17:53:21.0671 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2012/05/10 17:53:21.0734 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2012/05/10 17:53:21.0765 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2012/05/10 17:53:21.0796 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2012/05/10 17:53:21.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2012/05/10 17:53:21.0843 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2012/05/10 17:53:21.0859 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2012/05/10 17:53:21.0875 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2012/05/10 17:53:21.0921 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2012/05/10 17:53:21.0937 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2012/05/10 17:53:21.0968 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2012/05/10 17:53:22.0015 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
2012/05/10 17:53:22.0062 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2012/05/10 17:53:22.0109 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2012/05/10 17:53:22.0187 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2012/05/10 17:53:22.0234 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2012/05/10 17:53:22.0250 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2012/05/10 17:53:22.0281 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2012/05/10 17:53:22.0328 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2012/05/10 17:53:22.0359 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2012/05/10 17:53:22.0375 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2012/05/10 17:53:22.0421 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2012/05/10 17:53:22.0437 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2012/05/10 17:53:22.0437 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2012/05/10 17:53:22.0484 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2012/05/10 17:53:22.0500 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2012/05/10 17:53:22.0609 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\naveng.sys
2012/05/10 17:53:22.0640 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\navex15.sys
2012/05/10 17:53:22.0703 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2012/05/10 17:53:22.0750 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2012/05/10 17:53:22.0765 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2012/05/10 17:53:22.0781 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2012/05/10 17:53:22.0812 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2012/05/10 17:53:22.0859 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2012/05/10 17:53:22.0875 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2012/05/10 17:53:22.0921 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2012/05/10 17:53:22.0953 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2012/05/10 17:53:22.0984 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2012/05/10 17:53:23.0031 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2012/05/10 17:53:23.0031 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2012/05/10 17:53:23.0093 ONSIO (2e76a0c21fe51b239529e7752db897a9) C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
2012/05/10 17:53:23.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2012/05/10 17:53:23.0156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2012/05/10 17:53:23.0203 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2012/05/10 17:53:23.0203 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2012/05/10 17:53:23.0250 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2012/05/10 17:53:23.0281 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2012/05/10 17:53:23.0375 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2012/05/10 17:53:23.0375 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2012/05/10 17:53:23.0406 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2012/05/10 17:53:23.0484 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2012/05/10 17:53:23.0500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2012/05/10 17:53:23.0500 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2012/05/10 17:53:23.0515 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2012/05/10 17:53:23.0531 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2012/05/10 17:53:23.0546 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2012/05/10 17:53:23.0546 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2012/05/10 17:53:23.0593 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
2012/05/10 17:53:23.0625 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2012/05/10 17:53:23.0671 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2012/05/10 17:53:23.0718 RTLE8023xp (e47c52f0380f0950e2bc9f1bcdc0de9b) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2012/05/10 17:53:23.0828 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2012/05/10 17:53:23.0828 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2012/05/10 17:53:23.0890 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
2012/05/10 17:53:23.0890 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2012/05/10 17:53:23.0953 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2012/05/10 17:53:24.0015 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2012/05/10 17:53:24.0015 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2012/05/10 17:53:24.0046 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2012/05/10 17:53:24.0093 SMPLSCSI (f6545ded3308642899a72c8a1789b029) C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
2012/05/10 17:53:24.0156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2012/05/10 17:53:24.0171 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2012/05/10 17:53:24.0203 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2012/05/10 17:53:24.0250 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2012/05/10 17:53:24.0265 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2012/05/10 17:53:24.0421 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
2012/05/10 17:53:24.0453 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2012/05/10 17:53:24.0468 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2012/05/10 17:53:24.0515 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2012/05/10 17:53:24.0562 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2012/05/10 17:53:24.0625 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2012/05/10 17:53:24.0656 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2012/05/10 17:53:24.0687 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2012/05/10 17:53:24.0718 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2012/05/10 17:53:24.0781 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2012/05/10 17:53:24.0828 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2012/05/10 17:53:24.0843 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2012/05/10 17:53:24.0890 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2012/05/10 17:53:24.0937 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2012/05/10 17:53:24.0968 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2012/05/10 17:53:24.0984 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2012/05/10 17:53:25.0031 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2012/05/10 17:53:25.0078 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2012/05/10 17:53:25.0093 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2012/05/10 17:53:25.0156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2012/05/10 17:53:25.0203 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2012/05/10 17:53:25.0406 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2012/05/10 17:53:25.0406 ================================================================================
2012/05/10 17:53:25.0406 Scan finished
2012/05/10 17:53:25.0406 ================================================================================
2012/05/10 17:53:25.0421 Detected object count: 1
2012/05/10 17:53:48.0625 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Skip
2012/05/10 17:53:58.0203 Deinitialize success


----------------------------------------------------------------------------------------

Hijack This log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:24:01 PM, on 5/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.1\AGCoreService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:00
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255483012277
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.1\AGCoreService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7494 bytes


-------------------------------------------------------------------------

I don't know what else to post - I sure hope you can help - Thanks again Stan

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 12:34 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

The next thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.




Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following

  • .logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 11:19 AM

Thanks so much for your fast reply - No problems so far

Here are the logs you asked for

Unhide log -

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 05/11/2012 11:36:59 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive
Finished processing the C:\ drive. 156426 files processed.

Restoring the Start Menu.
* 11 Shortcuts and Desktop items were restored.


Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 05/11/2012 11:37:44 AM
Execution time: 0 hours(s), 0 minute(s), and 44 seconds(s)


--------------------------------------------------------------------------------------------------------

Security Check log -

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Symantec AntiVirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.4
SUPERAntiSpyware
CCleaner
Java™ 6 Update 23
Java version out of date!
Adobe Flash Player 11.2.202.233
Adobe Reader X (10.1.1)
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````


-------------------------------------------------------------------------

OTL Logs -

OTL

OTL logfile created on: 5/11/2012 12:03:30 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Stan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 67.62% Memory free
5.83 Gb Paging File | 5.07 Gb Available in Paging File | 86.99% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 89.76 Gb Free Space | 60.23% Space Free | Partition Type: NTFS

Computer Name: STAN1 | User Name: Stan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Stan\desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\AGI\core\3.1\AGCoreService.exe (AG Interactive)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
PRC - C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8dc4a28c456f81ee7399da21bd9d55aa\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\bf7d6af03e1230ccad546a8659245ae9\System.Configuration.Install.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\29bce0113d611084a9329349e33528ac\System.EnterpriseServices.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL ()
MOD - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()


========== Win32 Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AGCoreService) -- C:\Program Files\AGI\core\3.1\AGCoreService.exe (AG Interactive)
SRV - (InCDsrv) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccPwdSvc) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (GMSIPCI) -- D:\INSTALL\GMSIPCI.SYS File not found
DRV - (Changer) -- File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110502.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110502.002\NAVENG.SYS (Symantec Corporation)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Revoflt) -- C:\WINDOWS\system32\drivers\revoflt.sys (VS Revo Group)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDRm.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDPass.sys (Nero AG)
DRV - (InCDrec) -- C:\WINDOWS\System32\drivers\InCDrec.sys (Nero AG)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Nero AG)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\symtdi.sys (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\system32\drivers\symredrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (ONSIO) -- C:\WINDOWS\system32\drivers\ONSIO.SYS ()
DRV - (SMPLSCSI) -- C:\WINDOWS\system32\drivers\SMPLSCSI.SYS (OnSpec Electronic, Inc.)
DRV - (ASPI32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:00

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.449: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}: C:\Documents and Settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}\ [2011/09/03 17:35:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/21 16:56:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/21 16:56:21 | 000,000,000 | ---D | M]

