
Amazon.com Hijacked With Fraudulent Credit Prompt


  • This topic is locked
16 replies to this topic

#1 GrimBrunn

GrimBrunn

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:36 AM

Posted 13 May 2012 - 08:05 PM

Starting about a week ago, an un-exitable prompt would occasionally overlay the Amazon.com webpage, demanding my full credit info, including PIN, to confirm my identity. This of course struck me as an obvious fraud attempt.

It reads as follows:

"We do not recognize the computer you are using.
To continue with Online Banking, please provide the information requested below.

Confirm Your Identity

Instructions: Provide your Card Security Code and as much additional security information as you can. Your entries must match the information on the account record and will be used solely to confirm your identity.
"
A screencap of the prompt is available here: http://i.imgur.com/DZEJC.jpg

Googling the text led me to several resources that point to it as a possible rootkit infection by the name of Zbot, so I decided to refer to you guys on this one. While originally looking through Bleepingcomputer archives for a cure path, I found this case, which appears to possess the exact same symptoms, if it helps any: http://www.bleepingcomputer.com/forums/topic357931.html . I have not performed any of the suggestions posted there.

I did run TDSSKiller however which reported it had found two instances of 'Rootkit.Boot.Sinowal.b' in \Device\Harddisk0\DR0 and \Device\Harddisk1\DR1. Full log is attached.

Also, both attempts to run GMER scans as suggested by the posting guide failed. The first for unknown reasons as my system would not output video to my monitors upon my return, and the second, which was more closely followed, due to gradual system performance degradation during the scan followed by a system error and bluescreen. The error I did not have time to catch, but the bluescreen was in EMU10k.sys, which I believe is attached to my sound card drivers. I've included an incomplete log saved midway through the second scan attempt.


DDS log as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Grim at 2:17:11 on 2012-05-13
.
============== Running Processes ===============
.
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Grim\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [EVGAPrecision] "c:\program files\evga precision x\EVGAPrecision.exe" /s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.1.0.0.26.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206766824796
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{1493DA86-63F1-409C-B799-FBD1C19D078E} : DhcpNameServer = 65.32.5.111 65.32.5.112
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\grim\application data\mozilla\firefox\profiles\4drk7qcn.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\grim\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R? {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM
R? Ambfilt;Ambfilt
R? AODDriver;AODDriver
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz130;cpuz130
R? dfmirage;dfmirage
R? dugb.sys;dugb.sys
R? etdrv;etdrv
R? EvcapMaui;Emuzed EvcapMaui Device
R? FStarForce;FStarForce
R? GenericMount;Generic Mount Driver
R? kxwdmdrv;kX WDM Driver Service
R? LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver
R? LGVirHid;Logitech Gamepanel Virtual HID Device Driver
R? MEMSWEEP2;MEMSWEEP2
R? portio32;portio32
R? ProcAPI;ProcAPI
R? RPCT;Remote Procedure Call (TPM)
R? SwitchBoard;Adobe SwitchBoard
R? Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider
R? tat;tat
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? xbreader;MaxDrive XBox Driver (xbreader.sys)
R? xcpip;TCP/IP Protocol Driver
R? XDva311;XDva311
R? xpsec;IPSEC driver
S? AntiVirSchedulerService;Avira Scheduler
S? AntiVirService;Avira Realtime Protection
S? avgntflt;avgntflt
S? avkmgr;avkmgr
S? DAdderFltr;DeathAdder Mouse
S? dtsoftbus01;DAEMON Tools Virtual Bus Driver
S? DwProt;DrWeb Protection
S? hidkmdf;Filter Driver Service for HID-KMDF Interface layer
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? mi-raysat_3dsmax2012_32;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 32-bit - English 32-bit
S? RPCQT;Remote Procedure Call (CQTPM)
S? RRamdisk;Ramdisk Driver
S? TabletServicePen;TabletServicePen
S? TouchServicePen;Wacom Consumer Touch Service
S? VBoxDrv;VirtualBox Service
S? VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter
S? VBoxNetFlt;VirtualBox Bridged Networking Service
S? VBoxUSBMon;VirtualBox USB Monitor Driver
S? VKbms;Virtual HID Minidriver
S? wcafix;Windows Cursor Acceleration Fix
.
=============== Created Last 30 ================
.
2012-05-13 06:00:27 -------- d-----w- c:\documents and settings\grim\DoctorWeb
2012-05-13 05:37:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-13 05:21:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 05:21:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-12 19:14:27 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 19:14:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 19:08:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-12 08:48:38 -------- d-----w- c:\program files\Guild Wars
2012-05-12 01:50:35 -------- d-----w- c:\documents and settings\grim\application data\wtablet
2012-05-12 01:49:03 1107832 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2012-05-12 01:48:53 -------- d-----w- c:\program files\TabletPlugins
2012-05-12 01:48:32 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2012-05-12 01:48:24 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2012-05-12 01:48:22 1369464 ----a-w- c:\windows\system32\Pen_Tablet.dll
2012-05-12 01:48:22 1156472 ----a-w- c:\windows\system32\Wintab32.dll
2012-05-12 01:48:22 1152888 ----a-w- c:\windows\system32\WacomMT.dll
2012-05-12 01:48:20 -------- d-----w- c:\program files\Tablet
2012-05-09 23:25:16 -------- d-----w- c:\documents and settings\grim\application data\IDoser
2012-05-09 23:25:07 -------- d-----w- c:\program files\I-Doser Premium
2012-05-03 02:54:46 42392 ----a-w- c:\windows\system32\xfcodec.dll
2012-05-02 00:41:03 -------- d-----w- c:\documents and settings\grim\local settings\application data\AlephOne
2012-05-01 06:19:21 -------- d-----w- c:\documents and settings\grim\application data\Seeing Machines
2012-05-01 06:19:21 -------- d-----w- c:\documents and settings\all users\application data\Seeing Machines
2012-05-01 06:16:02 -------- d-----w- c:\program files\Abbequerque Inc
2012-05-01 05:20:47 -------- d-----w- c:\documents and settings\grim\local settings\application data\ArmA 2 Free
2012-05-01 04:44:10 -------- d-----w- c:\documents and settings\grim\local settings\application data\ToCAEDIT
2012-04-30 22:48:09 -------- d-----w- c:\documents and settings\grim\local settings\application data\ArmA 2 OA DEMO
2012-04-30 19:36:38 -------- d-----w- c:\program files\FreeTrack
2012-04-30 19:09:01 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-04-30 19:09:01 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-04-30 18:33:12 -------- d-----w- c:\program files\Code Laboratories
2012-04-26 07:08:36 -------- d-----w- C:\sw3dg
2012-04-26 07:07:07 -------- d-----w- c:\program files\Evochron Mercenary
2012-04-25 00:24:37 -------- d-----w- c:\documents and settings\grim\local settings\application data\PassMark
2012-04-25 00:24:23 -------- d-----w- c:\documents and settings\all users\application data\PassMark
2012-04-24 21:17:40 -------- d-----w- c:\documents and settings\all users\application data\RELOADED
2012-04-24 21:09:08 -------- d-----w- c:\program files\The Walking Dead
2012-04-22 09:17:32 334008 ----a-r- c:\documents and settings\grim\application data\microsoft\installer\{905d6095-7f38-43f3-82a4-8a36e5a00fad}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
2012-04-22 09:17:32 334008 ----a-r- c:\documents and settings\grim\application data\microsoft\installer\{905d6095-7f38-43f3-82a4-8a36e5a00fad}\ARPPRODUCTICON.exe
2012-04-22 07:03:40 10368 ----a-w- c:\windows\system32\drivers\rramdisk.sys
2012-04-21 08:04:25 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-04-21 08:04:25 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-04-21 08:04:24 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-04-21 08:04:24 15503168 ----a-w- c:\windows\system32\nvcpl.dll
2012-04-21 08:04:24 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-04-21 08:04:07 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-21 08:04:03 1072828 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-04-21 08:04:03 1072828 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-21 08:04:03 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-21 08:02:53 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-04-21 08:02:53 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-04-21 08:02:53 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-04-21 08:02:53 2444608 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-04-21 08:02:53 2358784 ----a-w- c:\windows\system32\nvapi.dll
2012-04-21 08:02:53 18747392 ----a-w- c:\windows\system32\nvoglnt.dll
2012-04-21 08:02:53 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-04-21 08:02:53 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-04-18 18:22:41 -------- d-----w- c:\documents and settings\grim\application data\SYSTEMAX Software Development
2012-04-18 18:22:41 -------- d-----w- c:\documents and settings\all users\application data\SYSTEMAX Software Development
2012-04-13 21:38:10 -------- d-----w- c:\program files\EVGA Precision X
.
==================== Find3M ====================
.
2012-05-08 22:30:15 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47:08 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 22:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 16:05:44 869552 ----a-w- c:\windows\boinc.scr
2012-04-03 23:50:14 108409 ----a-w- c:\windows\Thumbplug TGA Uninstaller.exe
2012-04-03 17:14:00 4336640 ----a-w- c:\windows\system32\nv4_disp.dll
2012-04-03 17:14:00 14008320 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-02 20:51:28 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 21:09:22 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-02-29 21:09:22 140304 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-29 21:09:16 281032 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-29 21:09:16 281032 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-29 21:09:10 280856 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-02-29 14:08:49 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08:49 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-20 05:01:38 69952 ----a-w- c:\windows\system32\CLEyeDevices.dll
2012-02-15 18:00:00 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-14 20:51:30 720896 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 2:17:34.73 ===============

Attached Files


Edited by GrimBrunn, 13 May 2012 - 08:07 PM.
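The DDS log in the post above has two sections a responder usually reads first when a boot-sector rootkit has been reported: the SERVICES / DRIVERS list and the Created Last 30 file list. The helper below is an added example, not part of the original thread and not code from the DDS tool; it parses those two sections into records and pulls out two review lists. The sample lines are copied from the log above, and the two heuristics (a driver service whose display name merely repeats its service name, and a .sys file created recently under the drivers directory) are this editor's assumptions about what is worth a second look, not a verdict on any entry.

```python
"""Parse DDS-style 'SERVICES / DRIVERS' and 'Created Last 30' lines into
records and produce two triage lists (added example, not DDS code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample lines copied from the DDS log posted above (not invented).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R? dugb.sys;dugb.sys
R? GenericMount;Generic Mount Driver
R? xcpip;TCP/IP Protocol Driver
S? MBAMProtector;MBAMProtector
S? VBoxDrv;VirtualBox Service
=============== Created Last 30 ================
2012-05-13 06:00:27 -------- d-----w- c:\documents and settings\grim\DoctorWeb
2012-05-13 05:21:24 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 01:48:32 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2012-04-22 07:03:40 10368 ----a-w- c:\windows\system32\drivers\rramdisk.sys
2012-04-21 08:04:25 164160 ----a-w- c:\windows\system32\nvsvc32.exe
"""

# "R? name;display name" / "S? name;display name" as DDS prints them.
DRIVER_RE = re.compile(r"^([RS])\?\s+([^;]+);(.*)$")
# "<timestamp> <size or -------- for dirs> <8 attribute chars> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.+)$"
)


@dataclass
class DriverEntry:
    state: str          # 'R' (running) or 'S' (stopped) as DDS prints it
    name: str           # service/driver key name
    display_name: str   # description shown after the ';'


@dataclass
class FileEntry:
    created: datetime
    size: Optional[int]   # None for directories ('--------' in the log)
    attrs: str            # e.g. '----a-w-'; leading 'd' marks a directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds(text: str) -> Tuple[List[DriverEntry], List[FileEntry]]:
    """Return (driver entries, file entries); header lines are skipped."""
    drivers: List[DriverEntry] = []
    files: List[FileEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(DriverEntry(m.group(1), m.group(2).strip(),
                                       m.group(3).strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(2).startswith("-") else int(m.group(2))
            files.append(FileEntry(
                datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                size, m.group(3), m.group(4)))
    return drivers, files


def unlabelled_drivers(drivers: List[DriverEntry]) -> List[str]:
    """Driver services whose display name just repeats the service name.
    Legitimate drivers do this too (MBAMProtector in the sample), so the
    result is a list to review by hand, not a list of bad entries."""
    return [d.name for d in drivers
            if d.display_name.lower() == d.name.lower()]


def recent_kernel_drivers(files: List[FileEntry], since: datetime) -> List[str]:
    """File names of .sys files under a '\\drivers\\' directory created on
    or after `since`; kernel drivers are what a rootkit triage checks first."""
    out = []
    for f in files:
        p = f.path.lower()
        if (not f.is_dir and p.endswith(".sys")
                and "\\drivers\\" in p and f.created >= since):
            out.append(p.rsplit("\\", 1)[-1])
    return out


if __name__ == "__main__":
    drv, fil = parse_dds(SAMPLE_LOG)
    print("review (no description):", unlabelled_drivers(drv))
    print("recent .sys drivers:", recent_kernel_drivers(fil, datetime(2012, 5, 1)))
```

Run against the full DDS log instead of the sample and the two lists give a starting point for the hand check (publisher, signature, on-disk presence) that the helpers in this forum do for each entry; nothing in the output is a detection by itself.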




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 13 May 2012 - 11:54 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 GrimBrunn

GrimBrunn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:36 AM

Posted 14 May 2012 - 04:02 PM

Thank you for the quick response and taking my case.

The system is performing well, but the infection has never seemed to negatively impact overall system performance or functionality, so it may be hard to gauge progress from this.

After running ComboFix I spent some time trying to get the fraudulent prompt again by revisiting Amazon.com and other potential target sites several times, but was not able to receive it. It only ever appeared quite rarely though, so I'm unsure if this can be considered a mark of progress. The infection seems highly incognito by nature, so getting a solid read on symptoms may be hard. I'll continue to stay on guard for the re-appearance of the prompts though.

I also tried running GMER again which failed, again. I was able to catch the error prompt which reads,

"Windows was unable to save all the data for the file \WINDOWS\System32\config\AppEvent.Evt. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere."

I'm unaware if this is a symptom of the infection or just an incompatibility between my machine and GMER.

Also, due to some lingering leftovers from an older infection of ZeroAccess, ComboFix detects ZeroAccess every time it's run on my machine and tries unsuccessfully to clean it. I don't know if this will interfere or if it may even be connected to this infection.


Logs:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
JavaFX 2.1.0
Java™ 7 Update 4
Adobe Flash Player 11.2.202.235
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (12.0.)
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````


-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------


ComboFix 12-05-13.04 - Grim 05/14/2012 2:03.1.2 - x86
Running from: c:\documents and settings\Grim\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\apppatch\AppLoc.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\iun6002.exe
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\tmp39A.tmp
c:\windows\system32\tmp39B.tmp
c:\windows\system32\tmp46E.tmp
c:\windows\system32\tmp46F.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xcpip
.
.
((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
.
.
2012-05-13 06:00 . 2012-05-13 06:00 -------- d-----w- c:\documents and settings\Grim\DoctorWeb
2012-05-13 05:38 . 2012-05-13 05:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\WTablet
2012-05-13 05:37 . 2012-05-13 05:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-13 05:21 . 2012-05-13 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-13 05:21 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 19:14 . 2012-05-12 19:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 19:14 . 2012-05-12 19:14 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 19:08 . 2012-05-12 19:08 -------- d-----w- c:\documents and settings\Grim\Application Data\Oracle
2012-05-12 19:08 . 2012-04-04 22:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-12 19:08 . 2012-05-12 19:08 -------- d-----w- c:\program files\Java
2012-05-12 08:48 . 2012-05-12 09:02 -------- d-----w- c:\program files\Guild Wars
2012-05-12 01:50 . 2012-05-12 01:50 -------- d-----w- c:\documents and settings\Grim\Application Data\wtablet
2012-05-12 01:49 . 2011-09-08 21:48 1107832 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2012-05-12 01:48 . 2011-09-08 21:49 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2012-05-12 01:48 . 2011-09-08 21:49 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2012-05-12 01:48 . 2011-09-08 21:48 1156472 ----a-w- c:\windows\system32\Wintab32.dll
2012-05-12 01:48 . 2011-09-08 21:48 1152888 ----a-w- c:\windows\system32\WacomMT.dll
2012-05-12 01:48 . 2011-09-08 21:48 1369464 ----a-w- c:\windows\system32\Pen_Tablet.dll
2012-05-12 01:48 . 2012-05-12 01:49 -------- d-----w- c:\program files\Tablet
2012-05-10 09:17 . 2012-05-10 09:17 -------- d--h--r- c:\documents and settings\Grim\Application Data\SecuROM
2012-05-09 23:25 . 2012-05-09 23:42 -------- d-----w- c:\documents and settings\Grim\Application Data\IDoser
2012-05-09 23:25 . 2012-05-09 23:25 -------- d-----w- c:\program files\I-Doser Premium
2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
2012-05-02 00:41 . 2012-05-05 09:17 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\AlephOne
2012-05-01 06:19 . 2012-05-01 06:19 -------- d-----w- c:\documents and settings\Grim\Application Data\Seeing Machines
2012-05-01 06:19 . 2012-05-01 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Seeing Machines
2012-05-01 06:16 . 2012-05-01 07:14 -------- d-----w- c:\program files\Abbequerque Inc
2012-05-01 05:20 . 2012-05-13 00:17 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ArmA 2 Free
2012-05-01 04:44 . 2012-05-01 04:44 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ToCAEDIT
2012-04-30 22:48 . 2012-04-30 22:48 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ArmA 2 OA DEMO
2012-04-30 19:36 . 2012-05-13 02:55 -------- d-----w- c:\program files\FreeTrack
2012-04-30 19:09 . 2008-04-14 04:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-04-30 19:09 . 2008-04-14 04:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-04-30 18:33 . 2012-04-30 18:33 -------- d-----w- c:\program files\Code Laboratories
2012-04-26 07:08 . 2012-04-26 07:08 -------- d-----w- C:\sw3dg
2012-04-26 07:07 . 2012-04-26 07:07 -------- d-----w- c:\program files\Evochron Mercenary
2012-04-25 00:24 . 2012-04-25 00:24 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\PassMark
2012-04-25 00:24 . 2012-04-25 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
2012-04-24 21:17 . 2012-04-24 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\RELOADED
2012-04-24 21:09 . 2012-04-24 21:10 -------- d-----w- c:\program files\The Walking Dead
2012-04-22 09:17 . 2012-04-22 09:17 334008 ----a-r- c:\documents and settings\Grim\Application Data\Microsoft\Installer\{905D6095-7F38-43F3-82A4-8A36E5A00FAD}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
2012-04-22 09:17 . 2012-04-22 09:17 334008 ----a-r- c:\documents and settings\Grim\Application Data\Microsoft\Installer\{905D6095-7F38-43F3-82A4-8A36E5A00FAD}\ARPPRODUCTICON.exe
2012-04-22 07:03 . 2003-12-09 14:04 10368 ----a-w- c:\windows\system32\drivers\rramdisk.sys
2012-04-21 08:04 . 2012-04-03 12:59 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-04-21 08:04 . 2012-04-03 12:59 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-04-21 08:04 . 2012-04-03 13:00 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-04-21 08:04 . 2012-04-03 12:59 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-04-21 08:04 . 2012-04-03 12:59 15503168 ----a-w- c:\windows\system32\nvcpl.dll
2012-04-21 08:04 . 2012-04-03 17:14 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-21 08:04 . 2012-04-26 07:39 1072828 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-04-21 08:04 . 2012-04-26 07:39 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-21 08:04 . 2012-04-26 07:39 1072828 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-21 08:02 . 2012-04-03 17:14 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-04-21 08:02 . 2012-04-03 17:14 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-04-21 08:02 . 2012-04-03 17:14 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-04-21 08:02 . 2012-04-03 17:14 2444608 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-04-21 08:02 . 2012-04-03 17:14 2358784 ----a-w- c:\windows\system32\nvapi.dll
2012-04-21 08:02 . 2012-04-03 17:14 18747392 ----a-w- c:\windows\system32\nvoglnt.dll
2012-04-21 08:02 . 2012-04-03 17:14 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-04-21 08:02 . 2012-04-03 17:14 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-04-18 18:22 . 2012-04-18 18:22 -------- d-----w- c:\documents and settings\Grim\Application Data\SYSTEMAX Software Development
2012-04-18 18:22 . 2012-04-18 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 22:30 . 2011-10-19 04:45 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-08 22:30 . 2011-10-19 04:45 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2012-02-11 03:11 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 22:47 . 2010-04-16 19:11 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 16:05 . 2012-04-04 16:05 869552 ----a-w- c:\windows\boinc.scr
2012-04-03 23:50 . 2012-04-03 23:50 108409 ----a-w- c:\windows\Thumbplug TGA Uninstaller.exe
2012-04-03 17:14 . 2011-08-09 00:16 4336640 ----a-w- c:\windows\system32\nv4_disp.dll
2012-04-03 17:14 . 2011-08-09 00:16 14008320 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-02 20:51 . 2011-08-08 01:46 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 21:09 . 2008-04-01 19:01 140304 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-29 21:09 . 2008-04-01 19:00 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-02-29 21:09 . 2009-03-27 01:15 281032 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-29 21:09 . 2008-04-01 19:00 281032 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-29 21:09 . 2008-04-01 19:00 280856 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-02-29 14:08 . 2004-08-04 12:00 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2004-08-04 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-20 05:01 . 2012-02-20 05:01 69952 ----a-w- c:\windows\system32\CLEyeDevices.dll
2012-02-15 18:00 . 2012-02-19 22:41 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-04-21 01:19 . 2012-05-12 07:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-03 15503168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2012-04-03 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-03 1634112]
"EVGAPrecision"="c:\program files\EVGA Precision X\EVGAPrecision.exe" [2012-04-10 553800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\Grim\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-2 3553176]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"Imapi Helper"=3 (0x3)
"PD91Agent"=2 (0x2)
"gupdate1c9c69c8d38db62"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"npggsvc"=3 (0x3)
"ose"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"DAUpdaterSvc"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=2 (0x2)
"LiveTurbineMessageService"=3 (0x3)
"LiveTurbineNetworkService"=3 (0x3)
"ALG"=3 (0x3)
"IDriverT"=3 (0x3)
"SwitchBoard"=3 (0x3)
"RPCT"=2 (0x2)
"rpcapd"=3 (0x3)
"wlidsvc"=2 (0x2)
"IAANTMON"=2 (0x2)
"AntiVirWebService"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Documents and Settings\\Grim\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Codemasters\\Overlord II\\Overlord2.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Activision\\Apache Air Assault\\launcher.exe"=
"c:\\Program Files\\Activision\\Apache Air Assault\\yuPlay\\yuPlay.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\synergy\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Codemasters\\DiRT 3\\dirt3_game.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\mentalimages\\satellite\\raysat_3dsmax2012_32.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\mentalimages\\satellite\\raysat_3dsmax2012_32server.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\amnesia the dark descent\\Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\skyrim\\CreationKit.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war soulstorm\\soulstorm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 3\\Binaries\\Win32\\MassEffect3.exe"=
"c:\\Program Files\\Codemasters\\F1 2011\\F1_2011.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\red orchestra 2\\Binaries\\Win32\\ROGame.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\x3 terran conflict\\X3TC.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\x3 terran conflict\\X3AP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{F27CFD16-939A-4232-98CD-180898D14713}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\mountblade warband\\mb_warband.exe"=
"c:\\Program Files\\Bohemia Interactive\\ArmA 2 Free\\arma2free.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\Portal 2\\portal2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R0 RRamdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [4/22/2012 3:03 AM 10368]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/19/2011 12:45 AM 36000]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/10/2012 3:40 PM 242240]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [11/11/2008 11:47 PM 158512]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [11/11/2008 11:47 PM 91440]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2011 12:45 AM 86224]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/13/2012 1:21 AM 654408]
R2 mi-raysat_3dsmax2012_32;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 32-bit - English 32-bit;c:\program files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe [2/23/2011 8:59 AM 86016]
R2 RPCQT;Remote Procedure Call (CQTPM);c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [5/11/2012 9:48 PM 5554552]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [5/11/2012 9:49 PM 451960]
R2 wcafix;Windows Cursor Acceleration Fix;c:\windows\system32\drivers\wcafix.sys [3/21/2010 6:44 AM 3516]
R3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [8/7/2011 3:25 AM 6656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/13/2012 1:21 AM 22344]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/17/2009 6:12 PM 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/19/2011 3:11 PM 116016]
R3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [8/7/2011 3:25 AM 10240]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\ZyX\VMLaunch\BuddyVM.sys --> c:\program files\ZyX\VMLaunch\BuddyVM.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 AODDriver;AODDriver;\??\c:\program files\GIGABYTE\ET6\i386\AODDriver.sys --> c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Grim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Grim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [3/29/2008 12:17 AM 22784]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
S3 dugb.sys;dugb.sys;\??\c:\windows\system32\drivers\dugb.sys --> c:\windows\system32\drivers\dugb.sys [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [3/20/2010 7:47 PM 17488]
S3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\drivers\EvcapMau.sys [10/12/2009 3:52 PM 180864]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [3/2/2009 6:07 PM 7680]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys --> c:\windows\system32\drivers\kx.sys [?]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [12/6/2010 4:54 PM 14856]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C2.tmp --> c:\windows\system32\C2.tmp [?]
S3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [10/31/2009 4:10 AM 2048]
S3 ProcAPI;ProcAPI;\??\c:\program files\Intel Corporation\Thermal Analysis Tool\ProcAPI.sys --> c:\program files\Intel Corporation\Thermal Analysis Tool\ProcAPI.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 8:00 AM 5120]
S3 tat;tat;\??\c:\program files\Intel Corporation\Thermal Analysis Tool\tat.sys --> c:\program files\Intel Corporation\Thermal Analysis Tool\tat.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys --> c:\windows\system32\Drivers\xbreader.sys [?]
S3 XDva311;XDva311;\??\c:\windows\system32\XDva311.sys --> c:\windows\system32\XDva311.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S4 RPCT;Remote Procedure Call (TPM);c:\program files\Common Files\System\qmgr.exe --> c:\program files\Common Files\System\qmgr.exe [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RPCQT
PID_PEPI
TeamViewer
CVirtA
AsIO
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\documents and settings\Grim\Application Data\Mozilla\Firefox\Profiles\4drk7qcn.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-KProbe - c:\windows\iun6002.exe
AddRemove-Roccat GUI3.0 - c:\program files\valve\steam\steamapps\grim_r\counter-strike source\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-14 02:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-412668190-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{273539A3-4A04-9AE7-695D-FED4C0D21015}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabkfmnkggopjgnmep"=hex:6a,61,67,6e,67,68,6f,63,63,61,6c,62,6f,69,62,63,6a,70,
6c,6f,00,f2
"halkedffbcmlonnb"=hex:6a,61,67,6e,67,68,6f,63,63,61,6c,62,6f,69,62,63,6a,70,
6c,6f,00,f2
"gaelbgmolbbiib"=hex:61,63,64,69,61,69,6a,6c,6b,69,65,69,69,6c,6e,63,67,6e,6a,
64,65,61,6a,64,68,6b,64,6d,6f,6b,63,61,67,6f,67,6d,66,63,6b,68,65,62,6a,6d,\
.
[HKEY_USERS\S-1-5-21-1935655697-412668190-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e4,cb,33,0c,46,1b,66,9d,08,2d,28,0e,92,64,53,87,ba,dc,5d,31,25,
a4,cc,71,83,9b,11,f5,b7,27,9b,95,fe,52,49,53,a2,6a,a3,e8,6d,ab,c7,9b,4f,d4,\
"rkeysecu"=hex:66,27,8d,90,56,46,a0,48,9d,67,9d,6e,11,95,b4,82
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\561ad306-5297-65a9-d042-f658e60eb21]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1txammlkhrnfq"=hex:31,39,30,63,61,35,33,66,2d,66,62,37,35,2d,34,39,63,35,2d,
61,36,35,37,2d,31,36,30,62,33,61,66,37,34,65,39,64
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_45547.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\devldr32.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\Razer\DeathAdder\vdDaemon.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2012-05-14 02:23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-14 06:23
.
Pre-Run: 190,481,854,464 bytes free
Post-Run: 190,036,914,176 bytes free
.
- - End Of File - - D41AB80A466F3AE968EB9C3872CE3542

Edited by GrimBrunn, 14 May 2012 - 04:03 PM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 May 2012 - 05:37 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 GrimBrunn

GrimBrunn
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:US

Posted 15 May 2012 - 02:44 PM

15:03:10.0750 5716 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
15:03:11.0140 5716 ============================================================
15:03:11.0140 5716 Current date / time: 2012/05/15 15:03:11.0140
15:03:11.0140 5716 SystemInfo:
15:03:11.0140 5716
15:03:11.0140 5716 OS Version: 5.1.2600 ServicePack: 3.0
15:03:11.0140 5716 Product type: Workstation
15:03:11.0140 5716 ComputerName: SCYTHE
15:03:11.0140 5716 UserName: Grim
15:03:11.0140 5716 Windows directory: C:\WINDOWS
15:03:11.0140 5716 System windows directory: C:\WINDOWS
15:03:11.0140 5716 Processor architecture: Intel x86
15:03:11.0140 5716 Number of processors: 2
15:03:11.0140 5716 Page size: 0x1000
15:03:11.0140 5716 Boot type: Normal boot
15:03:11.0140 5716 ============================================================
15:03:13.0312 5716 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8BD5E00 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:03:13.0687 5716 Drive \Device\Harddisk1\DR1 - Size: 0x1D1C100DE00 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:03:13.0703 5716 Drive \Device\Harddisk2\DR2 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:03:13.0734 5716 ============================================================
15:03:13.0734 5716 \Device\Harddisk0\DR0:
15:03:13.0734 5716 MBR partitions:
15:03:13.0734 5716 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x575452C2
15:03:13.0734 5716 \Device\Harddisk1\DR1:
15:03:13.0734 5716 MBR partitions:
15:03:13.0734 5716 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xE8E035C1
15:03:13.0734 5716 \Device\Harddisk2\DR2:
15:03:13.0734 5716 MBR partitions:
15:03:13.0734 5716 \Device\Harddisk2\DR2\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A385B42
15:03:13.0734 5716 ============================================================
15:03:13.0781 5716 C: <-> \Device\Harddisk0\DR0\Partition0
15:03:13.0906 5716 E: <-> \Device\Harddisk1\DR1\Partition0
15:03:13.0953 5716 F: <-> \Device\Harddisk2\DR2\Partition0
15:03:13.0968 5716 ============================================================
15:03:13.0968 5716 Initialize success
15:03:13.0968 5716 ============================================================
15:03:32.0328 2648 ============================================================
15:03:32.0328 2648 Scan started
15:03:32.0328 2648 Mode: Manual;
15:03:32.0328 2648 ============================================================
15:03:33.0328 2648 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
15:03:33.0328 2648 6to4 - ok
15:03:33.0343 2648 Abiosdsk - ok
15:03:33.0375 2648 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:03:33.0375 2648 ACPI - ok
15:03:33.0406 2648 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:03:33.0437 2648 ACPIEC - ok
15:03:33.0437 2648 adfs - ok
15:03:33.0453 2648 admjoy (a23675760dec131b9f799b6fb038a1f0) C:\WINDOWS\system32\DRIVERS\admjoy.sys
15:03:33.0468 2648 admjoy - ok
15:03:33.0484 2648 adpu160m - ok
15:03:33.0500 2648 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:03:33.0531 2648 aec - ok
15:03:33.0546 2648 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:03:33.0546 2648 AFD - ok
15:03:33.0546 2648 aic78xx - ok
15:03:33.0578 2648 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
15:03:33.0625 2648 Alerter - ok
15:03:33.0640 2648 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
15:03:33.0718 2648 ALG - ok
15:03:33.0718 2648 AliIde - ok
15:03:33.0718 2648 Ambfilt - ok
15:03:33.0734 2648 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
15:03:33.0765 2648 AmdLLD - ok
15:03:33.0765 2648 amsint - ok
15:03:33.0828 2648 AntiVirSchedulerService (0a1cc583e8147004e4ad4625d7fbf88c) C:\Program Files\Avira\AntiVir Desktop\sched.exe
15:03:33.0843 2648 AntiVirSchedulerService - ok
15:03:33.0859 2648 AntiVirService (c9a36ef935aced86aedf93e97e606911) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
15:03:33.0906 2648 AntiVirService - ok
15:03:33.0921 2648 AODDriver - ok
15:03:33.0953 2648 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
15:03:33.0984 2648 AppMgmt - ok
15:03:34.0015 2648 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:03:34.0031 2648 Arp1394 - ok
15:03:34.0046 2648 asc - ok
15:03:34.0046 2648 asc3350p - ok
15:03:34.0046 2648 asc3550 - ok
15:03:34.0046 2648 AsIO - ok
15:03:34.0093 2648 ASPI32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\ASPI32.sys
15:03:34.0125 2648 ASPI32 - ok
15:03:34.0187 2648 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
15:03:34.0250 2648 aspnet_state - ok
15:03:34.0281 2648 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:03:34.0281 2648 AsyncMac - ok
15:03:34.0312 2648 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:03:34.0312 2648 atapi - ok
15:03:34.0328 2648 Atdisk - ok
15:03:34.0359 2648 ATITool (d4ed96ac2fafee2c697436b9a2871cd3) C:\WINDOWS\system32\DRIVERS\ATITool.sys
15:03:34.0390 2648 ATITool - ok
15:03:34.0406 2648 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:03:34.0437 2648 Atmarpc - ok
15:03:34.0468 2648 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
15:03:34.0484 2648 AudioSrv - ok
15:03:34.0500 2648 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:03:34.0515 2648 audstub - ok
15:03:34.0531 2648 avgntflt (d5541f0afb767e85fc412fc609d96a74) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
15:03:34.0531 2648 avgntflt - ok
15:03:34.0546 2648 avipbb (7d967a682d4694df7fa57d63a2db01fe) C:\WINDOWS\system32\DRIVERS\avipbb.sys
15:03:34.0562 2648 avipbb - ok
15:03:34.0578 2648 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
15:03:34.0625 2648 avkmgr - ok
15:03:34.0640 2648 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:03:34.0656 2648 Beep - ok
15:03:34.0687 2648 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
15:03:34.0734 2648 BITS - ok
15:03:34.0750 2648 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
15:03:34.0781 2648 Browser - ok
15:03:34.0796 2648 catchme - ok
15:03:34.0812 2648 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:03:34.0843 2648 cbidf2k - ok
15:03:34.0843 2648 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
15:03:34.0859 2648 CCDECODE - ok
15:03:34.0859 2648 cd20xrnt - ok
15:03:34.0875 2648 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:03:34.0890 2648 Cdaudio - ok
15:03:34.0906 2648 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:03:34.0906 2648 Cdfs - ok
15:03:34.0921 2648 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:03:34.0937 2648 Cdrom - ok
15:03:34.0937 2648 Changer - ok
15:03:34.0953 2648 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
15:03:34.0984 2648 CiSvc - ok
15:03:35.0000 2648 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
15:03:35.0015 2648 ClipSrv - ok
15:03:35.0109 2648 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:03:35.0171 2648 clr_optimization_v2.0.50727_32 - ok
15:03:35.0218 2648 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15:03:35.0312 2648 clr_optimization_v4.0.30319_32 - ok
15:03:35.0312 2648 CmdIde - ok
15:03:35.0343 2648 cmuda3 - ok
15:03:35.0343 2648 COMSysApp - ok
15:03:35.0343 2648 Cpqarray - ok
15:03:35.0468 2648 cpuz130 - ok
15:03:35.0562 2648 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
15:03:35.0593 2648 CryptSvc - ok
15:03:35.0593 2648 ctac32k - ok
15:03:35.0593 2648 ctaud2k - ok
15:03:35.0609 2648 ctdvda2k - ok
15:03:35.0640 2648 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
15:03:35.0703 2648 ctljystk - ok
15:03:35.0703 2648 ctprxy2k - ok
15:03:35.0703 2648 ctsfm2k - ok
15:03:35.0703 2648 dac2w2k - ok
15:03:35.0703 2648 dac960nt - ok
15:03:35.0765 2648 DAdderFltr (cb90f77e21109ccfd114a17bd87a42a7) C:\WINDOWS\system32\drivers\dadder.sys
15:03:35.0812 2648 DAdderFltr - ok
15:03:35.0937 2648 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
15:03:35.0937 2648 DcomLaunch - ok
15:03:35.0953 2648 dfmirage (d8cd6a2a94f545858eec6117f0d5dff4) C:\WINDOWS\system32\DRIVERS\dfmirage.sys
15:03:35.0968 2648 dfmirage - ok
15:03:35.0984 2648 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
15:03:36.0015 2648 Dhcp - ok
15:03:36.0046 2648 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:03:36.0046 2648 Disk - ok
15:03:36.0046 2648 dmadmin - ok
15:03:36.0109 2648 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:03:36.0171 2648 dmboot - ok
15:03:36.0187 2648 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:03:36.0187 2648 dmio - ok
15:03:36.0203 2648 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:03:36.0203 2648 dmload - ok
15:03:36.0218 2648 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
15:03:36.0234 2648 dmserver - ok
15:03:36.0250 2648 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:03:36.0281 2648 DMusic - ok
15:03:36.0296 2648 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
15:03:36.0296 2648 Dnscache - ok
15:03:36.0328 2648 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
15:03:36.0343 2648 Dot3svc - ok
15:03:36.0359 2648 dpti2o - ok
15:03:36.0375 2648 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:03:36.0390 2648 drmkaud - ok
15:03:36.0421 2648 dtsoftbus01 (687af6bb383885ff6a64071b189a7f3e) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
15:03:36.0421 2648 dtsoftbus01 - ok
15:03:36.0421 2648 dugb.sys - ok
15:03:36.0437 2648 EagleNT - ok
15:03:36.0437 2648 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
15:03:36.0468 2648 EapHost - ok
15:03:36.0515 2648 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
15:03:36.0515 2648 emu10k - ok
15:03:36.0531 2648 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
15:03:36.0546 2648 emu10k1 - ok
15:03:36.0562 2648 emupia (7bb488ec082d40645936d9e583f560dc) C:\WINDOWS\system32\drivers\emupia2k.sys
15:03:36.0593 2648 emupia - ok
15:03:36.0609 2648 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
15:03:36.0656 2648 ENTECH - ok
15:03:36.0656 2648 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
15:03:36.0687 2648 ERSvc - ok
15:03:36.0703 2648 etdrv (3af0ae042afe486b22644cd3fbebf2e2) C:\WINDOWS\etdrv.sys
15:03:38.0109 2648 etdrv - ok
15:03:38.0281 2648 EvcapMaui (ec32894931fe0a14451441ffe7d9fdab) C:\WINDOWS\system32\DRIVERS\EvcapMau.sys
15:03:38.0359 2648 EvcapMaui - ok
15:03:38.0484 2648 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
15:03:38.0484 2648 Eventlog - ok
15:03:38.0515 2648 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
15:03:38.0515 2648 EventSystem - ok
15:03:38.0546 2648 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:03:38.0578 2648 Fastfat - ok
15:03:38.0609 2648 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:03:38.0609 2648 FastUserSwitchingCompatibility - ok
15:03:38.0625 2648 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
15:03:38.0656 2648 Fdc - ok
15:03:38.0671 2648 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:03:38.0703 2648 Fips - ok
15:03:38.0796 2648 FLEXnet Licensing Service (73081cf28f0ae20a52ca4f67cee6e6b0) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
15:03:38.0843 2648 FLEXnet Licensing Service - ok
15:03:38.0859 2648 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:03:38.0875 2648 Flpydisk - ok
15:03:38.0906 2648 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
15:03:38.0921 2648 FltMgr - ok
15:03:38.0984 2648 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
15:03:39.0015 2648 FontCache3.0.0.0 - ok
15:03:39.0031 2648 FStarForce (366e2d032c0c4be51b8a69a6b0b31b9b) C:\WINDOWS\system32\DRIVERS\FStarForce.sys
15:03:39.0046 2648 FStarForce - ok
15:03:39.0109 2648 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
15:03:39.0125 2648 FsVga - ok
15:03:39.0140 2648 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:03:39.0171 2648 Fs_Rec - ok
15:03:39.0187 2648 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:03:39.0187 2648 Ftdisk - ok
15:03:39.0203 2648 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
15:03:39.0218 2648 gameenum - ok
15:03:39.0234 2648 gdrv (5c230948dd6652228f88ca7ae6cb276c) C:\WINDOWS\gdrv.sys
15:03:39.0265 2648 gdrv - ok
15:03:39.0281 2648 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
15:03:39.0296 2648 GEARAspiWDM - ok
15:03:39.0296 2648 GenericMount - ok
15:03:39.0328 2648 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
15:03:39.0328 2648 giveio - ok
15:03:39.0359 2648 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:03:39.0390 2648 Gpc - ok
15:03:39.0437 2648 ha10kx2k (9bb84b1dff8bce7fdddea746f6819fcf) C:\WINDOWS\system32\drivers\ha10kx2k.sys
15:03:39.0484 2648 ha10kx2k - ok
15:03:39.0500 2648 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
15:03:39.0515 2648 hamachi - ok
15:03:39.0515 2648 hap16v2k - ok
15:03:39.0546 2648 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:03:39.0578 2648 HDAudBus - ok
15:03:39.0578 2648 hidkmdf (bb1822838c0714b3c03efe0f209d135d) C:\WINDOWS\system32\DRIVERS\hidkmdf.sys
15:03:39.0609 2648 hidkmdf - ok
15:03:39.0625 2648 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
15:03:39.0640 2648 HidServ - ok
15:03:39.0656 2648 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:03:39.0703 2648 HidUsb - ok
15:03:39.0718 2648 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
15:03:39.0750 2648 hkmsvc - ok
15:03:39.0750 2648 hpn - ok
15:03:39.0843 2648 HPSLPSVC (7f437a78c5b0105b67b830d00ad719f8) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
15:03:39.0890 2648 HPSLPSVC - ok
15:03:39.0906 2648 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:03:39.0921 2648 HTTP - ok
15:03:39.0937 2648 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
15:03:39.0953 2648 HTTPFilter - ok
15:03:39.0953 2648 i2omgmt - ok
15:03:39.0953 2648 i2omp - ok
15:03:39.0968 2648 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:03:40.0000 2648 i8042prt - ok
15:03:40.0078 2648 IAANTMON (7548066df68a8a1a56b043359f915f37) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
15:03:40.0109 2648 IAANTMON - ok
15:03:40.0140 2648 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\drivers\iaStor.sys
15:03:40.0140 2648 iaStor - ok
15:03:40.0187 2648 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
15:03:40.0234 2648 IDriverT - ok
15:03:40.0343 2648 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:03:40.0546 2648 idsvc - ok
15:03:40.0734 2648 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:03:40.0750 2648 Imapi - ok
15:03:40.0781 2648 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
15:03:40.0781 2648 ImapiService - ok
15:03:40.0781 2648 ini910u - ok
15:03:40.0796 2648 IntcAzAudAddService - ok
15:03:40.0796 2648 IntelIde - ok
15:03:40.0812 2648 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:03:40.0828 2648 intelppm - ok
15:03:40.0843 2648 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
15:03:40.0843 2648 Ip6Fw - ok
15:03:40.0875 2648 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:03:40.0890 2648 IpFilterDriver - ok
15:03:40.0906 2648 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:03:40.0921 2648 IpInIp - ok
15:03:40.0953 2648 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:03:40.0953 2648 IpNat - ok
15:03:40.0984 2648 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:03:40.0984 2648 IPSec - ok
15:03:41.0015 2648 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:03:41.0031 2648 IRENUM - ok
15:03:41.0062 2648 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:03:41.0062 2648 isapnp - ok
15:03:41.0093 2648 ithsgt (b7a5fadf67136fda7e8f25303565b674) C:\WINDOWS\system32\DRIVERS\ithsgt.sys
15:03:41.0140 2648 ithsgt - ok
15:03:41.0203 2648 JavaQuickStarterService (5472d771c0197355c1d347f20392b982) C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
15:03:41.0250 2648 JavaQuickStarterService - ok
15:03:41.0296 2648 JRAID (a324485106f133e751f4b7f47c4be3ea) C:\WINDOWS\system32\DRIVERS\jraid.sys
15:03:41.0296 2648 JRAID - ok
15:03:41.0312 2648 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:03:41.0343 2648 Kbdclass - ok
15:03:41.0359 2648 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:03:41.0375 2648 kbdhid - ok
15:03:41.0406 2648 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:03:41.0453 2648 kmixer - ok
15:03:41.0468 2648 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:03:41.0468 2648 KSecDD - ok
15:03:41.0484 2648 kxwdmdrv - ok
15:03:41.0515 2648 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
15:03:41.0515 2648 lanmanserver - ok
15:03:41.0531 2648 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
15:03:41.0531 2648 lanmanworkstation - ok
15:03:41.0531 2648 lbrtfdc - ok
15:03:41.0562 2648 LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\WINDOWS\system32\drivers\LGBusEnum.sys
15:03:41.0578 2648 LGBusEnum - ok
15:03:41.0593 2648 LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\WINDOWS\system32\drivers\LGVirHid.sys
15:03:41.0625 2648 LGVirHid - ok
15:03:41.0640 2648 lilsgt (16767ea492b5d140e1de3679a65eae74) C:\WINDOWS\system32\DRIVERS\lilsgt.sys
15:03:41.0656 2648 lilsgt - ok
15:03:41.0671 2648 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
15:03:41.0703 2648 LmHosts - ok
15:03:41.0718 2648 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
15:03:41.0718 2648 MBAMProtector - ok
15:03:41.0765 2648 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
15:03:41.0796 2648 MBAMService - ok
15:03:41.0796 2648 MEMSWEEP2 - ok
15:03:41.0812 2648 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
15:03:41.0843 2648 Messenger - ok
15:03:41.0859 2648 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
15:03:41.0875 2648 mf - ok
15:03:41.0953 2648 mi-raysat_3dsmax2012_32 (0af89452a8ce3928168f4e5b2208c68b) C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
15:03:41.0953 2648 mi-raysat_3dsmax2012_32 - ok
15:03:41.0984 2648 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:03:42.0000 2648 mnmdd - ok
15:03:42.0015 2648 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
15:03:42.0031 2648 mnmsrvc - ok
15:03:42.0046 2648 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:03:42.0062 2648 Modem - ok
15:03:42.0062 2648 Monfilt - ok
15:03:42.0078 2648 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:03:42.0093 2648 Mouclass - ok
15:03:42.0109 2648 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:03:42.0125 2648 mouhid - ok
15:03:42.0125 2648 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:03:42.0125 2648 MountMgr - ok
15:03:42.0140 2648 mraid35x - ok
15:03:42.0140 2648 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:03:42.0140 2648 MRxDAV - ok
15:03:42.0187 2648 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:03:42.0187 2648 MRxSmb - ok
15:03:42.0203 2648 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
15:03:42.0218 2648 MSDTC - ok
15:03:42.0234 2648 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:03:42.0234 2648 Msfs - ok
15:03:42.0234 2648 MSIServer - ok
15:03:42.0250 2648 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:03:42.0281 2648 MSKSSRV - ok
15:03:42.0296 2648 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:03:42.0296 2648 MSPCLOCK - ok
15:03:42.0312 2648 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:03:42.0343 2648 MSPQM - ok
15:03:42.0359 2648 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:03:42.0359 2648 mssmbios - ok
15:03:42.0375 2648 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
15:03:42.0390 2648 MSTEE - ok
15:03:42.0406 2648 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:03:42.0406 2648 Mup - ok
15:03:42.0421 2648 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
15:03:42.0437 2648 NABTSFEC - ok
15:03:42.0468 2648 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
15:03:42.0500 2648 napagent - ok
15:03:42.0515 2648 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:03:42.0515 2648 NDIS - ok
15:03:42.0515 2648 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
15:03:42.0531 2648 NdisIP - ok
15:03:42.0546 2648 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:03:42.0546 2648 NdisTapi - ok
15:03:42.0562 2648 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:03:42.0593 2648 Ndisuio - ok
15:03:42.0609 2648 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:03:42.0640 2648 NdisWan - ok
15:03:42.0656 2648 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:03:42.0656 2648 NDProxy - ok
15:03:42.0671 2648 Net Driver HPZ12 (510c138564486ff926a3f773205c63d1) C:\WINDOWS\system32\HPZinw12.dll
15:03:42.0703 2648 Net Driver HPZ12 - ok
15:03:42.0734 2648 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:03:42.0750 2648 NetBIOS - ok
15:03:42.0937 2648 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:03:43.0000 2648 NetBT - ok
15:03:43.0015 2648 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
15:03:43.0062 2648 NetDDE - ok
15:03:43.0062 2648 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
15:03:43.0062 2648 NetDDEdsdm - ok
15:03:43.0078 2648 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:03:43.0078 2648 Netlogon - ok
15:03:43.0093 2648 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
15:03:43.0125 2648 Netman - ok
15:03:43.0187 2648 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
15:03:43.0218 2648 NetTcpPortSharing - ok
15:03:43.0250 2648 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:03:43.0281 2648 NIC1394 - ok
15:03:43.0312 2648 Nla (832e4dd8964ab7acc880b2837cb1ed20) C:\WINDOWS\System32\mswsock.dll
15:03:43.0312 2648 Nla - ok
15:03:43.0343 2648 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
15:03:43.0343 2648 nm - ok
15:03:43.0375 2648 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:03:43.0375 2648 Npfs - ok
15:03:43.0406 2648 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:03:43.0406 2648 Ntfs - ok
15:03:43.0406 2648 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:03:43.0406 2648 NtLmSsp - ok
15:03:43.0468 2648 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
15:03:43.0500 2648 NtmsSvc - ok
15:03:43.0515 2648 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:03:43.0546 2648 Null - ok
15:03:44.0093 2648 nv (db3c77df22d606ec3141d0fbeabb0a78) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:03:44.0265 2648 nv - ok
15:03:44.0359 2648 NVSvc (6aee1f81d5e6e9de2d1a05be3ffad1d7) C:\WINDOWS\system32\nvsvc32.exe
15:03:44.0390 2648 NVSvc - ok
15:03:44.0421 2648 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:03:44.0421 2648 NwlnkFlt - ok
15:03:44.0437 2648 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:03:44.0453 2648 NwlnkFwd - ok
15:03:44.0484 2648 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
15:03:44.0515 2648 NwlnkIpx - ok
15:03:44.0515 2648 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
15:03:44.0531 2648 NwlnkNb - ok
15:03:44.0546 2648 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
15:03:44.0578 2648 NwlnkSpx - ok
15:03:44.0593 2648 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:03:44.0609 2648 ohci1394 - ok
15:03:44.0609 2648 ossrv - ok
15:03:44.0640 2648 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
15:03:44.0671 2648 Parport - ok
15:03:44.0687 2648 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:03:44.0687 2648 PartMgr - ok
15:03:44.0703 2648 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:03:44.0718 2648 ParVdm - ok
15:03:44.0734 2648 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:03:44.0734 2648 PCI - ok
15:03:44.0734 2648 PCIDump - ok
15:03:44.0750 2648 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:03:44.0750 2648 PCIIde - ok
15:03:44.0765 2648 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:03:44.0781 2648 Pcmcia - ok
15:03:44.0781 2648 PDCOMP - ok
15:03:44.0796 2648 PDFRAME - ok
15:03:44.0796 2648 PDRELI - ok
15:03:44.0796 2648 PDRFRAME - ok
15:03:44.0796 2648 perc2 - ok
15:03:44.0796 2648 perc2hib - ok
15:03:44.0843 2648 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
15:03:44.0843 2648 PlugPlay - ok
15:03:44.0859 2648 Pml Driver HPZ12 (37e5e8ffbad35605daeec3224ea0e465) C:\WINDOWS\system32\HPZipm12.dll
15:03:44.0875 2648 Pml Driver HPZ12 - ok
15:03:44.0906 2648 PnkBstrA (681da309716aeb98bc901d7a0458d931) C:\WINDOWS\system32\PnkBstrA.exe
15:03:44.0937 2648 PnkBstrA - ok
15:03:44.0953 2648 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:03:44.0953 2648 PolicyAgent - ok
15:03:44.0968 2648 portio32 (09687a361c9f1418973a4ae17d2f52cc) C:\WINDOWS\system32\drivers\portio32.sys
15:03:44.0984 2648 portio32 - ok
15:03:45.0078 2648 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:03:45.0125 2648 PptpMiniport - ok
15:03:45.0250 2648 ProcAPI - ok
15:03:45.0250 2648 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:03:45.0250 2648 ProtectedStorage - ok
15:03:45.0312 2648 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:03:45.0375 2648 PSched - ok
15:03:45.0484 2648 PSI_SVC_2 (543a4ef0923bf70d126625b034ef25af) c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
15:03:45.0500 2648 PSI_SVC_2 - ok
15:03:45.0515 2648 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:03:45.0531 2648 Ptilink - ok
15:03:45.0546 2648 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
15:03:45.0546 2648 PxHelp20 - ok
15:03:45.0546 2648 ql1080 - ok
15:03:45.0546 2648 Ql10wnt - ok
15:03:45.0546 2648 ql12160 - ok
15:03:45.0546 2648 ql1240 - ok
15:03:45.0546 2648 ql1280 - ok
15:03:45.0562 2648 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:03:45.0593 2648 RasAcd - ok
15:03:45.0609 2648 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
15:03:45.0640 2648 RasAuto - ok
15:03:45.0656 2648 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:03:45.0671 2648 Rasl2tp - ok
15:03:45.0703 2648 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
15:03:45.0718 2648 RasMan - ok
15:03:45.0734 2648 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:03:45.0765 2648 RasPppoe - ok
15:03:45.0781 2648 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:03:45.0796 2648 Raspti - ok
15:03:45.0828 2648 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:03:45.0843 2648 Rdbss - ok
15:03:45.0859 2648 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:03:45.0875 2648 RDPCDD - ok
15:03:45.0890 2648 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:03:45.0921 2648 rdpdr - ok
15:03:45.0937 2648 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
15:03:45.0937 2648 RDPWD - ok
15:03:45.0968 2648 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
15:03:45.0984 2648 RDSessMgr - ok
15:03:46.0000 2648 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:03:46.0031 2648 redbook - ok
15:03:46.0046 2648 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
15:03:46.0078 2648 RemoteAccess - ok
15:03:46.0093 2648 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
15:03:46.0125 2648 RemoteRegistry - ok
15:03:46.0140 2648 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
15:03:46.0156 2648 RpcLocator - ok
15:03:46.0187 2648 RPCQT - ok
15:03:46.0218 2648 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
15:03:46.0218 2648 RpcSs - ok
15:03:46.0281 2648 RPCT - ok
15:03:46.0312 2648 RRamdisk (3762a37c7ddd4afce6bd75aef790a920) C:\WINDOWS\system32\DRIVERS\rramdisk.sys
15:03:46.0312 2648 RRamdisk - ok
15:03:46.0343 2648 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
15:03:46.0359 2648 RSVP - ok
15:03:46.0390 2648 RTLE8023xp (c6d34a1874cd2b212dc3e788091c64b4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
15:03:46.0406 2648 RTLE8023xp - ok
15:03:46.0421 2648 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:03:46.0421 2648 SamSs - ok
15:03:46.0437 2648 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
15:03:46.0468 2648 SCardSvr - ok
15:03:46.0484 2648 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
15:03:46.0531 2648 Schedule - ok
15:03:46.0546 2648 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:03:46.0562 2648 Secdrv - ok
15:03:46.0578 2648 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
15:03:46.0593 2648 seclogon - ok
15:03:46.0609 2648 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
15:03:46.0609 2648 SENS - ok
15:03:46.0625 2648 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:03:46.0640 2648 serenum - ok
15:03:46.0671 2648 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:03:46.0687 2648 Serial - ok
15:03:46.0703 2648 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:03:46.0718 2648 Sfloppy - ok
15:03:46.0750 2648 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
15:03:46.0781 2648 sfman - ok
15:03:46.0812 2648 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
15:03:46.0812 2648 SharedAccess - ok
15:03:46.0843 2648 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:03:46.0843 2648 ShellHWDetection - ok
15:03:46.0843 2648 Simbad - ok
15:03:46.0859 2648 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
15:03:46.0875 2648 SLIP - ok
15:03:46.0906 2648 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
15:03:46.0921 2648 SONYPVU1 - ok
15:03:46.0921 2648 Sparrow - ok
15:03:46.0953 2648 speedfan (3fa2e254bfbce52b3c6f1bf23aab6911) C:\WINDOWS\system32\speedfan.sys
15:03:46.0953 2648 speedfan - ok
15:03:46.0968 2648 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:03:46.0984 2648 splitter - ok
15:03:47.0000 2648 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
15:03:47.0000 2648 Spooler - ok
15:03:47.0000 2648 sptd - ok
15:03:47.0000 2648 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:03:47.0015 2648 sr - ok
15:03:47.0031 2648 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
15:03:47.0062 2648 srservice - ok
15:03:47.0109 2648 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:03:47.0109 2648 Srv - ok
15:03:47.0140 2648 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
15:03:47.0171 2648 SSDPSRV - ok
15:03:47.0187 2648 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
15:03:47.0203 2648 ssmdrv - ok
15:03:47.0218 2648 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
15:03:47.0234 2648 StillCam - ok
15:03:47.0281 2648 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
15:03:47.0296 2648 stisvc - ok
15:03:47.0312 2648 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
15:03:47.0328 2648 streamip - ok
15:03:47.0343 2648 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:03:47.0359 2648 swenum - ok
15:03:47.0453 2648 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
15:03:47.0515 2648 SwitchBoard - ok
15:03:47.0578 2648 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:03:47.0625 2648 swmidi - ok
15:03:47.0625 2648 SwPrv - ok
15:03:47.0625 2648 Symantec SymSnap VSS Provider - ok
15:03:47.0625 2648 symc810 - ok
15:03:47.0640 2648 symc8xx - ok
15:03:47.0640 2648 symsnap - ok
15:03:47.0640 2648 sym_hi - ok
15:03:47.0640 2648 sym_u3 - ok
15:03:47.0734 2648 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:03:47.0781 2648 sysaudio - ok
15:03:47.0875 2648 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
15:03:47.0890 2648 SysmonLog - ok
15:03:48.0140 2648 TabletServicePen (1ff41723b6cf6ef0d2456691b75131bb) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
15:03:48.0328 2648 TabletServicePen - ok
15:03:48.0421 2648 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
15:03:48.0453 2648 TapiSrv - ok
15:03:48.0468 2648 tat - ok
15:03:48.0515 2648 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:03:48.0515 2648 Tcpip - ok
15:03:48.0531 2648 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
15:03:48.0546 2648 Tcpip6 - ok
15:03:48.0546 2648 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:03:48.0578 2648 TDPIPE - ok
15:03:48.0593 2648 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:03:48.0609 2648 TDTCP - ok
15:03:48.0625 2648 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:03:48.0640 2648 TermDD - ok
15:03:48.0671 2648 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
15:03:48.0703 2648 TermService - ok
15:03:48.0718 2648 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:03:48.0734 2648 Themes - ok
15:03:48.0750 2648 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
15:03:48.0781 2648 TlntSvr - ok
15:03:48.0781 2648 TosIde - ok
15:03:48.0843 2648 TouchServicePen (c17ea46c3326a951dc3b8e883d661e0c) C:\Program Files\Tablet\Pen\Pen_TouchService.exe
15:03:48.0843 2648 TouchServicePen - ok
15:03:48.0859 2648 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
15:03:48.0890 2648 TrkWks - ok
15:03:48.0906 2648 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
15:03:48.0968 2648 tunmp - ok
15:03:48.0984 2648 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:03:49.0015 2648 Udfs - ok
15:03:49.0015 2648 ultra - ok
15:03:49.0046 2648 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:03:49.0078 2648 Update - ok
15:03:49.0109 2648 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
15:03:49.0125 2648 upnphost - ok
15:03:49.0140 2648 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
15:03:49.0156 2648 UPS - ok
15:03:49.0187 2648 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
15:03:49.0203 2648 usbaudio - ok
15:03:49.0218 2648 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:03:49.0234 2648 usbccgp - ok
15:03:49.0250 2648 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:03:49.0281 2648 usbehci - ok
15:03:49.0281 2648 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:03:49.0296 2648 usbhub - ok
15:03:49.0328 2648 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:03:49.0343 2648 usbprint - ok
15:03:49.0359 2648 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:03:49.0359 2648 usbscan - ok
15:03:49.0390 2648 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:03:49.0406 2648 USBSTOR - ok
15:03:49.0421 2648 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:03:49.0453 2648 usbuhci - ok
15:03:49.0500 2648 VBoxDrv (103b23ec82c08fc4bdbc369552ffab2a) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
15:03:49.0531 2648 VBoxDrv - ok
15:03:49.0546 2648 VBoxNetAdp (226cd9e42be28a84ec56430fbb57224f) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
15:03:49.0562 2648 VBoxNetAdp - ok
15:03:49.0578 2648 VBoxNetFlt (0a5d6512dcb14135a388d0e7e69e01bb) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
15:03:49.0593 2648 VBoxNetFlt - ok
15:03:49.0625 2648 VBoxUSBMon (96a478edfb1fbf1fc663beb09b4175a8) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
15:03:49.0640 2648 VBoxUSBMon - ok
15:03:49.0656 2648 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:03:49.0671 2648 VgaSave - ok
15:03:49.0671 2648 ViaIde - ok
15:03:49.0687 2648 VKbms (07c20e596a0838809bc5ff5de5a65973) C:\WINDOWS\system32\DRIVERS\VKbms.sys
15:03:49.0703 2648 VKbms - ok
15:03:49.0734 2648 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:03:49.0734 2648 VolSnap - ok
15:03:49.0734 2648 VProEventMonitor - ok
15:03:49.0781 2648 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
15:03:49.0796 2648 VSS - ok
15:03:49.0812 2648 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
15:03:49.0843 2648 W32Time - ok
15:03:49.0859 2648 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
15:03:49.0890 2648 wacommousefilter - ok
15:03:49.0921 2648 wacomvhid (846b58ea44bf8c92e4b59f4e2252c4c0) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
15:03:49.0953 2648 wacomvhid - ok
15:03:50.0015 2648 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:03:50.0031 2648 Wanarp - ok
15:03:50.0046 2648 wcafix (a8da91e562f2c09060724d9747dfd2e8) C:\WINDOWS\system32\DRIVERS\wcafix.sys
15:03:50.0078 2648 wcafix - ok
15:03:50.0265 2648 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
15:03:50.0296 2648 Wdf01000 - ok
15:03:50.0296 2648 WDICA - ok
15:03:50.0312 2648 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:03:50.0343 2648 wdmaud - ok
15:03:50.0390 2648 wdm_au8820 (be6b041d36b464f9024477a09c2eccb5) C:\WINDOWS\system32\drivers\adm8820.sys
15:03:50.0421 2648 wdm_au8820 - ok
15:03:50.0437 2648 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
15:03:50.0468 2648 WebClient - ok
15:03:50.0468 2648 WimFltr - ok
15:03:50.0500 2648 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
15:03:50.0531 2648 winmgmt - ok
15:03:50.0546 2648 WinUSB (30fc6e5448d0cbaaa95280eeef7fedae) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
15:03:50.0546 2648 WinUSB - ok
15:03:50.0687 2648 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
15:03:50.0750 2648 wlidsvc - ok
15:03:50.0843 2648 WmBEnum (59c90bc8317bd3f6e5559a4deaf35090) C:\WINDOWS\system32\drivers\WmBEnum.sys
15:03:50.0875 2648 WmBEnum - ok
15:03:50.0890 2648 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
15:03:50.0906 2648 WmdmPmSN - ok
15:03:50.0921 2648 WmFilter (999a4539ad634a741afd357e290bd461) C:\WINDOWS\system32\drivers\WmFilter.sys
15:03:50.0937 2648 WmFilter - ok
15:03:50.0984 2648 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
15:03:51.0000 2648 Wmi - ok
15:03:51.0031 2648 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:03:51.0046 2648 WmiApSrv - ok
15:03:51.0125 2648 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
15:03:51.0171 2648 WMPNetworkSvc - ok
15:03:51.0187 2648 WmVirHid (0b8c64b13776f17537f0705fe62799c6) C:\WINDOWS\system32\drivers\WmVirHid.sys
15:03:51.0187 2648 WmVirHid - ok
15:03:51.0203 2648 WmXlCore (8d388aeb1a12c1192aa9b4ebceabcba6) C:\WINDOWS\system32\drivers\WmXlCore.sys
15:03:51.0234 2648 WmXlCore - ok
15:03:51.0343 2648 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
15:03:51.0359 2648 WPFFontCache_v0400 - ok
15:03:51.0390 2648 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:03:51.0406 2648 WS2IFSL - ok
15:03:51.0421 2648 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
15:03:51.0437 2648 wscsvc - ok
15:03:51.0453 2648 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
15:03:51.0484 2648 WSTCODEC - ok
15:03:51.0515 2648 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
15:03:51.0515 2648 wuauserv - ok
15:03:51.0531 2648 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:03:51.0562 2648 WudfPf - ok
15:03:51.0562 2648 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:03:51.0593 2648 WudfRd - ok
15:03:51.0593 2648 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
15:03:51.0625 2648 WudfSvc - ok
15:03:51.0656 2648 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
15:03:51.0687 2648 WZCSVC - ok
15:03:51.0718 2648 XBCD (ee903866d048da5ffdb1262eacf291bd) C:\WINDOWS\system32\Drivers\xbcd.sys
15:03:51.0718 2648 XBCD - ok
15:03:51.0718 2648 xbreader - ok
15:03:51.0734 2648 XDva311 - ok
15:03:51.0750 2648 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
15:03:51.0765 2648 xmlprov - ok
15:03:51.0843 2648 xnacc (7a35352bcdff34d0a6e59d8267b3fcb7) C:\WINDOWS\system32\DRIVERS\xnacc.sys
15:03:51.0859 2648 xnacc - ok
15:03:51.0859 2648 xpsec - ok
15:03:51.0890 2648 xusb21 (f5e5f944e63a9b5f6e76c2ebb2ac462f) C:\WINDOWS\system32\DRIVERS\xusb21.sys
15:03:51.0906 2648 xusb21 - ok
15:03:51.0937 2648 {09BB444F-B2E2-4009-BAF2-7B727681223E} - ok
15:03:51.0953 2648 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:03:52.0125 2648 \Device\Harddisk0\DR0 - ok
15:03:52.0125 2648 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
15:03:52.0750 2648 \Device\Harddisk1\DR1 - ok
15:03:52.0750 2648 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
15:03:52.0843 2648 \Device\Harddisk2\DR2 - ok
15:03:52.0859 2648 Boot (0x1200) (72ce802ee4114e2694de75f27fd6b3f2) \Device\Harddisk0\DR0\Partition0
15:03:52.0859 2648 \Device\Harddisk0\DR0\Partition0 - ok
15:03:52.0859 2648 Boot (0x1200) (623ecfb3e18cf5d8db805d059bda8b27) \Device\Harddisk1\DR1\Partition0
15:03:52.0859 2648 \Device\Harddisk1\DR1\Partition0 - ok
15:03:52.0859 2648 Boot (0x1200) (cd32ab72196b9d7abaac5aa75df4b005) \Device\Harddisk2\DR2\Partition0
15:03:52.0859 2648 \Device\Harddisk2\DR2\Partition0 - ok
15:03:52.0859 2648 ============================================================
15:03:52.0859 2648 Scan finished
15:03:52.0859 2648 ============================================================
15:03:52.0859 6048 Detected object count: 0
15:03:52.0859 6048 Actual detected object count: 0
15:05:04.0234 5764 Deinitialize success


-------------------------------------------------------------------------
-------------------------------------------------------------------------
-------------------------------------------------------------------------
-------------------------------------------------------------------------


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-15 15:07:00
-----------------------------
15:07:00.593 OS Version: Windows 5.1.2600 Service Pack 3
15:07:00.593 Number of processors: 2 586 0xF0B
15:07:00.593 ComputerName: SCYTHE UserName: Grim
15:07:02.171 Initialize success
15:07:56.265 AVAST engine defs: 12051500
15:08:10.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
15:08:10.656 Disk 0 Vendor: WDC_WD7501AALS-00J7B0 05.00K05 Size: 715403MB BusType: 3
15:08:10.656 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
15:08:10.656 Disk 1 Vendor: WDC_WD20EARS-00MVWB0 51.0AB51 Size: 1907728MB BusType: 3
15:08:10.656 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T0L0-24
15:08:10.656 Disk 2 Vendor: ST3500320AS SD1A Size: 476938MB BusType: 3
15:08:10.671 Disk 0 MBR read successfully
15:08:10.671 Disk 0 MBR scan
15:08:10.687 Disk 0 Windows XP default MBR code
15:08:10.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 63
15:08:10.687 Disk 0 scanning sectors +1465144065
15:08:10.718 Disk 0 malicious Win32:MBRoot code @ sector 1465144068 !
15:08:10.765 Disk 0 scanning C:\WINDOWS\system32\drivers
15:08:20.281 Service scanning
15:08:33.437 Service RPCQT C:\WINDOWS\system32\Rpcqt.dll **INFECTED** Win32:Delf-SJS [Trj]
15:08:37.265 Modules scanning
15:08:42.218 Disk 0 trace - called modules:
15:08:42.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:08:42.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b805ab8]
15:08:42.234 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000009b[0x8b882030]
15:08:42.234 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8b830940]
15:08:44.468 AVAST engine scan C:\WINDOWS
15:08:51.187 AVAST engine scan C:\WINDOWS\system32
15:11:27.390 AVAST engine scan C:\WINDOWS\system32\drivers
15:12:02.625 AVAST engine scan C:\Documents and Settings\Grim
15:21:31.984 AVAST engine scan C:\Documents and Settings\All Users
15:36:27.578 Scan finished successfully
15:40:54.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Grim\Desktop\MBR.dat"
15:40:54.781 The log file has been saved successfully to "C:\Documents and Settings\Grim\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 15 May 2012 - 09:21 PM

HelpAsst_mebroot_fix

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shut down your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt!
  • When it completes, a log will open.
  • Please post the contents of that log.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 GrimBrunn

GrimBrunn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:36 AM

Posted 16 May 2012 - 04:05 AM

The HelpAsst_mebroot_fix tool did not seem to detect an infection and completed without restarting or providing a txt log.

Should I run mbr -f manually and/or continue with the helpasst -mbrt step?

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 AM

Posted 16 May 2012 - 05:34 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\WINDOWS\system32\Rpcqt.dll

Driver::
dugb.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\561ad306-5297-65a9-d042-f658e60eb21]

RegNull::
[HKEY_USERS\S-1-5-21-1935655697-412668190-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{273539A3-4A04-9AE7-695D-FED4C0D21015}*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
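A triage helper in the spirit of the step above, added here as an example (it is not part of the thread and not a ComboFix component): it reads the firewall-policy keys from a ComboFix "Reg Loading Points" section, flags a disabled or overridden Windows Firewall, lists globally open ports outside an expected baseline, and emits the matching Registry:: block in the CFScript syntax used above. The sample excerpt is constructed from the port numbers this thread's script removes; the descriptive text after each port and the allowed-port baseline (53:UDP) are assumptions.

```python
import re

# Registry keys spelled exactly as ComboFix prints them in "Reg Loading Points".
FIREWALL_PROFILE = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
OPEN_PORTS = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
SECURITY_CENTER = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"

# Constructed excerpt in ComboFix's layout. The port numbers are the ones the
# CFScript in this thread deletes; the text after each port is made up.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
"3389:TCP"= 3389:TCP:*:Enabled:constructed-entry-1
"65533:TCP"= 65533:TCP:*:Enabled:constructed-entry-2
"52344:TCP"= 52344:TCP:*:Enabled:constructed-entry-3
"""

# '"name"= value' as printed by ComboFix; the value may be empty.
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(\S*)')


def parse_sections(report):
    """Map each bracketed registry key header to the '"name"=value' lines under it.

    ComboFix separates sections with lone '.' lines; those and blanks are skipped.
    """
    sections = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            sections[current].append(line)
    return sections


def reg_number(text):
    """Decode the numeric forms ComboFix uses: 'dword:00000001' or '0 (0x0)'."""
    if text.startswith("dword:"):
        return int(text[len("dword:"):], 16)
    return int(text)


def triage_firewall(report, allowed_ports=frozenset({"53:UDP"})):
    """Return firewall findings and the globally open ports outside the baseline."""
    sections = parse_sections(report)
    findings = []
    suspicious_ports = []

    checks = (
        (FIREWALL_PROFILE, "EnableFirewall", 0, "Windows Firewall is disabled for the standard profile"),
        (SECURITY_CENTER, "FirewallOverride", 1, "Security Center firewall alerting is overridden"),
    )
    for header, name, bad_value, why in checks:
        for line in sections.get(header, []):
            m = VALUE_LINE.match(line)
            if m and m.group(1) == name and reg_number(m.group(2)) == bad_value:
                findings.append(f"{name}={bad_value}: {why}")

    # Any port exception not in the baseline is reported in the order it appears.
    for line in sections.get(OPEN_PORTS, []):
        m = VALUE_LINE.match(line)
        if m and m.group(1) not in allowed_ports:
            suspicious_ports.append(m.group(1))

    return {"findings": findings, "suspicious_ports": suspicious_ports}


def build_cfscript(ports):
    """Emit the Registry:: block that deletes the given port exceptions ('"port"=-')."""
    lines = ["Registry::", OPEN_PORTS]
    lines += [f'"{port}"=-' for port in ports]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage_firewall(SAMPLE_REPORT)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print(build_cfscript(result["suspicious_ports"]))
```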

#9 GrimBrunn

GrimBrunn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:36 AM

Posted 16 May 2012 - 04:17 PM

After running the script, ComboFix still reports the older ZeroAccess infection remnants. The exact message is as follows:

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.

And if I run GMER it reports the following two entries without having to scan:

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 1465144068
and
Code \??\C:\DOCUME~1\Grim\LOCALS~1\Temp\catchme.sys pIofCallDriver

Besides those scan hits though, I have no noticeable system performance or functionality symptoms that I could really say for sure are malware-induced. I have some occasional failed or half-loaded web pages and occasional system chugging, but this could be said to be within normal operations.

I have not been able to reproduce the fraudulent Amazon.com hijack prompt asking for credit info. The last one I saw was the one that motivated me to create this thread.




ComboFix Report:


ComboFix 12-05-16.02 - Grim 05/16/2012 15:46:11.2.2 - x86
Running from: c:\documents and settings\Grim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Grim\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\Rpcqt.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Rpcqt.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DUGB.SYS
-------\Service_dugb.sys
-------\Legacy_RPCQT
-------\Service_RPCQT
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-16 07:04 . 2012-05-16 07:04 -------- d-----w- C:\HelpAsst_backup
2012-05-15 00:38 . 2012-05-15 00:38 -------- d-----w- c:\program files\Code Laboratories
2012-05-13 06:00 . 2012-05-13 06:00 -------- d-----w- c:\documents and settings\Grim\DoctorWeb
2012-05-13 05:38 . 2012-05-13 05:38 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\WTablet
2012-05-13 05:37 . 2012-05-13 05:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-13 05:21 . 2012-05-13 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-13 05:21 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 19:14 . 2012-05-12 19:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 19:14 . 2012-05-12 19:14 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 19:08 . 2012-05-12 19:08 -------- d-----w- c:\documents and settings\Grim\Application Data\Oracle
2012-05-12 19:08 . 2012-04-04 22:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-12 19:08 . 2012-05-12 19:08 -------- d-----w- c:\program files\Java
2012-05-12 08:48 . 2012-05-12 09:02 -------- d-----w- c:\program files\Guild Wars
2012-05-12 01:50 . 2012-05-12 01:50 -------- d-----w- c:\documents and settings\Grim\Application Data\wtablet
2012-05-12 01:49 . 2011-09-08 21:48 1107832 ----a-w- c:\windows\system32\Pen_Touch_Tablet.dll
2012-05-12 01:48 . 2011-09-08 21:49 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2012-05-12 01:48 . 2011-09-08 21:49 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2012-05-12 01:48 . 2011-09-08 21:48 1156472 ----a-w- c:\windows\system32\Wintab32.dll
2012-05-12 01:48 . 2011-09-08 21:48 1152888 ----a-w- c:\windows\system32\WacomMT.dll
2012-05-12 01:48 . 2011-09-08 21:48 1369464 ----a-w- c:\windows\system32\Pen_Tablet.dll
2012-05-12 01:48 . 2012-05-12 01:49 -------- d-----w- c:\program files\Tablet
2012-05-10 09:17 . 2012-05-10 09:17 -------- d--h--r- c:\documents and settings\Grim\Application Data\SecuROM
2012-05-09 23:25 . 2012-05-09 23:42 -------- d-----w- c:\documents and settings\Grim\Application Data\IDoser
2012-05-09 23:25 . 2012-05-09 23:25 -------- d-----w- c:\program files\I-Doser Premium
2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
2012-05-02 00:41 . 2012-05-05 09:17 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\AlephOne
2012-05-01 06:19 . 2012-05-01 06:19 -------- d-----w- c:\documents and settings\Grim\Application Data\Seeing Machines
2012-05-01 06:19 . 2012-05-01 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Seeing Machines
2012-05-01 05:20 . 2012-05-13 00:17 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ArmA 2 Free
2012-05-01 04:44 . 2012-05-01 04:44 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ToCAEDIT
2012-04-30 22:48 . 2012-04-30 22:48 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\ArmA 2 OA DEMO
2012-04-30 19:36 . 2012-05-13 02:55 -------- d-----w- c:\program files\FreeTrack
2012-04-30 19:09 . 2008-04-14 04:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-04-30 19:09 . 2008-04-14 04:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2012-04-26 07:08 . 2012-04-26 07:08 -------- d-----w- C:\sw3dg
2012-04-26 07:07 . 2012-04-26 07:07 -------- d-----w- c:\program files\Evochron Mercenary
2012-04-25 00:24 . 2012-04-25 00:24 -------- d-----w- c:\documents and settings\Grim\Local Settings\Application Data\PassMark
2012-04-25 00:24 . 2012-04-25 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
2012-04-24 21:17 . 2012-04-24 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\RELOADED
2012-04-24 21:09 . 2012-04-24 21:10 -------- d-----w- c:\program files\The Walking Dead
2012-04-22 09:17 . 2012-04-22 09:17 334008 ----a-r- c:\documents and settings\Grim\Application Data\Microsoft\Installer\{905D6095-7F38-43F3-82A4-8A36E5A00FAD}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
2012-04-22 09:17 . 2012-04-22 09:17 334008 ----a-r- c:\documents and settings\Grim\Application Data\Microsoft\Installer\{905D6095-7F38-43F3-82A4-8A36E5A00FAD}\ARPPRODUCTICON.exe
2012-04-22 07:03 . 2003-12-09 14:04 10368 ----a-w- c:\windows\system32\drivers\rramdisk.sys
2012-04-21 08:04 . 2012-04-03 12:59 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-04-21 08:04 . 2012-04-03 12:59 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-04-21 08:04 . 2012-04-03 13:00 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-04-21 08:04 . 2012-04-03 12:59 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-04-21 08:04 . 2012-04-03 12:59 15503168 ----a-w- c:\windows\system32\nvcpl.dll
2012-04-21 08:04 . 2012-04-03 17:14 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-21 08:04 . 2012-05-14 23:28 1072828 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-21 08:04 . 2012-05-14 23:28 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-21 08:04 . 2012-04-26 07:39 1072828 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-04-21 08:02 . 2012-04-03 17:14 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-04-21 08:02 . 2012-04-03 17:14 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-04-21 08:02 . 2012-04-03 17:14 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-04-21 08:02 . 2012-04-03 17:14 2444608 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-04-21 08:02 . 2012-04-03 17:14 2358784 ----a-w- c:\windows\system32\nvapi.dll
2012-04-21 08:02 . 2012-04-03 17:14 18747392 ----a-w- c:\windows\system32\nvoglnt.dll
2012-04-21 08:02 . 2012-04-03 17:14 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-04-21 08:02 . 2012-04-03 17:14 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-04-18 18:22 . 2012-04-18 18:22 -------- d-----w- c:\documents and settings\Grim\Application Data\SYSTEMAX Software Development
2012-04-18 18:22 . 2012-04-18 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 22:30 . 2011-10-19 04:45 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-08 22:30 . 2011-10-19 04:45 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2012-02-11 03:11 772504 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-04 22:47 . 2010-04-16 19:11 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 16:05 . 2012-04-04 16:05 869552 ----a-w- c:\windows\boinc.scr
2012-04-03 23:50 . 2012-04-03 23:50 108409 ----a-w- c:\windows\Thumbplug TGA Uninstaller.exe
2012-04-03 17:14 . 2011-08-09 00:16 4336640 ----a-w- c:\windows\system32\nv4_disp.dll
2012-04-03 17:14 . 2011-08-09 00:16 14008320 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-02 20:51 . 2011-08-08 01:46 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 21:09 . 2008-04-01 19:01 140304 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-29 21:09 . 2008-04-01 19:00 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-02-29 21:09 . 2009-03-27 01:15 281032 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-29 21:09 . 2008-04-01 19:00 281032 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-29 21:09 . 2008-04-01 19:00 280856 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-02-29 14:08 . 2004-08-04 12:00 178176 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:08 . 2004-08-04 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-20 05:01 . 2012-02-20 05:01 69952 ----a-w- c:\windows\system32\CLEyeDevices.dll
2012-04-21 01:19 . 2012-05-12 07:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-14_06.18.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-16 19:59 . 2012-05-16 19:59 16384 c:\windows\temp\Perflib_Perfdata_764.dat
- 2012-02-13 18:51 . 2012-05-14 01:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-05-14 06:39 . 2012-05-16 19:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2012-05-16 19:47 553604 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-05-14 06:06 553604 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-05-14 06:06 102004 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-05-16 19:47 102004 c:\windows\system32\perfc009.dat
+ 2008-03-28 15:08 . 2012-05-16 19:11 1687552 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-28 15:08 . 2012-05-14 01:59 1687552 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-01-24 3478336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-03 15503168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2012-04-03 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-03 1634112]
"EVGAPrecision"="c:\program files\EVGA Precision X\EVGAPrecision.exe" [2012-04-10 553800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\documents and settings\Grim\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-2 3553176]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"Imapi Helper"=3 (0x3)
"PD91Agent"=2 (0x2)
"gupdate1c9c69c8d38db62"=2 (0x2)
"Adobe Version Cue CS4"=3 (0x3)
"npggsvc"=3 (0x3)
"ose"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"DAUpdaterSvc"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=2 (0x2)
"LiveTurbineMessageService"=3 (0x3)
"LiveTurbineNetworkService"=3 (0x3)
"ALG"=3 (0x3)
"IDriverT"=3 (0x3)
"SwitchBoard"=3 (0x3)
"RPCT"=2 (0x2)
"rpcapd"=3 (0x3)
"wlidsvc"=2 (0x2)
"IAANTMON"=2 (0x2)
"AntiVirWebService"=2 (0x2)
"AntiVirMailService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Documents and Settings\\Grim\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Codemasters\\Overlord II\\Overlord2.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war gold\\W40kWA.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
"c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Activision\\Apache Air Assault\\launcher.exe"=
"c:\\Program Files\\Activision\\Apache Air Assault\\yuPlay\\yuPlay.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\synergy\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Codemasters\\DiRT 3\\dirt3_game.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\mentalimages\\satellite\\raysat_3dsmax2012_32.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2012\\mentalimages\\satellite\\raysat_3dsmax2012_32server.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\amnesia the dark descent\\Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\skyrim\\CreationKit.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\dawn of war soulstorm\\soulstorm.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Electronic Arts\\Mass Effect 3\\Binaries\\Win32\\MassEffect3.exe"=
"c:\\Program Files\\Codemasters\\F1 2011\\F1_2011.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\red orchestra 2\\Binaries\\Win32\\ROGame.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\x3 terran conflict\\X3TC.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\x3 terran conflict\\X3AP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{F27CFD16-939A-4232-98CD-180898D14713}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\mountblade warband\\mb_warband.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\grim_r\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\Portal 2\\portal2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
.
R0 RRamdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [4/22/2012 3:03 AM 10368]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/19/2011 12:45 AM 36000]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/10/2012 3:40 PM 242240]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [11/11/2008 11:47 PM 158512]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [11/11/2008 11:47 PM 91440]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2011 12:45 AM 86224]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/13/2012 1:21 AM 654408]
R2 mi-raysat_3dsmax2012_32;mental ray 3.9 Satellite for Autodesk 3ds Max 2012 32-bit - English 32-bit;c:\program files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe [2/23/2011 8:59 AM 86016]
R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [5/11/2012 9:48 PM 5554552]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [5/11/2012 9:49 PM 451960]
R2 wcafix;Windows Cursor Acceleration Fix;c:\windows\system32\drivers\wcafix.sys [3/21/2010 6:44 AM 3516]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [3/29/2008 12:17 AM 22784]
R3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\drivers\hidkmdf.sys [8/7/2011 3:25 AM 6656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/13/2012 1:21 AM 22344]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [7/17/2009 6:12 PM 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/19/2011 3:11 PM 116016]
R3 VKbms;Virtual HID Minidriver;c:\windows\system32\drivers\VKbms.sys [8/7/2011 3:25 AM 10240]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\ZyX\VMLaunch\BuddyVM.sys --> c:\program files\ZyX\VMLaunch\BuddyVM.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 AODDriver;AODDriver;\??\c:\program files\GIGABYTE\ET6\i386\AODDriver.sys --> c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Grim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Grim\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
S3 etdrv;etdrv;c:\windows\etdrv.sys [3/20/2010 7:47 PM 17488]
S3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\drivers\EvcapMau.sys [10/12/2009 3:52 PM 180864]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [3/2/2009 6:07 PM 7680]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys --> c:\windows\system32\drivers\kx.sys [?]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 4:35 PM 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [12/6/2010 4:54 PM 14856]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C2.tmp --> c:\windows\system32\C2.tmp [?]
S3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [10/31/2009 4:10 AM 2048]
S3 ProcAPI;ProcAPI;\??\c:\program files\Intel Corporation\Thermal Analysis Tool\ProcAPI.sys --> c:\program files\Intel Corporation\Thermal Analysis Tool\ProcAPI.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 8:00 AM 5120]
S3 tat;tat;\??\c:\program files\Intel Corporation\Thermal Analysis Tool\tat.sys --> c:\program files\Intel Corporation\Thermal Analysis Tool\tat.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys --> c:\windows\system32\Drivers\xbreader.sys [?]
S3 XDva311;XDva311;\??\c:\windows\system32\XDva311.sys --> c:\windows\system32\XDva311.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S4 RPCT;Remote Procedure Call (TPM);c:\program files\Common Files\System\qmgr.exe --> c:\program files\Common Files\System\qmgr.exe [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
RPCQT
PID_PEPI
TeamViewer
CVirtA
AsIO
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\documents and settings\Grim\Application Data\Mozilla\Firefox\Profiles\4drk7qcn.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-16 16:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-412668190-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e4,cb,33,0c,46,1b,66,9d,08,2d,28,0e,92,64,53,87,ba,dc,5d,31,25,
a4,cc,71,83,9b,11,f5,b7,27,9b,95,fe,52,49,53,a2,6a,a3,e8,6d,ab,c7,9b,4f,d4,\
"rkeysecu"=hex:66,27,8d,90,56,46,a0,48,9d,67,9d,6e,11,95,b4,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\program files\Xfire\xfire_toucan_45547.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\devldr32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\program files\Razer\DeathAdder\vdDaemon.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-16 16:03:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-16 20:03
ComboFix2.txt 2012-05-14 06:24
.
Pre-Run: 190,543,134,720 bytes free
Post-Run: 190,609,584,128 bytes free
.
- - End Of File - - 2345AEBC1226A81C853F3C2186C969AE

Edited by GrimBrunn, 16 May 2012 - 06:23 PM.


#10 gringo_pr

Malware Response Team
Posted 17 May 2012 - 01:40 AM

Hello

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. - this happens on some XP computers and we have not found out why.

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 1465144068 - this is part of an older infection and is located in a place that our tools cannot get to in order to clean it - good news is that it is not active and poses no threat.

Code \??\C:\DOCUME~1\Grim\LOCALS~1\Temp\catchme.sys pIofCallDriver - this is part of combofix and GMer


:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

  • µTorrent
  • JavaFX 2.1.0


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.


Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 GrimBrunn

Topic Starter
Posted 17 May 2012 - 03:30 AM

You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. - this happens on some xp computer and we have not found out why

That's relieving. The existence of that problem had been a worrying thought on the back of my mind for a while now.


:P2P Warning!:
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

I've elected to retain uTorrent, aware of all the risks and responsibilities that go with it.



I continue to have no noticeable system performance or functionality symptoms that I could really say for sure are malware induced. For the sake of full disclosure, however, I did have a somewhat unusual system freeze and subsequent automatic reboot earlier, and another somewhat unusual incident in which large parts of the functionality of my keyboard were lost and Task Manager had a large delay in fully opening; solved by rebooting.



I had no problem with the logs and here they are:


Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Grim :: SCYTHE [administrator]

Protection: Disabled

5/17/2012 3:13:15 AM
mbam-log-2012-05-17 (03-13-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246030
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

--------------------------------------------
--------------------------------------------
--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:58:07 AM, on 5/17/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Razer\DeathAdder\vdDaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision X\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Grim\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Grim\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - http://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.1.0.0.26.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206766824796
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.9 Satellite for Autodesk 3ds Max 2012 32-bit - English 32-bit (mi-raysat_3dsmax2012_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_Tablet.exe
O23 - Service: Wacom Consumer Touch Service (TouchServicePen) - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_TouchService.exe

--
End of file - 7558 bytes

#12 gringo_pr

Malware Response Team
Posted 17 May 2012 - 07:43 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    • O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    • O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
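The HijackThis O4 and O23 lines that the two posts above walk through can be triaged mechanically before anything is fixed. This added Python example (not code from the thread, from BleepingComputer or from Trend Micro) parses the entry formats shown in the log in post #11 and flags missing files, unknown service owners, unknown Winsock LSP files and ActiveX (O16) downloads from hosts outside an allowlist; TRUSTED_DPF_HOSTS and USER_WRITABLE are assumed lists, not HijackThis settings.

```python
"""Triage helper for HijackThis log lines. Added example for this thread, not code
from the thread, BleepingComputer or Trend Micro: it parses the O4/O9/O10/O16/O23
entry formats seen in the log above and flags entries a reviewer should look at."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Grim\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206766824796
O23 - Service: mental ray 3.9 Satellite for Autodesk 3ds Max 2012 32-bit - English 32-bit (mi-raysat_3dsmax2012_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
""".strip().splitlines()

# Assumed allowlist of ActiveX (O16 DPF) download hosts; not a HijackThis setting.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "adobe.com")
# Path fragments of directories an ordinary user can write to (assumed list).
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                 "\\local settings\\", "\\application data\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# Shortest prefix of a command line that ends in an executable-style extension.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|lnk|bat|cmd|scr|vbs))', re.IGNORECASE)

@dataclass
class Entry:
    section: str   # "O4", "O9", "O10", "O16" or "O23"
    name: str      # Run-key value name, service name, CLSID, ...
    target: str    # image path or download URL
    flags: list = field(default_factory=list)

def command_image(cmd: str) -> str:
    """Return the program a Run-key command launches, without quotes or arguments."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else (cmd.split()[0] if cmd else "")

def in_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)

def parse_line(line: str):
    """Parse one HijackThis line into an Entry; None for sections not handled here."""
    line = line.strip()
    if m := O4_RE.match(line):
        image = command_image(m.group("cmd"))
        e = Entry("O4", m.group("name"), image)
        if in_user_writable(image):
            e.flags.append("autostart runs from a user-writable location")
    elif m := O9_RE.match(line):
        e = Entry("O9", m.group("name"), command_image(m.group("path")))
    elif m := O10_RE.match(line):
        path = m.group("path")
        e = Entry("O10", path.rsplit("\\", 1)[-1], path, ["unknown Winsock LSP"])
    elif m := O16_RE.match(line):
        e = Entry("O16", m.group("name") or m.group("clsid"), m.group("url"))
        if not host_trusted(e.target):
            e.flags.append("ActiveX download from non-allowlisted host "
                           + (urlparse(e.target).hostname or "?"))
    elif line.startswith("O23 - Service: "):
        # Service names can contain " - " (see mental ray), so split from the right.
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, owner, path = parts
        e = Entry("O23", name, path)
        if owner.strip().lower() == "unknown owner":
            e.flags.append("unknown service owner")
        if in_user_writable(path):
            e.flags.append("service image in a user-writable location")
    else:
        return None
    if "(file missing)" in line.lower():
        e.flags.append("file missing")
    return e

def triage(lines):
    """Parse every recognised line; unrecognised sections (O2, R1, ...) are skipped."""
    return [e for e in map(parse_line, lines) if e is not None]

def flagged(lines):
    """Map entry name -> reasons, for entries that earned at least one flag."""
    return {e.name: e.flags for e in triage(lines) if e.flags}

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flag is a reason to look, not a verdict: the mental ray service and the Absolute Poker shortcut in this thread are flagged and both turn out to be harmless leftovers.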

#13 GrimBrunn

Topic Starter
Posted 17 May 2012 - 09:10 PM

Pretty clean. All it got were:


E:\Documents and Settings\Grim\My Documents\My Programs\EvID4226Patch.exe Win32/Tool.EvID4226 application
F:\Documents and Settings\Grim\Local Settings\Temp\nsbC2.tmp\OCSetupHlp.dll Win32/OpenCandy application



EvID4226Patch is a legitimate and useful program I keep for archival purposes.
F is a secondary and non-functional XP install. Waiting to be wiped and used for a Windows 7 dual boot whenever I get around to it.

#14 gringo_pr

Malware Response Team
Posted 17 May 2012 - 09:32 PM

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners.

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)

    Note** If you decide to install MSE you will need to uninstall your present antivirus.

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must-reads and should be read by everybody in your household who uses the internet.

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues.

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo

#15 GrimBrunn

Topic Starter
Posted 18 May 2012 - 03:28 PM

I've read and understand. Thank you for taking my case and your time and effort towards it.

Edited by GrimBrunn, 18 May 2012 - 03:28 PM.