[2011/02/05 17:24:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Extensions
[2010/03/05 14:49:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/04/21 16:54:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions
[2011/02/05 17:28:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/13 14:57:49 | 000,000,000 | ---D | M] ("S3 Firefox Organizer(S3Fox)") -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions\{7CEA821D-3DAB-4238-B424-BF7324531750}
[2011/09/06 22:44:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/07 16:32:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/08/31 09:33:07 | 000,000,000 | ---D | M] (Capture Fox) -- C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\extensions\capturefoxmovie@advancity.net
[2012/04/21 17:10:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/21 16:56:17 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/04/21 16:56:13 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/21 16:56:13 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/02/03 20:32:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255483012277 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://ax.emsisoft.com/asquared.cab (a-squared Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6A926BE-6FDF-4B6D-B6D5-4A1BA0719859}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Stan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Stan\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/13 19:13:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/11 11:58:21 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stan\Desktop\OTL.exe
[2012/05/11 11:41:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/05/11 11:28:17 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Stan\Desktop\unhide.exe
[2012/05/11 11:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stan\Desktop\Bleeping
[2012/05/10 15:45:11 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Stan\Desktop\dds.scr
[2012/05/09 09:28:39 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/05/05 19:02:40 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/05/05 17:38:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/04/28 16:05:53 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/28 16:05:53 | 000,070,304 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/13 22:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stan\Desktop\MySites

========== Files - Modified Within 30 Days ==========

[2012/05/11 11:58:12 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stan\Desktop\OTL.exe
[2012/05/11 11:45:21 | 000,879,714 | ---- | M] () -- C:\Documents and Settings\Stan\Desktop\SecurityCheck.exe
[2012/05/11 11:40:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/11 11:40:08 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2012/05/11 11:39:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/11 11:33:16 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/11 11:28:09 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Stan\Desktop\unhide.exe
[2012/05/11 11:24:47 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Stan\Desktop\Word.lnk
[2012/05/10 17:49:36 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Stan\Desktop\iexplore.exe
[2012/05/10 17:47:20 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Stan\Desktop\wobqp3xb.exe
[2012/05/10 15:49:53 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Stan\defogger_reenable
[2012/05/10 15:45:07 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Stan\Desktop\dds.scr
[2012/05/10 15:44:27 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Stan\Desktop\Defogger.exe
[2012/05/09 09:29:35 | 000,494,004 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/09 09:29:35 | 000,084,548 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/09 09:24:48 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/05/05 19:05:34 | 000,368,096 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/05 19:04:29 | 000,000,356 | ---- | M] () -- C:\Start_.cmd
[2012/05/01 15:24:39 | 000,000,026 | ---- | M] () -- C:\register.js
[2012/04/28 16:05:53 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/28 16:05:53 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/05/11 11:45:29 | 000,879,714 | ---- | C] () -- C:\Documents and Settings\Stan\Desktop\SecurityCheck.exe
[2012/05/10 17:50:15 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Stan\Desktop\iexplore.exe
[2012/05/10 17:47:23 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Stan\Desktop\wobqp3xb.exe
[2012/05/10 15:49:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Stan\defogger_reenable
[2012/05/10 15:44:32 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Stan\Desktop\Defogger.exe
[2012/05/05 19:04:29 | 000,000,356 | ---- | C] () -- C:\Start_.cmd
[2012/04/28 16:05:55 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/21 17:14:20 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/04/17 16:39:09 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Paint.NET.lnk
[2012/02/15 18:01:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 10:54:52 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2012/02/12 23:30:31 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro36.sys
[2011/12/24 13:56:10 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/12/16 17:37:23 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/15 17:06:54 | 000,201,784 | ---- | C] () -- C:\WINDOWS\XHeader Uninstaller.exe
[2011/09/30 14:48:13 | 000,000,059 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2011/09/30 14:48:13 | 000,000,020 | ---- | C] () -- C:\WINDOWS\akebook.ini
[2011/09/30 14:48:13 | 000,000,004 | ---- | C] () -- C:\WINDOWS\a3kebook.ini
[2011/09/29 19:50:02 | 000,000,118 | ---- | C] () -- C:\WINDOWS\mbutton.ini
[2011/08/11 17:48:30 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/25 13:27:57 | 000,000,135 | ---- | C] () -- C:\WINDOWS\Mp3CutterJoiner.ini
[2011/04/25 13:26:57 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\SySMP3CutJoin.dat
[2011/02/26 17:12:22 | 000,001,181 | ---- | C] () -- C:\Documents and Settings\Stan\Application Data\vso_ts_preview.xml
[2011/01/27 01:58:19 | 000,114,176 | RHS- | C] () -- C:\WINDOWS\System32\msadds32X.dll
[2011/01/12 22:47:28 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Audiocut.ini
[2011/01/07 14:13:50 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\SySCut.dat
[2011/01/07 14:13:03 | 000,003,082 | ---- | C] () -- C:\WINDOWS\System32\affv11300p2now.sys
[2010/12/24 22:31:33 | 000,153,600 | ---- | C] () -- C:\WINDOWS\System32\WS_ContextMenu.dll
[2010/12/22 23:10:20 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/09/06 14:36:13 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll

========== Custom Scans ==========

< %TEMP%\smtmp\*.* /s >
[2009/10/13 19:53:15 | 000,000,272 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\desktop.ini
[2009/10/13 19:12:24 | 000,000,150 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\desktop.ini
[2009/10/13 19:11:04 | 000,000,188 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Accessories\desktop.ini
[2009/10/13 19:11:05 | 000,000,090 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Accessibility\desktop.ini
[2009/10/13 19:54:41 | 000,000,516 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Communications\desktop.ini
[2009/10/13 19:11:05 | 000,000,146 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Accessories\Entertainment\desktop.ini
[2009/10/13 19:13:22 | 000,000,757 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Accessories\System Tools\desktop.ini
[2009/10/13 19:13:22 | 000,000,545 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Administrative Tools\desktop.ini
[2009/10/13 19:11:05 | 000,000,798 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Games\desktop.ini
[2009/10/13 19:13:22 | 000,000,084 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\1\Programs\Startup\desktop.ini
[2011/09/19 11:22:22 | 000,000,119 | -HS- | M] () -- C:\DOCUME~1\Stan\LOCALS~1\Temp\smtmp\2\desktop.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9

< End of report >

----------------------------------------

Extras

OTL Extras logfile created on: 5/11/2012 12:03:30 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Stan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 67.62% Memory free
5.83 Gb Paging File | 5.07 Gb Available in Paging File | 86.99% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 89.76 Gb Free Space | 60.23% Space Free | Partition Type: NTFS

Computer Name: STAN1 | User Name: Stan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Acoustica Mixcraft 4\Mixcraft4.exe" = C:\Program Files\Acoustica Mixcraft 4\Mixcraft4.exe:*:Disabled:Mixcraft 4 -- (Acoustica, Inc)
"C:\Program Files\Acoustica Mixcraft 5\mixcraft5.exe" = C:\Program Files\Acoustica Mixcraft 5\mixcraft5.exe:*:Disabled:Mixcraft 5 -- (Acoustica, Inc)
"D:\Installation\Setupx.exe" = D:\Installation\Setupx.exe:*:Enabled:Nero ProductSetup


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2600_series" = Canon iP2600 series
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 23
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FB69149-60CC-4F48-B63B-716F482E0142}" = Easy Web Builder
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5C0856B6-6260-4952-8FF5-C79C3FD3AA44}" = e-Sword
"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.5.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76169163-891E-4BC5-88AF-7FA4B8CAC235}" = FLV Producer Lite
"{848AC794-8B81-440A-81AE-6474337DB527}" = Symantec AntiVirus
"{8E72B982-D54F-486F-B35A-C24B6F171033}" = Nero 7 Essentials
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99F0545E-D93D-481D-8088-7F50FD76DE55}" = Scrapbooks Plus Workshop
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}" = Citrix Presentation Server Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}" = Camtasia Studio 7
"{c83b53b8-8da0-32ba-8ccc-6573e8a75a82}" = Webshots Desktop
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CA9C1956-4E64-4FF3-966F-CD242E9F7EE3}" = SpinChimp Basic
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D8262480-2A04-407C-B2F7-1439B789C349}" = Print Artist Gold 21
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.10.348
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FD9C31B6-F572-414D-81E3-89368C97A125}_is1" = CamStudio OSS Desktop Recorder
"Acoustica Effects Pack" = Acoustica Effects Pack
"Acoustica Mixcraft 4.5" = Acoustica Mixcraft 4.5
"Acoustica Mixcraft 5" = Acoustica Mixcraft 5
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Any Video Converter_is1" = Any Video Converter 3.1.7
"Audacity_is1" = Audacity 1.2.6
"BitTorrent" = BitTorrent
"Canon iP2600 series User Registration" = Canon iP2600 series User Registration
"CANONIJPLM100" = PIXMA Extended Survey Program
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"Cool Page 2.7" = Cool Page 2.7
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 8_is1" = DVDFab 8.0.7.6 Beta (25/02/2011)
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"Free Video Converter_is1" = Free Video Converter V 2.9
"Glary Utilities_is1" = Glary Utilities 2.31.0.1098
"HDMI" = Intel® Graphics Media Accelerator Driver
"InfraRecorder" = InfraRecorder
"IrfanView" = IrfanView (remove only)
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microtek ScanWizard V2.46" = Microtek ScanWizard V2.46
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"MP3 Cutter Joiner_is1" = MP3 Cutter Joiner 3.00
"PhotoScape" = PhotoScape
"Picasa 3" = Picasa 3
"Power MP3 Cutter Joiner_is1" = Power MP3 Cutter Joiner 1.12
"RealPlayer 12.0" = RealPlayer
"SoapRETE" = Kai's Photo Soap
"SpywareBlaster_is1" = SpywareBlaster 4.4
"SUPER " = SUPER Version 2010.bld.42 (Nov 7, 2010)
"VideoLightBox" = VideoLightBox
"VideoWebWizard" = VideoWebWizard 2.04
"VLC media player" = VLC media player 0.9.8a
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinRAR archiver" = WinRAR archiver
"XHeader" = XHeader

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1957994488-1383384898-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smad" = SanctionedMedia

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/5/2012 5:44:47 PM | Computer Name = STAN1 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x0023e721.

[ System Events ]
Error - 5/8/2012 9:43:30 PM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/9/2012 9:16:27 AM | Computer Name = STAN1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SAVRT' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.

Error - 5/9/2012 9:16:34 AM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/9/2012 9:58:43 PM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/10/2012 10:55:44 AM | Computer Name = STAN1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SAVRT' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.

Error - 5/10/2012 10:57:09 AM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/10/2012 5:04:37 PM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/10/2012 5:41:24 PM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/11/2012 10:55:59 AM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI

Error - 5/11/2012 11:40:16 AM | Computer Name = STAN1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd SMPLSCSI


< End of report >

-------------------------------------------------

I hope I'm doing it right

Thanks again - Looking forward to your next reply - Stan

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 12:54 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 02:24 PM

Hello
I downloaded combofix from link 1 disabled all anti virus and malware programs and ran the combofix
When it got to the step of scanning it seemed to stall or stop right after the screen said

scanning for infected files
this usually only takes about ten minutes or so
but on very infected machines scan times may double


It seemed to stall right there and never went into its series of checks which is what it did before
and remember I had trouble running DDS Gmer and Defogger also.
I let it run for a long time and it never made it past that.
Also it locked up my computer and I couldn't even reboot properly.
I had to do a cold boot from the pc itself
Some process must be stopping it don't know what to do next

Thank again - Stan

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 02:54 PM

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
ComboFix /nombr
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 10:12 PM

Hi Gringo I really appreciate all your help

It did give me a combofix log this time but did something weird.

Something closed by itself and gave me an error report so I will give you that also.
It also opened 10 yes 10 notepads called history_manager[1] so I will give you them too.

-----------------------------------------------------------------------------------------
Combo fix log

ComboFix 12-05-11.03 - Stan 05/11/2012 16:25:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2198 [GMT -4:00]
Running from: c:\documents and settings\Stan\Desktop\ComboFix.exe
Command switches used :: /nombr
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Stan\Application Data\vso_ts_preview.xml
c:\documents and settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}
c:\documents and settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}\chrome.manifest
c:\documents and settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}\chrome\content\_cfg.js
c:\documents and settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}\chrome\content\overlay.xul
c:\documents and settings\Stan\Local Settings\Application Data\{5CDFAFD5-4C49-4265-A553-94A1760BCC84}\install.rdf
c:\documents and settings\Stan\WINDOWS
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-04-28 20:05 . 2012-04-28 20:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-28 20:05 . 2012-04-28 20:05 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-02-18 20:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 14:10 . 2004-08-04 06:56 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 06:56 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50 . 2004-08-04 06:56 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50 . 2004-08-04 04:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50 . 2004-08-04 06:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50 . 2004-08-04 04:59 369664 ----a-w- c:\windows\system32\html.iec
2012-02-15 14:54 . 2012-02-15 14:54 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-02-13 03:33 . 2012-02-13 03:30 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-04-21 20:56 . 2012-04-21 20:56 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-02 23:00 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-20 23:00 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-15 23:00 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-02-13 325000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-15 198160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Persistence"=c:\windows\system32\igfxpers.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Acoustica Mixcraft 4\\Mixcraft4.exe"=
"c:\\Program Files\\Acoustica Mixcraft 5\\mixcraft5.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\3.1\AGCoreService.exe [10/15/2009 1:42 PM 20480]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/18/2011 4:24 PM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/18/2011 4:24 PM 22344]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/28/2012 4:05 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/13/2009 7:35 PM 1684736]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2/22/2011 10:56 PM 27064]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 20:05]
.
2012-05-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-11 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 0.0.0.0:00
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Stan\Application Data\Mozilla\Firefox\Profiles\0qzvh3y7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Capture Fox: capturefoxmovie@advancity.net - %profile%\extensions\capturefoxmovie@advancity.net
FF - Ext: S3 Firefox Organizer(S3Fox): {7CEA821D-3DAB-4238-B424-BF7324531750} - %profile%\extensions\{7CEA821D-3DAB-4238-B424-BF7324531750}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-11 16:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"napdbkjfgbodgkeeamgiffghllgf"=hex:69,61,6b,6c,66,6e,62,6a,61,62,61,63,65,6e,
68,63,6f,6b,00,00
"mafekjdjpmnachfnfcodicakdb"=hex:69,61,6b,6c,66,6e,62,6a,61,62,61,63,65,6e,68,
63,6f,6b,00,00
"oaddiifbmejghgekhnbcopihlchnik"=hex:61,61,00,00
"naddiifbmejghgekhnafmoeigcjl"=hex:61,61,00,00
"oaddiifbmejghgekhncfjhjplcabgn"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2012-05-11 17:12:25
ComboFix-quarantined-files.txt 2012-05-11 21:12
.
Pre-Run: 96,050,745,344 bytes free
Post-Run: 96,685,109,248 bytes free
.
- - End Of File - - 2FF38B2BF5C2C7AB7B07331FA384886D


-------------------------------------------------------------------------------------------------------------------------

Here are the other logs

-----------------------------------------------------------------------------------------------------------------

Error report

Generic Host Process for Win32 Services has
encountered a problem and needs to close. We are sorry
for the inconvenience.


Error signature
szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll
szModVer : 5.1.2600.6055 offset : 00001de6


C:\DOCUME~1\Stan\LOCALS~1\Temp\WER999d.dir00\svchost.exe.mdmp
C:\DOCUME~1\Stan\LOCALS~1\Temp\WER999d.dir00\appcompat.txt


---------------------------------------------------------------------------

There were 10 of these logs called history_manager[1]
but they all seem to be the same so I included it too.

history_manager[1]

/*1336720136,176820665*/

.sp_1efnpk{background-image:url(http://static.ak.fbcdn.net/rsrc.php/v1/ya/r/-g1Tj04lpwu.png);background-repeat:no-repeat;display:inline-block;height:16px;width:16px}
.sx_13e907{background-position:-16px -0px}
.selected .sx_13e907{background-position:-0px -0px}
.sx_75431c{background-position:-0px -17px}
.sp_e3y7c9{background-image:url(http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/7sq8I65Lld6.png);background-repeat:no-repeat;display:inline-block;height:16px;width:16px}
.sx_0a1bf3{background-position:-16px -0px}
.selected .sx_0a1bf3{background-position:-0px -0px}
.sx_b2c067{background-position:-0px -17px}

#bootloader_7OzMr { height: 42px; }

-------------------------------------------------------------------------------------------------

I hope you can figure it all out, it looks like a foreign language to me.

Thanks again for all your help - Stan

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 10:20 PM

Greetings

looks like a foreign language to me to but if it keeps happening we will look into it further


I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 10:42 PM

Hello again
the TDSS killer that I downloaded to my desktop will not start
The aswMBR also will not run. but I had a slightly older version of TDSS killer and it ran.
It finds a rootkit called - Rootkit.Win32.BackBoot.gen(\HardDisk0)
So here is the report

---------------------------------------------------
TDSS Killer

2012/05/11 23:28:39.0546 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2012/05/11 23:28:39.0546 ================================================================================
2012/05/11 23:28:39.0546 SystemInfo:
2012/05/11 23:28:39.0546
2012/05/11 23:28:39.0546 OS Version: 5.1.2600 ServicePack: 3.0
2012/05/11 23:28:39.0546 Product type: Workstation
2012/05/11 23:28:39.0546 ComputerName: STAN1
2012/05/11 23:28:39.0546 UserName: Stan
2012/05/11 23:28:39.0546 Windows directory: C:\WINDOWS
2012/05/11 23:28:39.0546 System windows directory: C:\WINDOWS
2012/05/11 23:28:39.0546 Processor architecture: Intel x86
2012/05/11 23:28:39.0546 Number of processors: 2
2012/05/11 23:28:39.0546 Page size: 0x1000
2012/05/11 23:28:39.0546 Boot type: Normal boot
2012/05/11 23:28:39.0546 ================================================================================
2012/05/11 23:28:39.0750 Initialize success
2012/05/11 23:29:02.0015 ================================================================================
2012/05/11 23:29:02.0015 Scan started
2012/05/11 23:29:02.0015 Mode: Manual;
2012/05/11 23:29:02.0015 ================================================================================
2012/05/11 23:29:02.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2012/05/11 23:29:02.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2012/05/11 23:29:02.0562 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2012/05/11 23:29:02.0609 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
2012/05/11 23:29:02.0734 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2012/05/11 23:29:02.0859 ASPI32 (31ed89badd47130ad57cce8c8dfb5b27) C:\WINDOWS\system32\drivers\ASPI32.sys
2012/05/11 23:29:02.0875 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2012/05/11 23:29:02.0906 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2012/05/11 23:29:02.0937 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2012/05/11 23:29:02.0953 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2012/05/11 23:29:03.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2012/05/11 23:29:03.0171 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2012/05/11 23:29:03.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2012/05/11 23:29:03.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2012/05/11 23:29:03.0250 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2012/05/11 23:29:03.0343 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2012/05/11 23:29:03.0390 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2012/05/11 23:29:03.0437 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2012/05/11 23:29:03.0453 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2012/05/11 23:29:03.0484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2012/05/11 23:29:03.0500 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2012/05/11 23:29:03.0562 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2012/05/11 23:29:03.0593 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2012/05/11 23:29:03.0609 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2012/05/11 23:29:03.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2012/05/11 23:29:03.0687 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2012/05/11 23:29:03.0718 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2012/05/11 23:29:03.0750 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2012/05/11 23:29:03.0796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2012/05/11 23:29:03.0843 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2012/05/11 23:29:03.0890 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2012/05/11 23:29:03.0953 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2012/05/11 23:29:03.0984 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2012/05/11 23:29:04.0125 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2012/05/11 23:29:04.0218 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2012/05/11 23:29:04.0250 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\WINDOWS\system32\drivers\InCDFs.sys
2012/05/11 23:29:04.0265 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\WINDOWS\system32\drivers\InCDPass.sys
2012/05/11 23:29:04.0281 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\WINDOWS\system32\drivers\InCDrec.sys
2012/05/11 23:29:04.0281 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\WINDOWS\system32\drivers\InCDRm.sys
2012/05/11 23:29:04.0437 IntcAzAudAddService (3a3a539d7db808fad3b55740474a6d02) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2012/05/11 23:29:04.0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2012/05/11 23:29:04.0531 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2012/05/11 23:29:04.0578 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2012/05/11 23:29:04.0609 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2012/05/11 23:29:04.0640 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2012/05/11 23:29:04.0687 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2012/05/11 23:29:04.0687 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2012/05/11 23:29:04.0734 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2012/05/11 23:29:04.0734 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2012/05/11 23:29:04.0796 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2012/05/11 23:29:04.0812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2012/05/11 23:29:04.0828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2012/05/11 23:29:04.0890 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
2012/05/11 23:29:04.0906 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2012/05/11 23:29:04.0953 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2012/05/11 23:29:05.0031 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2012/05/11 23:29:05.0078 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2012/05/11 23:29:05.0093 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2012/05/11 23:29:05.0109 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2012/05/11 23:29:05.0140 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2012/05/11 23:29:05.0171 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2012/05/11 23:29:05.0187 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2012/05/11 23:29:05.0250 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2012/05/11 23:29:05.0250 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2012/05/11 23:29:05.0265 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2012/05/11 23:29:05.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2012/05/11 23:29:05.0343 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2012/05/11 23:29:05.0453 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\naveng.sys
2012/05/11 23:29:05.0484 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\navex15.sys
2012/05/11 23:29:05.0546 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2012/05/11 23:29:05.0578 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2012/05/11 23:29:05.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2012/05/11 23:29:05.0625 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2012/05/11 23:29:05.0656 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2012/05/11 23:29:05.0703 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2012/05/11 23:29:05.0718 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2012/05/11 23:29:05.0765 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2012/05/11 23:29:05.0812 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2012/05/11 23:29:05.0859 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2012/05/11 23:29:05.0906 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2012/05/11 23:29:05.0921 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2012/05/11 23:29:05.0968 ONSIO (2e76a0c21fe51b239529e7752db897a9) C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
2012/05/11 23:29:06.0031 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2012/05/11 23:29:06.0031 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2012/05/11 23:29:06.0078 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2012/05/11 23:29:06.0078 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2012/05/11 23:29:06.0125 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2012/05/11 23:29:06.0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2012/05/11 23:29:06.0250 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2012/05/11 23:29:06.0265 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2012/05/11 23:29:06.0281 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2012/05/11 23:29:06.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2012/05/11 23:29:06.0375 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2012/05/11 23:29:06.0375 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2012/05/11 23:29:06.0390 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2012/05/11 23:29:06.0406 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2012/05/11 23:29:06.0421 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2012/05/11 23:29:06.0437 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2012/05/11 23:29:06.0468 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
2012/05/11 23:29:06.0500 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2012/05/11 23:29:06.0546 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2012/05/11 23:29:06.0578 RTLE8023xp (e47c52f0380f0950e2bc9f1bcdc0de9b) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2012/05/11 23:29:06.0703 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2012/05/11 23:29:06.0718 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2012/05/11 23:29:06.0765 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
2012/05/11 23:29:06.0781 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2012/05/11 23:29:06.0828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2012/05/11 23:29:06.0890 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2012/05/11 23:29:06.0890 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2012/05/11 23:29:06.0937 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2012/05/11 23:29:06.0984 SMPLSCSI (f6545ded3308642899a72c8a1789b029) C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
2012/05/11 23:29:07.0031 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2012/05/11 23:29:07.0046 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2012/05/11 23:29:07.0078 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2012/05/11 23:29:07.0109 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2012/05/11 23:29:07.0125 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2012/05/11 23:29:07.0265 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
2012/05/11 23:29:07.0312 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2012/05/11 23:29:07.0328 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2012/05/11 23:29:07.0375 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2012/05/11 23:29:07.0421 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2012/05/11 23:29:07.0453 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2012/05/11 23:29:07.0484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2012/05/11 23:29:07.0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2012/05/11 23:29:07.0546 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2012/05/11 23:29:07.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2012/05/11 23:29:07.0656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2012/05/11 23:29:07.0671 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2012/05/11 23:29:07.0687 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2012/05/11 23:29:07.0750 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2012/05/11 23:29:07.0765 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2012/05/11 23:29:07.0781 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2012/05/11 23:29:07.0828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2012/05/11 23:29:07.0875 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2012/05/11 23:29:07.0890 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2012/05/11 23:29:07.0937 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2012/05/11 23:29:07.0984 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2012/05/11 23:29:08.0156 \HardDisk0 - detected Rootkit.Win32.BackBoot.gen (1)
2012/05/11 23:29:08.0156 ================================================================================
2012/05/11 23:29:08.0156 Scan finished
2012/05/11 23:29:08.0156 ================================================================================
2012/05/11 23:29:08.0171 Detected object count: 1
2012/05/11 23:29:17.0109 Rootkit.Win32.BackBoot.gen(\HardDisk0) - User select action: Skip

-----------------------------------------------------------------------------------------------------

Crazy stuff isn't it

Thanks again - Stan

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 10:47 PM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 11:13 PM

Hey Gringo this time it ran here are the results.
Also there is a security update from microsoft pending. I have not installed the update yet.
I thought I would check with you first so I will include it too.

----------------------------------------------

Fix TDSS

***Infected MBR detected
Repair Succeeded

-----------------------------------------------

New TDSS Killer Log

00:01:16.0000 3348 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
00:01:16.0359 3348 ============================================================
00:01:16.0359 3348 Current date / time: 2012/05/12 00:01:16.0359
00:01:16.0359 3348 SystemInfo:
00:01:16.0359 3348
00:01:16.0359 3348 OS Version: 5.1.2600 ServicePack: 3.0
00:01:16.0359 3348 Product type: Workstation
00:01:16.0359 3348 ComputerName: STAN1
00:01:16.0359 3348 UserName: Stan
00:01:16.0359 3348 Windows directory: C:\WINDOWS
00:01:16.0359 3348 System windows directory: C:\WINDOWS
00:01:16.0359 3348 Processor architecture: Intel x86
00:01:16.0359 3348 Number of processors: 2
00:01:16.0359 3348 Page size: 0x1000
00:01:16.0359 3348 Boot type: Normal boot
00:01:16.0359 3348 ============================================================
00:01:17.0781 3348 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:01:17.0781 3348 ============================================================
00:01:17.0781 3348 \Device\Harddisk0\DR0:
00:01:17.0781 3348 MBR partitions:
00:01:17.0781 3348 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
00:01:17.0781 3348 ============================================================
00:01:17.0812 3348 C: <-> \Device\Harddisk0\DR0\Partition0
00:01:17.0812 3348 ============================================================
00:01:17.0812 3348 Initialize success
00:01:17.0812 3348 ============================================================
00:01:24.0312 3524 ============================================================
00:01:24.0312 3524 Scan started
00:01:24.0312 3524 Mode: Manual;
00:01:24.0312 3524 ============================================================
00:01:24.0625 3524 Abiosdsk - ok
00:01:24.0625 3524 abp480n5 - ok
00:01:24.0671 3524 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:01:24.0687 3524 ACPI - ok
00:01:24.0718 3524 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
00:01:24.0734 3524 ACPIEC - ok
00:01:24.0781 3524 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
00:01:24.0828 3524 AdobeFlashPlayerUpdateSvc - ok
00:01:24.0828 3524 adpu160m - ok
00:01:24.0875 3524 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
00:01:24.0875 3524 aec - ok
00:01:24.0937 3524 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
00:01:24.0937 3524 AFD - ok
00:01:25.0031 3524 AGCoreService (853a4c3f8ad8c8667536c51afd41b6e4) C:\Program Files\AGI\core\3.1\AGCoreService.exe
00:01:25.0031 3524 AGCoreService - ok
00:01:25.0031 3524 Aha154x - ok
00:01:25.0031 3524 aic78u2 - ok
00:01:25.0031 3524 aic78xx - ok
00:01:25.0062 3524 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
00:01:25.0078 3524 Alerter - ok
00:01:25.0109 3524 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
00:01:25.0109 3524 ALG - ok
00:01:25.0109 3524 AliIde - ok
00:01:25.0203 3524 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
00:01:25.0265 3524 Ambfilt - ok
00:01:25.0296 3524 amsint - ok
00:01:25.0343 3524 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
00:01:25.0343 3524 AppMgmt - ok
00:01:25.0343 3524 asc - ok
00:01:25.0359 3524 asc3350p - ok
00:01:25.0359 3524 asc3550 - ok
00:01:25.0390 3524 ASPI32 (31ed89badd47130ad57cce8c8dfb5b27) C:\WINDOWS\system32\drivers\ASPI32.sys
00:01:25.0406 3524 ASPI32 - ok
00:01:25.0515 3524 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
00:01:25.0578 3524 aspnet_state - ok
00:01:25.0609 3524 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:01:25.0609 3524 AsyncMac - ok
00:01:25.0625 3524 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:01:25.0625 3524 atapi - ok
00:01:25.0640 3524 Atdisk - ok
00:01:25.0640 3524 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:01:25.0640 3524 Atmarpc - ok
00:01:25.0687 3524 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
00:01:25.0687 3524 AudioSrv - ok
00:01:25.0734 3524 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:01:25.0734 3524 audstub - ok
00:01:25.0781 3524 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:01:25.0781 3524 Beep - ok
00:01:25.0828 3524 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
00:01:25.0890 3524 BITS - ok
00:01:25.0906 3524 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
00:01:25.0906 3524 Browser - ok
00:01:26.0031 3524 catchme - ok
00:01:26.0046 3524 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:01:26.0062 3524 cbidf2k - ok
00:01:26.0140 3524 ccEvtMgr (08d26906c74805bee8deca4c7be8c7f5) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
00:01:26.0140 3524 ccEvtMgr - ok
00:01:26.0156 3524 ccPwdSvc (15e9ab7c078059998933e235a9742502) C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
00:01:26.0171 3524 ccPwdSvc - ok
00:01:26.0234 3524 ccSetMgr (bd565b4456dbce6e02182f35586fd5bf) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
00:01:26.0250 3524 ccSetMgr - ok
00:01:26.0250 3524 cd20xrnt - ok
00:01:26.0281 3524 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:01:26.0281 3524 Cdaudio - ok
00:01:26.0328 3524 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
00:01:26.0328 3524 Cdfs - ok
00:01:26.0343 3524 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:01:26.0343 3524 Cdrom - ok
00:01:26.0359 3524 Changer - ok
00:01:26.0390 3524 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
00:01:26.0390 3524 CiSvc - ok
00:01:26.0406 3524 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
00:01:26.0421 3524 ClipSrv - ok
00:01:26.0484 3524 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
00:01:26.0593 3524 clr_optimization_v2.0.50727_32 - ok
00:01:26.0625 3524 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
00:01:26.0656 3524 clr_optimization_v4.0.30319_32 - ok
00:01:26.0656 3524 CmdIde - ok
00:01:26.0656 3524 COMSysApp - ok
00:01:26.0656 3524 Cpqarray - ok
00:01:26.0687 3524 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
00:01:26.0703 3524 CryptSvc - ok
00:01:26.0703 3524 dac2w2k - ok
00:01:26.0703 3524 dac960nt - ok
00:01:26.0765 3524 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
00:01:26.0765 3524 DcomLaunch - ok
00:01:26.0828 3524 DefWatch (a3985a8ded49f67e3e25d2d2921b4dac) C:\Program Files\Symantec AntiVirus\DefWatch.exe
00:01:26.0843 3524 DefWatch - ok
00:01:26.0890 3524 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
00:01:26.0906 3524 Dhcp - ok
00:01:26.0953 3524 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
00:01:26.0953 3524 Disk - ok
00:01:26.0953 3524 dmadmin - ok
00:01:27.0000 3524 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
00:01:27.0015 3524 dmboot - ok
00:01:27.0046 3524 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
00:01:27.0062 3524 dmio - ok
00:01:27.0062 3524 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:01:27.0078 3524 dmload - ok
00:01:27.0093 3524 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
00:01:27.0093 3524 dmserver - ok
00:01:27.0109 3524 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
00:01:27.0109 3524 DMusic - ok
00:01:27.0156 3524 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
00:01:27.0156 3524 Dnscache - ok
00:01:27.0203 3524 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
00:01:27.0203 3524 Dot3svc - ok
00:01:27.0218 3524 dpti2o - ok
00:01:27.0234 3524 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
00:01:27.0234 3524 drmkaud - ok
00:01:27.0265 3524 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
00:01:27.0265 3524 EapHost - ok
00:01:27.0312 3524 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
00:01:27.0312 3524 ERSvc - ok
00:01:27.0375 3524 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
00:01:27.0375 3524 Eventlog - ok
00:01:27.0437 3524 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
00:01:27.0453 3524 EventSystem - ok
00:01:27.0562 3524 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
00:01:27.0578 3524 Fastfat - ok
00:01:27.0609 3524 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
00:01:27.0656 3524 FastUserSwitchingCompatibility - ok
00:01:27.0656 3524 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
00:01:27.0687 3524 Fdc - ok
00:01:27.0718 3524 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
00:01:27.0718 3524 Fips - ok
00:01:27.0750 3524 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
00:01:27.0765 3524 Flpydisk - ok
00:01:27.0812 3524 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
00:01:27.0828 3524 FltMgr - ok
00:01:27.0921 3524 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
00:01:27.0937 3524 FontCache3.0.0.0 - ok
00:01:27.0937 3524 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:01:27.0953 3524 Fs_Rec - ok
00:01:27.0953 3524 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:01:27.0953 3524 Ftdisk - ok
00:01:27.0968 3524 GMSIPCI - ok
00:01:27.0984 3524 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:01:28.0000 3524 Gpc - ok
00:01:28.0093 3524 gusvc (c1b577b2169900f4cf7190c39f085794) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
00:01:28.0109 3524 gusvc - ok
00:01:28.0171 3524 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:01:28.0171 3524 HDAudBus - ok
00:01:28.0234 3524 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
00:01:28.0250 3524 helpsvc - ok
00:01:28.0265 3524 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
00:01:28.0281 3524 HidServ - ok
00:01:28.0281 3524 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:01:28.0281 3524 hidusb - ok
00:01:28.0312 3524 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
00:01:28.0312 3524 hkmsvc - ok
00:01:28.0312 3524 hpn - ok
00:01:28.0359 3524 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
00:01:28.0375 3524 HTTP - ok
00:01:28.0375 3524 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
00:01:28.0390 3524 HTTPFilter - ok
00:01:28.0390 3524 i2omgmt - ok
00:01:28.0390 3524 i2omp - ok
00:01:28.0421 3524 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
00:01:28.0437 3524 i8042prt - ok
00:01:28.0703 3524 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
00:01:28.0828 3524 ialm - ok
00:01:28.0937 3524 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
00:01:28.0953 3524 IDriverT - ok
00:01:29.0093 3524 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
00:01:29.0140 3524 idsvc - ok
00:01:29.0218 3524 IJPLMSVC (51516252dbbfed36f70b341dba263167) C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
00:01:29.0218 3524 IJPLMSVC - ok
00:01:29.0265 3524 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:01:29.0281 3524 Imapi - ok
00:01:29.0312 3524 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
00:01:29.0328 3524 ImapiService - ok
00:01:29.0375 3524 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\WINDOWS\system32\drivers\InCDFs.sys
00:01:29.0375 3524 InCDfs - ok
00:01:29.0375 3524 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\WINDOWS\system32\drivers\InCDPass.sys
00:01:29.0390 3524 InCDPass - ok
00:01:29.0390 3524 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\WINDOWS\system32\drivers\InCDrec.sys
00:01:29.0406 3524 InCDrec - ok
00:01:29.0406 3524 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\WINDOWS\system32\drivers\InCDRm.sys
00:01:29.0421 3524 incdrm - ok
00:01:29.0562 3524 InCDsrv (9792b85e32e058cd6a43db274ba47d57) C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
00:01:29.0578 3524 InCDsrv - ok
00:01:29.0640 3524 ini910u - ok
00:01:29.0890 3524 IntcAzAudAddService (3a3a539d7db808fad3b55740474a6d02) C:\WINDOWS\system32\drivers\RtkHDAud.sys
00:01:29.0921 3524 IntcAzAudAddService - ok
00:01:30.0000 3524 IntelIde - ok
00:01:30.0015 3524 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:01:30.0015 3524 intelppm - ok
00:01:30.0046 3524 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
00:01:30.0046 3524 Ip6Fw - ok
00:01:30.0093 3524 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:01:30.0109 3524 IpFilterDriver - ok
00:01:30.0125 3524 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:01:30.0140 3524 IpInIp - ok
00:01:30.0171 3524 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:01:30.0171 3524 IpNat - ok
00:01:30.0218 3524 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:01:30.0218 3524 IPSec - ok
00:01:30.0218 3524 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:01:30.0218 3524 IRENUM - ok
00:01:30.0234 3524 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:01:30.0250 3524 isapnp - ok
00:01:30.0359 3524 JavaQuickStarterService (e731921db2e17dcd3db472fad5549c57) C:\Program Files\Java\jre6\bin\jqs.exe
00:01:30.0375 3524 JavaQuickStarterService - ok
00:01:30.0390 3524 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:01:30.0390 3524 Kbdclass - ok
00:01:30.0437 3524 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:01:30.0453 3524 kbdhid - ok
00:01:30.0468 3524 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
00:01:30.0468 3524 kmixer - ok
00:01:30.0500 3524 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
00:01:30.0500 3524 KSecDD - ok
00:01:30.0531 3524 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
00:01:30.0531 3524 lanmanserver - ok
00:01:30.0578 3524 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
00:01:30.0578 3524 lanmanworkstation - ok
00:01:30.0578 3524 Lbd - ok
00:01:30.0578 3524 lbrtfdc - ok
00:01:30.0640 3524 LightScribeService (53710476495886d9961be46983a6a33f) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
00:01:30.0656 3524 LightScribeService - ok
00:01:30.0687 3524 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
00:01:30.0687 3524 LmHosts - ok
00:01:30.0703 3524 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
00:01:30.0718 3524 MBAMProtector - ok
00:01:30.0781 3524 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
00:01:30.0859 3524 MBAMService - ok
00:01:30.0890 3524 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
00:01:30.0906 3524 Messenger - ok
00:01:30.0937 3524 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:01:30.0937 3524 mnmdd - ok
00:01:30.0968 3524 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
00:01:30.0984 3524 mnmsrvc - ok
00:01:31.0000 3524 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
00:01:31.0015 3524 Modem - ok
00:01:31.0093 3524 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
00:01:31.0140 3524 Monfilt - ok
00:01:31.0156 3524 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:01:31.0156 3524 Mouclass - ok
00:01:31.0187 3524 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:01:31.0187 3524 mouhid - ok
00:01:31.0218 3524 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
00:01:31.0218 3524 MountMgr - ok
00:01:31.0218 3524 mraid35x - ok
00:01:31.0250 3524 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:01:31.0250 3524 MRxDAV - ok
00:01:31.0296 3524 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:01:31.0312 3524 MRxSmb - ok
00:01:31.0343 3524 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
00:01:31.0359 3524 MSDTC - ok
00:01:31.0359 3524 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
00:01:31.0359 3524 Msfs - ok
00:01:31.0359 3524 MSIServer - ok
00:01:31.0406 3524 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:01:31.0406 3524 MSKSSRV - ok
00:01:31.0406 3524 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:01:31.0406 3524 MSPCLOCK - ok
00:01:31.0421 3524 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
00:01:31.0421 3524 MSPQM - ok
00:01:31.0468 3524 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:01:31.0468 3524 mssmbios - ok
00:01:31.0500 3524 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
00:01:31.0500 3524 Mup - ok
00:01:31.0531 3524 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
00:01:31.0546 3524 napagent - ok
00:01:31.0640 3524 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\naveng.sys
00:01:31.0640 3524 NAVENG - ok
00:01:31.0703 3524 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110502.002\navex15.sys
00:01:31.0703 3524 NAVEX15 - ok
00:01:31.0843 3524 NBService (b498a14133bd09ad0817590ace4470ad) C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
00:01:31.0906 3524 NBService - ok
00:01:32.0531 3524 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
00:01:32.0546 3524 NDIS - ok
00:01:32.0593 3524 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:01:32.0609 3524 NdisTapi - ok
00:01:32.0625 3524 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:01:32.0625 3524 Ndisuio - ok
00:01:32.0640 3524 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:01:32.0656 3524 NdisWan - ok
00:01:32.0703 3524 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
00:01:32.0703 3524 NDProxy - ok
00:01:32.0750 3524 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:01:32.0750 3524 NetBIOS - ok
00:01:32.0781 3524 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:01:32.0781 3524 NetBT - ok
00:01:32.0921 3524 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
00:01:32.0968 3524 NetDDE - ok
00:01:32.0968 3524 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
00:01:32.0968 3524 NetDDEdsdm - ok
00:01:33.0031 3524 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
00:01:33.0031 3524 Netlogon - ok
00:01:33.0078 3524 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
00:01:33.0093 3524 Netman - ok
00:01:33.0265 3524 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
00:01:33.0406 3524 NetTcpPortSharing - ok
00:01:33.0515 3524 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
00:01:33.0515 3524 Nla - ok
00:01:33.0750 3524 NMIndexingService (a328a46d87bb92ce4d8a4528e9d84787) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
00:01:33.0843 3524 NMIndexingService - ok
00:01:33.0875 3524 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
00:01:33.0875 3524 Npfs - ok
00:01:34.0000 3524 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
00:01:34.0046 3524 Ntfs - ok
00:01:34.0093 3524 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
00:01:34.0093 3524 NtLmSsp - ok
00:01:34.0265 3524 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
00:01:34.0390 3524 NtmsSvc - ok
00:01:34.0421 3524 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:01:34.0421 3524 Null - ok
00:01:34.0468 3524 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:01:34.0484 3524 NwlnkFlt - ok
00:01:34.0531 3524 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:01:34.0562 3524 NwlnkFwd - ok
00:01:35.0484 3524 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
00:01:36.0000 3524 odserv - ok
00:01:36.0125 3524 ONSIO (2e76a0c21fe51b239529e7752db897a9) C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
00:01:36.0140 3524 ONSIO - ok
00:01:36.0328 3524 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
00:01:36.0453 3524 ose - ok
00:01:36.0515 3524 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
00:01:36.0531 3524 Parport - ok
00:01:36.0593 3524 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
00:01:36.0593 3524 PartMgr - ok
00:01:36.0625 3524 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:01:36.0625 3524 ParVdm - ok
00:01:36.0687 3524 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
00:01:36.0718 3524 PCI - ok
00:01:36.0718 3524 PCIDump - ok
00:01:36.0765 3524 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:01:36.0765 3524 PCIIde - ok
00:01:36.0859 3524 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
00:01:36.0859 3524 Pcmcia - ok
00:01:36.0875 3524 PDCOMP - ok
00:01:36.0875 3524 PDFRAME - ok
00:01:36.0875 3524 PDRELI - ok
00:01:36.0875 3524 PDRFRAME - ok
00:01:36.0875 3524 perc2 - ok
00:01:36.0890 3524 perc2hib - ok
00:01:36.0984 3524 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
00:01:36.0984 3524 PlugPlay - ok
00:01:37.0031 3524 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
00:01:37.0031 3524 PolicyAgent - ok
00:01:37.0093 3524 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:01:37.0109 3524 PptpMiniport - ok
00:01:37.0109 3524 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
00:01:37.0109 3524 ProtectedStorage - ok
00:01:37.0125 3524 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
00:01:37.0140 3524 PSched - ok
00:01:37.0156 3524 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:01:37.0156 3524 Ptilink - ok
00:01:37.0156 3524 ql1080 - ok
00:01:37.0156 3524 Ql10wnt - ok
00:01:37.0171 3524 ql12160 - ok
00:01:37.0171 3524 ql1240 - ok
00:01:37.0171 3524 ql1280 - ok
00:01:37.0562 3524 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:01:37.0562 3524 RasAcd - ok
00:01:37.0750 3524 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
00:01:37.0765 3524 RasAuto - ok
00:01:37.0781 3524 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:01:37.0812 3524 Rasl2tp - ok
00:01:37.0890 3524 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
00:01:37.0906 3524 RasMan - ok
00:01:37.0921 3524 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:01:37.0937 3524 RasPppoe - ok
00:01:37.0953 3524 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:01:37.0968 3524 Raspti - ok
00:01:38.0015 3524 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:01:38.0015 3524 Rdbss - ok
00:01:38.0046 3524 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:01:38.0046 3524 RDPCDD - ok
00:01:38.0078 3524 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:01:38.0109 3524 rdpdr - ok
00:01:38.0140 3524 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
00:01:38.0171 3524 RDPWD - ok
00:01:38.0218 3524 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
00:01:38.0250 3524 RDSessMgr - ok
00:01:38.0281 3524 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:01:38.0281 3524 redbook - ok
00:01:38.0343 3524 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
00:01:38.0343 3524 RemoteAccess - ok
00:01:38.0375 3524 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
00:01:38.0390 3524 RemoteRegistry - ok
00:01:38.0421 3524 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
00:01:38.0421 3524 Revoflt - ok
00:01:38.0437 3524 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
00:01:38.0453 3524 RpcLocator - ok
00:01:38.0593 3524 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
00:01:38.0593 3524 RpcSs - ok
00:01:38.0656 3524 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
00:01:38.0687 3524 RSVP - ok
00:01:38.0875 3524 RTLE8023xp (e47c52f0380f0950e2bc9f1bcdc0de9b) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
00:01:38.0906 3524 RTLE8023xp - ok
00:01:38.0953 3524 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
00:01:38.0968 3524 SamSs - ok
00:01:39.0093 3524 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
00:01:39.0093 3524 SASDIFSV - ok
00:01:39.0109 3524 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
00:01:39.0109 3524 SASKUTIL - ok
00:01:39.0171 3524 SavRoam (40f6c7dd9228e62aa54f25df23585634) C:\Program Files\Symantec AntiVirus\SavRoam.exe
00:01:39.0187 3524 SavRoam - ok
00:01:39.0234 3524 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
00:01:39.0234 3524 SAVRT - ok
00:01:39.0250 3524 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
00:01:39.0250 3524 SAVRTPEL - ok
00:01:39.0296 3524 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
00:01:39.0312 3524 SCardSvr - ok
00:01:39.0359 3524 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
00:01:39.0375 3524 Schedule - ok
00:01:39.0390 3524 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:01:39.0406 3524 Secdrv - ok
00:01:39.0421 3524 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
00:01:39.0421 3524 seclogon - ok
00:01:39.0437 3524 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
00:01:39.0437 3524 SENS - ok
00:01:39.0484 3524 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
00:01:39.0484 3524 serenum - ok
00:01:39.0484 3524 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
00:01:39.0500 3524 Serial - ok
00:01:39.0515 3524 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:01:39.0515 3524 Sfloppy - ok
00:01:39.0578 3524 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
00:01:39.0593 3524 SharedAccess - ok
00:01:39.0640 3524 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
00:01:39.0640 3524 ShellHWDetection - ok
00:01:39.0640 3524 Simbad - ok
00:01:39.0671 3524 SMPLSCSI (f6545ded3308642899a72c8a1789b029) C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
00:01:39.0687 3524 SMPLSCSI - ok
00:01:39.0812 3524 SNDSrvc (e6d3841a12face16e2eba24e714ca203) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
00:01:39.0859 3524 SNDSrvc - ok
00:01:39.0859 3524 Sparrow - ok
00:01:39.0906 3524 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
00:01:39.0906 3524 splitter - ok
00:01:39.0953 3524 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
00:01:39.0968 3524 Spooler - ok
00:01:39.0968 3524 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
00:01:39.0984 3524 sr - ok
00:01:40.0031 3524 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
00:01:40.0031 3524 srservice - ok
00:01:40.0062 3524 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
00:01:40.0078 3524 Srv - ok
00:01:40.0140 3524 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
00:01:40.0140 3524 SSDPSRV - ok
00:01:40.0203 3524 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
00:01:40.0218 3524 stisvc - ok
00:01:40.0250 3524 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:01:40.0265 3524 swenum - ok
00:01:40.0265 3524 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
00:01:40.0281 3524 swmidi - ok
00:01:40.0281 3524 SwPrv - ok
00:01:40.0406 3524 Symantec AntiVirus (91c4579e77abdfac02c16e0d0736123e) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
00:01:40.0453 3524 Symantec AntiVirus - ok
00:01:40.0468 3524 symc810 - ok
00:01:40.0468 3524 symc8xx - ok
00:01:40.0515 3524 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
00:01:40.0515 3524 SymEvent - ok
00:01:40.0562 3524 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
00:01:40.0562 3524 SYMREDRV - ok
00:01:40.0578 3524 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
00:01:40.0593 3524 SYMTDI - ok
00:01:40.0593 3524 sym_hi - ok
00:01:40.0593 3524 sym_u3 - ok
00:01:40.0609 3524 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
00:01:40.0609 3524 sysaudio - ok
00:01:40.0640 3524 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
00:01:40.0656 3524 SysmonLog - ok
00:01:40.0703 3524 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
00:01:40.0703 3524 TapiSrv - ok
00:01:40.0750 3524 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:01:40.0750 3524 Tcpip - ok
00:01:40.0796 3524 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:01:40.0796 3524 TDPIPE - ok
00:01:40.0828 3524 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
00:01:40.0828 3524 TDTCP - ok
00:01:40.0859 3524 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:01:40.0859 3524 TermDD - ok
00:01:40.0906 3524 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
00:01:40.0906 3524 TermService - ok
00:01:40.0953 3524 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
00:01:40.0953 3524 Themes - ok
00:01:40.0984 3524 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
00:01:40.0984 3524 TlntSvr - ok
00:01:40.0984 3524 TosIde - ok
00:01:41.0015 3524 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
00:01:41.0031 3524 TrkWks - ok
00:01:41.0046 3524 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
00:01:41.0046 3524 Udfs - ok
00:01:41.0046 3524 ultra - ok
00:01:41.0093 3524 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
00:01:41.0093 3524 UMWdf - ok
00:01:41.0156 3524 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
00:01:41.0171 3524 Update - ok
00:01:41.0203 3524 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
00:01:41.0218 3524 upnphost - ok
00:01:41.0218 3524 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
00:01:41.0234 3524 UPS - ok
00:01:41.0265 3524 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:01:41.0281 3524 usbccgp - ok
00:01:41.0281 3524 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:01:41.0281 3524 usbehci - ok
00:01:41.0328 3524 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:01:41.0343 3524 usbhub - ok
00:01:41.0390 3524 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:01:41.0390 3524 usbprint - ok
00:01:41.0421 3524 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:01:41.0437 3524 USBSTOR - ok
00:01:41.0453 3524 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:01:41.0453 3524 usbuhci - ok
00:01:41.0500 3524 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
00:01:41.0500 3524 VgaSave - ok
00:01:41.0500 3524 ViaIde - ok
00:01:41.0515 3524 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
00:01:41.0515 3524 VolSnap - ok
00:01:41.0562 3524 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
00:01:41.0578 3524 VSS - ok
00:01:41.0625 3524 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
00:01:41.0625 3524 W32Time - ok
00:01:41.0640 3524 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:01:41.0640 3524 Wanarp - ok
00:01:41.0640 3524 WDICA - ok
00:01:41.0687 3524 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
00:01:41.0687 3524 wdmaud - ok
00:01:41.0734 3524 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
00:01:41.0734 3524 WebClient - ok
00:01:41.0812 3524 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
00:01:41.0828 3524 winmgmt - ok
00:01:41.0875 3524 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\MsPMSNSv.dll
00:01:41.0875 3524 WmdmPmSN - ok
00:01:41.0937 3524 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
00:01:41.0953 3524 Wmi - ok
00:01:41.0984 3524 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
00:01:41.0984 3524 WmiApSrv - ok
00:01:42.0156 3524 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
00:01:42.0234 3524 WPFFontCache_v0400 - ok
00:01:42.0296 3524 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
00:01:42.0296 3524 WS2IFSL - ok
00:01:42.0343 3524 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
00:01:42.0343 3524 wscsvc - ok
00:01:42.0390 3524 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
00:01:42.0390 3524 wuauserv - ok
00:01:42.0453 3524 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
00:01:42.0453 3524 WZCSVC - ok
00:01:42.0500 3524 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
00:01:42.0500 3524 xmlprov - ok
00:01:42.0515 3524 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
00:01:42.0718 3524 \Device\Harddisk0\DR0 - ok
00:01:42.0718 3524 Boot (0x1200) (0035dd7a1d4df6aa2fd8104795395786) \Device\Harddisk0\DR0\Partition0
00:01:42.0718 3524 \Device\Harddisk0\DR0\Partition0 - ok
00:01:42.0718 3524 ============================================================
00:01:42.0718 3524 Scan finished
00:01:42.0718 3524 ============================================================
00:01:42.0718 3516 Detected object count: 0
00:01:42.0718 3516 Actual detected object count: 0

---------------------------------------------------------------------------

Thanks again - Stan

#12 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 11 May 2012 - 11:15 PM

Here Is The security update that I forgot

Security Update for Windows XP (KB2676562)


Size: 957 KB - 3.1 MB

A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.

More information for this update can be found at http://go.microsoft.com/fwlink/?LinkId=244692

Thanks - Stan

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 11 May 2012 - 11:47 PM

go ahead and install the update and then run aswmbr for me



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Freewaydawg

Freewaydawg
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 12 May 2012 - 12:37 AM

Hey gringo

The program seemed to just stop although it never said it was finished.
here is the log

aswMBR log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-12 01:09:52
-----------------------------
01:09:52.687 OS Version: Windows 5.1.2600 Service Pack 3
01:09:52.687 Number of processors: 2 586 0x170A
01:09:52.687 ComputerName: STAN1 UserName: Stan
01:09:53.203 Initialize success
01:09:56.921 AVAST engine defs: 12051101
01:10:23.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
01:10:23.593 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
01:10:23.656 Disk 0 MBR read successfully
01:10:23.656 Disk 0 MBR scan
01:10:23.687 Disk 0 Windows XP default MBR code
01:10:23.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
01:10:23.703 Disk 0 scanning sectors +312560640
01:10:23.812 Disk 0 scanning C:\WINDOWS\system32\drivers
01:10:42.718 Service scanning
01:10:45.515 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
01:10:55.671 Modules scanning
01:11:14.015 Disk 0 trace - called modules:
01:11:14.046 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:11:14.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad1dab8]
01:11:14.546 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\0000006d[0x8ad45f18]
01:11:14.546 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x8acac030]
01:11:15.046 AVAST engine scan C:\WINDOWS
01:11:16.812 File: C:\WINDOWS\eciyiwif.dll **INFECTED** Win32:Famudin [Trj]
01:11:32.765 AVAST engine scan C:\WINDOWS\system32
01:16:00.296 AVAST engine scan C:\WINDOWS\system32\drivers
01:16:35.593 AVAST engine scan C:\Documents and Settings\Stan
01:18:54.484 File: C:\Documents and Settings\Stan\desktop\SecureTree\patch.exe **INFECTED** Win32:Malware-gen
01:26:32.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Stan\Desktop\MBR.dat"
01:26:32.281 The log file has been saved successfully to "C:\Documents and Settings\Stan\Desktop\aswMBR.txt"


Sorry if I stopped it too soon but it was dormant for some time. And I am wiped.
I am very tired and have had a very long day so I will pick this up again tomorrow
I am going to try to run it again and just let it go all night to see if it gets any farther.

Thanks again and talk to you tomorrow - Stan

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 12 May 2012 - 12:42 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\WINDOWS\eciyiwif.dll

RegNull::
[HKEY_USERS\S-1-5-21-1957994488-1383384898-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3C149F45-5C51-EA12-C9F5-E017498646E2}*]

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users