infected with sirefef.DN and DT rootkit in svchost.exe


  • This topic is locked
5 replies to this topic

#1 riyan


  • Members
  • 3 posts

Posted 17 May 2012 - 08:42 AM

Hi BleepingComputer.com, my name is Riyan from Banjarmasin, Indonesia.

When I tried cleaning with ESET, ESET seemed to have cleaned a lot of it, but on every subsequent startup it finds two Sirefef.D* variants like these:
Operating memory \GLOBAL??\2ed9325b\WINDOWS\$NtUninstallKB7298$\785986139\Desktop.ini - Win32/Sirefef.DN trojan - cleaned by deleting [1]
Operating memory svchost.exe(864) - a variant of Win32/Sirefef.DT trojan - unable to clean
C:\WINDOWS\system32\drivers\afd.sys - Win32/Sirefef.DA trojan - unable to clean

I found this site on Google when I tried searching for this virus. I found this post http://www.bleepingcomputer.com/forums/topic441947.html
which seems similar to the problems I had, so I followed the steps here http://www.bleepingcomputer.com/forums/topic34773.html.

The virus sometimes takes a lot of CPU resources, which makes me worry. I really need your help to remove this virus permanently. Sorry if my English is bad; I use Google Translate.

Thanks in advance.

Riyan

Here are the DDS and GMER logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31
Run by Bornmatrix at 0:02:43 on 2012-05-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2009.1274 [GMT 8:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\Cyberlink\Shared files\brs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchnu.com/406
uSearch Bar = hxxp://dts.search-results.com/sidebar.html?src=ssb&appid=0&systemid=406&sr=0
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=0&systemid=406&sr=0&q={searchTerms}
mSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=0&systemid=406&sr=0&q={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {99079a25-328f-4bd4-be04-00955acaa0a7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - Yontoo Layers
TB: {99079a25-328f-4bd4-be04-00955acaa0a7} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\documents and settings\bornmatrix\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SM?RT-Protection] c:\program files\smadav\SM?RTP.exe rtp
mRun: [Lan Diagnostic Tool] c:\program files\lan diagnostic tool\landiagnostictool.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [WinDLL (service.exe)] service.exe
mRunServices: [WinSystemLibrary] pwrszr.exe -system
mRunServices: [LoadWin32Dll] zndll.exe
mRunServices: [a001]
dRun: [SuperBoot] c:\windows\temp\superboot\SuperBoot.exe
StartupFolder: c:\docume~1\bornma~1\startm~1\programs\startup\rocket~1.lnk - c:\program files\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\bornma~1\startm~1\programs\startup\transbar.lnk - c:\program files\vista inspirat 2\transbar\TransBar.exe
uPolicies-explorer: DisableRegistryTools = 1 (0x1)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: DisableRegistryTools = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{634B5EEA-B34A-4EEF-9699-FB06DFAC1451} : NameServer = 8.8.8.8,8.8.4.4
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bornmatrix\application data\mozilla\firefox\profiles\2w08g7og.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.id/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 64.64.197.160
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\bornmatrix\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\bornmatrix\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-24 95872]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2011-3-24 3026]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-6-23 101360]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2012/01/28 17:31:08];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-8-26 87536]
R2 BlackfishSQL;BlackfishSQL;c:\program files\codegear\rad studio\6.0\bin\BSQLServer.exe [2008-8-30 65536]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-24 810120]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2012-2-5 13880]
S2 IBG_gds_db;InterBase 2009 Guardian gds_db;c:\codegear\interbase\bin\ibguard.exe -i "c:\codegear\interbase" -p gds_db --> c:\codegear\interbase\bin\ibguard.exe -i c:\codegear\InterBase [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-9 1684736]
S3 apf001;apf001;\??\d:\gimmers\softnyxgame\gunboundids\apf001.sys --> d:\gimmers\softnyxgame\gunboundids\apf001.sys [?]
S3 CEDRIVER60;CEDRIVER60;c:\program files\cheat engine 6.1\dbk32.sys [2011-10-22 72576]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 IBS_gds_db;InterBase 2009 Server gds_db;c:\codegear\interbase\bin\ibserver.exe -i "c:\codegear\interbase" -p gds_db --> c:\codegear\interbase\bin\ibserver.exe -i c:\codegear\InterBase [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-30 129976]
S3 msdirectx;msdirectx;\??\d:\gimmers\xshot\system\msdirectx.dll --> d:\gimmers\xshot\system\msdirectx.dll [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-12-23 35088]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-3-2 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-3-2 11088]
S3 slicedisk.sys;slicedisk.sys;\??\c:\windows\system32\slicedisk.sys --> c:\windows\system32\slicedisk.sys [?]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\bornma~1\locals~1\temp\findandmount\slicedisk.sys --> c:\docume~1\bornma~1\locals~1\temp\findandmount\slicedisk.sys [?]
S3 usedisk;USEDisk Driver;c:\windows\system32\drivers\usedisk.sys [2011-4-26 17408]
S3 XDva361;XDva361;\??\c:\windows\system32\xdva361.sys --> c:\windows\system32\XDva361.sys [?]
S3 XDva392;XDva392;\??\c:\windows\system32\xdva392.sys --> c:\windows\system32\XDva392.sys [?]
.
=============== Created Last 30 ================
.
2012-05-16 09:33:06 388096 ----a-r- c:\documents and settings\bornmatrix\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-05-16 09:33:05 -------- d-----w- c:\program files\Trend Micro
2012-05-16 00:55:05 60416 ----a-w- c:\windows\system32\antiwpa.dll
2012-05-15 13:58:01 -------- d-----w- C:\xampp
2012-05-14 15:24:49 -------- d-----w- c:\program files\X-pack
2012-05-14 12:46:15 -------- d-----w- c:\program files\FlashBoot
2012-05-13 14:55:34 -------- d-sh--r- c:\windows\S-1-5-21-1700724368-7596393281-319339953-0402
2012-05-13 11:13:30 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-05-13 06:44:25 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-12 17:08:04 -------- d-----w- c:\documents and settings\bornmatrix\application data\Nico Mak Computing
2012-05-12 17:07:59 17224 ----a-w- c:\windows\system32\roboot.exe
2012-05-08 02:56:21 -------- d-----w- c:\documents and settings\bornmatrix\local settings\application data\Opera
2012-05-05 13:45:05 -------- d-----w- c:\windows\system32\C2MP
2012-05-01 12:31:50 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-30 10:55:31 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-30 10:55:29 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-30 10:55:29 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-28 04:39:35 138904 ----a-w- c:\documents and settings\bornmatrix\application data\PnkBstrK.sys
2012-04-22 20:14:18 3515392 ----a-w- c:\windows\system32\ffdshow.ax
2012-04-22 20:12:22 4424704 ----a-w- c:\windows\system32\ffmpeg.dll
2012-04-19 15:46:45 -------- d-----w- c:\documents and settings\bornmatrix\local settings\application data\Pando_Temp
2012-04-19 13:02:10 140232 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-04-19 13:02:05 283416 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-04-19 13:02:05 283416 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-19 13:02:00 283416 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-04-19 13:01:54 -------- d-----w- c:\windows\system32\LogFiles
2012-04-19 13:01:53 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-04-19 13:01:53 -------- d-----w- c:\documents and settings\bornmatrix\local settings\application data\PunkBuster
2012-04-19 12:58:12 -------- d-----w- c:\program files\NVIDIA Corporation
2012-04-19 12:58:06 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-04-18 15:01:16 -------- d-----w- c:\program files\Pando Networks
2012-04-18 15:01:00 -------- d-----w- c:\program files\GamersFirst
2012-04-16 16:49:23 -------- d-----w- c:\documents and settings\bornmatrix\application data\IDM
2012-04-16 16:49:17 -------- d-----w- c:\program files\Internet Download Manager
.
==================== Find3M ====================
.
2012-05-16 09:54:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 18:37:46 17408 ----a-w- C:\psapi.dll
2012-05-11 04:25:25 3036 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2012-04-10 01:26:56 12920 ----a-w- c:\windows\system32\apl001.sys
2012-04-10 01:26:56 10872 ----a-w- c:\windows\system32\apf001.sys
2012-04-08 23:40:36 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-04-08 23:39:46 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2012-04-08 23:39:32 99840 ----a-w- c:\windows\system32\ff_wmv9.dll
2012-04-08 23:39:32 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2012-04-08 23:39:30 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2012-04-08 23:39:30 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2012-04-08 23:39:28 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2012-04-08 23:39:28 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2012-04-08 23:39:26 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2012-03-29 14:21:32 606720 ----a-w- c:\windows\system32\LAVVideo.ax
2012-03-29 14:21:32 462848 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-03-29 14:21:28 217600 ----a-w- c:\windows\system32\LAVAudio.ax
2012-03-29 14:21:26 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-03-29 14:21:18 6582226 ----a-w- c:\windows\system32\avcodec-lav-54.dll
2012-03-29 14:21:18 374152 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-03-29 14:21:18 207872 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-03-29 14:21:18 144523 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-03-29 14:21:18 1152365 ----a-w- c:\windows\system32\avformat-lav-54.dll
2012-03-27 15:08:52 267264 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-02-26 15:30:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-26 15:30:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-06 21:38:58 1503232 ----a-w- c:\program files\Smadav 2012 Rev. 8.9.exe
2012-02-01 15:36:40 103936 ----a-w- c:\program files\SmadEngine.dll
2011-07-10 09:45:57 73728 ----a-w- c:\program files\Smadav-Updater.exe
2010-02-19 10:26:20 97792 ----a-w- c:\program files\SmadExtc.dll
2011-10-05 21:10:29 382976 --sha-r- c:\windows\system32\bootc0g.exe
.
============= FINISH: 0:03:06.34 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-17 03:03:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 ST3250318AS rev.CC38
Running: xcsredg8.exe; Driver: C:\DOCUME~1\BORNMA~1\LOCALS~1\Temp\pgtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA74C6610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA74C6C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA74C6730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA74C64B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA74C6570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA74C66D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA74C6790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA74C6690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA74C6650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA74C67D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA74C6510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA74C6590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA74C64D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA74C65D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA74C6750]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xA6595000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xA65B8050]
? C:\DOCUME~1\BORNMA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[412] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\winlogon.exe[760] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[760] USER32.dll!GetSystemMetrics 7E418F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2732] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10665EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2732] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10665E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2732] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2732] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3428] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0122C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3428] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 0145E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3428] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0145E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3428] GDI32.dll!CreateDIBSection 77F19E09 1 Byte [E9]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3428] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 0145E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A73BC000-A73D3000 (94208 bytes)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [356] 0x00400000

Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 2764

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{0b8158a6-3419-48cd-98e8-efb28ced34a3}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x19 0xBB 0x26 0x63 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB7298$\2075558266 0 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139 0 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\cfg.ini 204 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\L 0 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\L\hkmgaxin 138112 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\twl.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U 0 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\version 1267 bytes

---- EOF - GMER 1.0.15 ----
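For triaging logs like the two above, here is an added example (not from the thread, and not part of DDS or GMER): a small Python script that scans constructed sample lines modelled on these log formats for the entries a helper reads first, namely hidden modules/processes, files inside the $NtUninstallKB...$ tree, a browser proxy pointing at 127.0.0.1, and RunServices entries with no path. The folder pattern and the "pathless RunServices" rule are assumptions drawn from this log only, not general signatures.

```python
"""Log triage helper for the DDS and GMER output shown in the post above.

Added example (not from the thread or from the DDS/GMER tools). It scans
constructed sample lines, modelled on the formats above, for the indicators a
helper reads first: hidden modules/processes, the $NtUninstallKB...$ folder
tree, a browser proxy pointing at 127.0.0.1, and pathless RunServices entries.
"""
import re
from collections import Counter
from dataclasses import dataclass

# GMER section headers look like "---- Files - GMER 1.0.15 ----"
GMER_SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
GMER_HIDDEN_MARKER = "*** hidden ***"
# Folder pattern from the GMER "Files" section above (assumption: treated as
# suspicious only because of the @ / U / L entries the thread shows inside it).
UNINSTALL_FOLDER_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\")
# DDS proxy lines: IE "ProxyServer = host:port" and Firefox "network.proxy.* - host"
DDS_PROXY_RE = re.compile(
    r"^(?:[um]Internet Settings,ProxyServer"
    r"|FF - prefs\.js: network\.proxy\.(?:http|ssl|socks|ftp)) [-=] (\S+)$"
)
# DDS "mRunServices: [name] command" autostart entries
DDS_RUNSERVICES_RE = re.compile(r"^mRunServices: \[(.*?)\]\s*(.*)$")


@dataclass
class Finding:
    source: str   # "gmer" or "dds"
    kind: str     # short category used by summarize()
    where: str    # GMER section or DDS key family
    detail: str   # the raw log line


def triage_gmer(text: str) -> list:
    """Flag hidden items and files inside the $NtUninstallKB...$ tree."""
    findings, section = [], "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = GMER_SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if GMER_HIDDEN_MARKER in line:
            findings.append(Finding("gmer", "hidden", section, line))
        elif section == "Files" and UNINSTALL_FOLDER_RE.search(line):
            findings.append(Finding("gmer", "suspicious folder", section, line))
    return findings


def triage_dds(text: str) -> list:
    """Flag localhost proxies and RunServices entries with no path."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DDS_PROXY_RE.match(line)
        if m:
            # A local proxy is either a debugging tool the user knows about or
            # something sitting in the browser's traffic path; either way, ask.
            if m.group(1).startswith(("127.", "localhost")):
                findings.append(Finding("dds", "localhost proxy", "proxy", line))
            continue
        m = DDS_RUNSERVICES_RE.match(line)
        if m and "\\" not in m.group(2):
            # Bare executable names (or no command at all) in an autostart key
            # are worth a look: the log gives no path to check them against.
            findings.append(Finding("dds", "RunServices autostart", "mRunServices", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'hidden': 3, 'suspicious folder': 2}."""
    return dict(Counter(f.kind for f in findings))


# Constructed samples, modelled on the logs in the post above.
SAMPLE_GMER = r"""---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A73BC000-A73D3000 (94208 bytes)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [356] 0x00400000
Process C:\WINDOWS\System32\ping.exe (*** hidden *** ) 2764

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB7298$\785986139\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000032.@ 115712 bytes
File C:\WINDOWS\notes.txt 10 bytes

---- EOF - GMER 1.0.15 ----
"""

SAMPLE_DDS = r"""uInternet Settings,ProxyServer = 127.0.0.1:8080
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunServices: [WinSystemLibrary] pwrszr.exe -system
mRunServices: [LoadWin32Dll] zndll.exe
mRunServices: [a001]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 4
"""

if __name__ == "__main__":
    for name, found in (("GMER", triage_gmer(SAMPLE_GMER)), ("DDS", triage_dds(SAMPLE_DDS))):
        print(f"{name}: {summarize(found)}")
        for f in found:
            print(f"  [{f.kind}] {f.where}: {f.detail}")
```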



#2 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 May 2012 - 05:08 PM

Hello riyan,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right-hand corner of the topic you will see a button called Watch Topic. I suggest you click it, select Immediate E-Mail Notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 riyan

  • Topic Starter

  • Members
  • 3 posts

Posted 18 May 2012 - 10:40 AM

Hi fireman4it,
thanks for the guidance to help me remove the malware.

This is the log:

18:09:18.0156 2112 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57
18:09:18.0750 2112 ============================================================
18:09:18.0750 2112 Current date / time: 2012/05/18 18:09:18.0750
18:09:18.0750 2112 SystemInfo:
18:09:18.0750 2112
18:09:18.0750 2112 OS Version: 5.1.2600 ServicePack: 3.0
18:09:18.0750 2112 Product type: Workstation
18:09:18.0750 2112 ComputerName: BILLING
18:09:18.0750 2112 UserName: Bornmatrix
18:09:18.0750 2112 Windows directory: C:\WINDOWS
18:09:18.0750 2112 System windows directory: C:\WINDOWS
18:09:18.0750 2112 Processor architecture: Intel x86
18:09:18.0750 2112 Number of processors: 2
18:09:18.0750 2112 Page size: 0x1000
18:09:18.0750 2112 Boot type: Normal boot
18:09:18.0750 2112 ============================================================
18:09:20.0000 2112 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:09:20.0000 2112 ============================================================
18:09:20.0000 2112 \Device\Harddisk0\DR0:
18:09:20.0000 2112 MBR partitions:
18:09:20.0000 2112 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x6403941
18:09:20.0015 2112 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64039BF, BlocksNum 0x16DC0BC2
18:09:20.0015 2112 ============================================================
18:09:20.0031 2112 C: <-> \Device\Harddisk0\DR0\Partition0
18:09:20.0078 2112 D: <-> \Device\Harddisk0\DR0\Partition1
18:09:20.0078 2112 ============================================================
18:09:20.0078 2112 Initialize success
18:09:20.0078 2112 ============================================================
18:19:57.0906 2780 ============================================================
18:19:57.0906 2780 Scan started
18:19:57.0906 2780 Mode: Manual;
18:19:57.0906 2780 ============================================================
18:19:58.0140 2780 Abiosdsk - ok
18:19:58.0156 2780 abp480n5 - ok
18:19:58.0171 2780 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:19:58.0203 2780 ACPI - ok
18:19:58.0234 2780 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:19:58.0250 2780 ACPIEC - ok
18:19:58.0250 2780 adpu160m - ok
18:19:58.0281 2780 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:19:58.0296 2780 aec - ok
18:19:58.0312 2780 AFD (01fe362b88b8e533bea3cfcff3a3d229) C:\WINDOWS\System32\drivers\afd.sys
18:19:58.0328 2780 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 01fe362b88b8e533bea3cfcff3a3d229, Fake md5: 322d0e36693d6e24a2398bee62a268cd
18:19:58.0328 2780 AFD ( Virus.Win32.ZAccess.k ) - infected
18:19:58.0328 2780 AFD - detected Virus.Win32.ZAccess.k (0)
18:19:58.0328 2780 Aha154x - ok
18:19:58.0328 2780 aic78u2 - ok
18:19:58.0328 2780 aic78xx - ok
18:19:58.0359 2780 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:19:58.0375 2780 Alerter - ok
18:19:58.0375 2780 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:19:58.0375 2780 ALG - ok
18:19:58.0375 2780 AliIde - ok
18:19:58.0453 2780 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
18:19:58.0500 2780 Ambfilt - ok
18:19:58.0531 2780 amsint - ok
18:19:58.0609 2780 apf001 - ok
18:19:58.0656 2780 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
18:19:58.0671 2780 AppMgmt - ok
18:19:58.0671 2780 asc - ok
18:19:58.0671 2780 asc3350p - ok
18:19:58.0671 2780 asc3550 - ok
18:19:58.0734 2780 aspnet_state (4eabf511b1af176a971c3271e48fa3a8) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:19:58.0734 2780 aspnet_state - ok
18:19:58.0750 2780 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:19:58.0765 2780 AsyncMac - ok
18:19:58.0796 2780 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:19:58.0796 2780 atapi - ok
18:19:58.0812 2780 Atdisk - ok
18:19:58.0812 2780 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:19:58.0828 2780 Atmarpc - ok
18:19:58.0859 2780 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:19:58.0859 2780 AudioSrv - ok
18:19:58.0890 2780 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:19:58.0906 2780 audstub - ok
18:19:58.0937 2780 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:19:58.0953 2780 Beep - ok
18:19:59.0000 2780 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:19:59.0031 2780 BITS - ok
18:19:59.0109 2780 BlackfishSQL (4bd769e85224de6486122482560e6909) C:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
18:19:59.0203 2780 BlackfishSQL - ok
18:19:59.0218 2780 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:19:59.0218 2780 Browser - ok
18:19:59.0250 2780 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:19:59.0265 2780 cbidf2k - ok
18:19:59.0281 2780 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:19:59.0296 2780 CCDECODE - ok
18:19:59.0296 2780 cd20xrnt - ok
18:19:59.0312 2780 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:19:59.0312 2780 Cdaudio - ok
18:19:59.0359 2780 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:19:59.0359 2780 Cdfs - ok
18:19:59.0390 2780 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:19:59.0406 2780 Cdrom - ok
18:19:59.0437 2780 CEDRIVER60 (d316b4c0e4b97fa4428b221b731611ae) C:\Program Files\Cheat Engine 6.1\dbk32.sys
18:19:59.0437 2780 CEDRIVER60 - ok
18:19:59.0437 2780 Changer - ok
18:19:59.0468 2780 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:19:59.0468 2780 CiSvc - ok
18:19:59.0484 2780 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:19:59.0484 2780 ClipSrv - ok
18:19:59.0546 2780 clr_optimization_v2.0.50727_32 (234b1bc2796483e1f5c3f26649fb3388) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:19:59.0562 2780 clr_optimization_v2.0.50727_32 - ok
18:19:59.0562 2780 CmdIde - ok
18:19:59.0578 2780 COMSysApp - ok
18:19:59.0578 2780 Cpqarray - ok
18:19:59.0609 2780 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:19:59.0609 2780 CryptSvc - ok
18:19:59.0609 2780 dac2w2k - ok
18:19:59.0609 2780 dac960nt - ok
18:19:59.0656 2780 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
18:19:59.0656 2780 DcomLaunch - ok
18:19:59.0671 2780 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:19:59.0671 2780 Dhcp - ok
18:19:59.0703 2780 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:19:59.0718 2780 Disk - ok
18:19:59.0718 2780 dmadmin - ok
18:19:59.0765 2780 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:19:59.0796 2780 dmboot - ok
18:19:59.0812 2780 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
18:19:59.0843 2780 dmio - ok
18:19:59.0859 2780 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:19:59.0875 2780 dmload - ok
18:19:59.0890 2780 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:19:59.0890 2780 dmserver - ok
18:19:59.0921 2780 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:19:59.0921 2780 DMusic - ok
18:19:59.0937 2780 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
18:19:59.0937 2780 Dnscache - ok
18:19:59.0968 2780 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:19:59.0968 2780 Dot3svc - ok
18:19:59.0968 2780 dpti2o - ok
18:19:59.0984 2780 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:20:00.0000 2780 drmkaud - ok
18:20:00.0000 2780 EagleNT - ok
18:20:00.0000 2780 EagleXNt - ok
18:20:00.0031 2780 eamon (b7b3fbc5591358b89955c4189970269e) C:\WINDOWS\system32\DRIVERS\eamon.sys
18:20:00.0046 2780 eamon - ok
18:20:00.0062 2780 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:20:00.0062 2780 EapHost - ok
18:20:00.0078 2780 ehdrv (a6823c79f80c1a76ab7f3f1f425e524c) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
18:20:00.0078 2780 ehdrv - ok
18:20:00.0125 2780 EhttpSrv (e23490618f4c7126583cf04795932070) C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
18:20:00.0140 2780 EhttpSrv - ok
18:20:00.0171 2780 ekrn (7f69964274272c4df172ad2d79014732) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
18:20:00.0171 2780 ekrn - ok
18:20:00.0203 2780 epfwtdir (efa0bbfbe9096e445961d18ef70317d8) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
18:20:00.0234 2780 epfwtdir - ok
18:20:00.0250 2780 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:20:00.0250 2780 ERSvc - ok
18:20:00.0281 2780 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
18:20:00.0281 2780 Eventlog - ok
18:20:00.0328 2780 EventSystem (19a799805b24990867b00c120d300c3a) C:\WINDOWS\system32\es.dll
18:20:00.0328 2780 EventSystem - ok
18:20:00.0343 2780 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:20:00.0359 2780 Fastfat - ok
18:20:00.0359 2780 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
18:20:00.0359 2780 FastUserSwitchingCompatibility - ok
18:20:00.0390 2780 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:20:00.0406 2780 Fdc - ok
18:20:00.0421 2780 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:20:00.0437 2780 Fips - ok
18:20:00.0453 2780 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:20:00.0468 2780 Flpydisk - ok
18:20:00.0500 2780 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:20:00.0515 2780 FltMgr - ok
18:20:00.0578 2780 FontCache3.0.0.0 (993883524aa9cf1c90e1545411a9ac9c) C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
18:20:00.0578 2780 FontCache3.0.0.0 - ok
18:20:00.0609 2780 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:20:00.0609 2780 Fs_Rec - ok
18:20:00.0625 2780 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:20:00.0640 2780 Ftdisk - ok
18:20:00.0656 2780 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:20:00.0671 2780 Gpc - ok
18:20:00.0703 2780 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
18:20:00.0703 2780 hamachi - ok
18:20:00.0734 2780 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:20:00.0750 2780 HDAudBus - ok
18:20:00.0812 2780 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:20:00.0812 2780 helpsvc - ok
18:20:00.0843 2780 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
18:20:00.0843 2780 HidServ - ok
18:20:00.0859 2780 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:20:00.0875 2780 hidusb - ok
18:20:00.0890 2780 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:20:00.0890 2780 hkmsvc - ok
18:20:00.0890 2780 hpn - ok
18:20:00.0906 2780 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:20:00.0921 2780 HTTP - ok
18:20:00.0953 2780 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:20:00.0953 2780 HTTPFilter - ok
18:20:00.0968 2780 hwinterface (448bb2fe30f1dde9eaa4f0e87b52b687) C:\WINDOWS\system32\Drivers\hwinterface.sys
18:20:00.0984 2780 hwinterface - ok
18:20:01.0000 2780 i2omgmt - ok
18:20:01.0000 2780 i2omp - ok
18:20:01.0015 2780 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:20:01.0046 2780 i8042prt - ok
18:20:01.0234 2780 ialm (f339b2e3a3f63cc14077d614a56a967b) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
18:20:01.0328 2780 ialm - ok
18:20:01.0359 2780 IBG_gds_db - ok
18:20:01.0359 2780 IBS_gds_db - ok
18:20:01.0437 2780 IDMTDI (18d128e762b58a6fd176ceca26e8cc5f) C:\WINDOWS\system32\DRIVERS\idmtdi.sys
18:20:01.0437 2780 IDMTDI - ok
18:20:01.0515 2780 idsvc (e7cc3aeaed9893a88876744cd439f76c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:20:01.0531 2780 idsvc - ok
18:20:01.0562 2780 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:20:01.0578 2780 Imapi - ok
18:20:01.0609 2780 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:20:01.0625 2780 ImapiService - ok
18:20:01.0625 2780 ini910u - ok
18:20:01.0781 2780 IntcAzAudAddService (0cacdcbbc8e6f11e2865c47bfc509848) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:20:01.0828 2780 IntcAzAudAddService - ok
18:20:01.0875 2780 IntelIde - ok
18:20:01.0906 2780 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:20:01.0921 2780 intelppm - ok
18:20:01.0937 2780 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:20:01.0953 2780 Ip6Fw - ok
18:20:01.0984 2780 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:20:02.0015 2780 IpFilterDriver - ok
18:20:02.0031 2780 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:20:02.0046 2780 IpInIp - ok
18:20:02.0062 2780 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:20:02.0078 2780 IpNat - ok
18:20:02.0109 2780 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:20:02.0125 2780 IPSec - ok
18:20:02.0156 2780 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:20:02.0156 2780 IRENUM - ok
18:20:02.0171 2780 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:20:02.0187 2780 isapnp - ok
18:20:02.0234 2780 ISODrive (d7ad3c72b9f956798a578a9e0d07b933) C:\Program Files\UltraISO\drivers\ISODrive.sys
18:20:02.0250 2780 ISODrive - ok
18:20:02.0296 2780 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
18:20:02.0296 2780 JavaQuickStarterService - ok
18:20:02.0312 2780 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:20:02.0328 2780 Kbdclass - ok
18:20:02.0343 2780 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:20:02.0359 2780 kbdhid - ok
18:20:02.0390 2780 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:20:02.0390 2780 kmixer - ok
18:20:02.0421 2780 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
18:20:02.0421 2780 KSecDD - ok
18:20:02.0453 2780 lanmanserver (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
18:20:02.0468 2780 lanmanserver - ok
18:20:02.0468 2780 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
18:20:02.0468 2780 lanmanworkstation - ok
18:20:02.0484 2780 lbrtfdc - ok
18:20:02.0500 2780 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:20:02.0500 2780 LmHosts - ok
18:20:02.0515 2780 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:20:02.0515 2780 Messenger - ok
18:20:02.0531 2780 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:20:02.0546 2780 mnmdd - ok
18:20:02.0578 2780 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:20:02.0578 2780 mnmsrvc - ok
18:20:02.0593 2780 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:20:02.0609 2780 Modem - ok
18:20:02.0656 2780 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
18:20:02.0703 2780 Monfilt - ok
18:20:02.0718 2780 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:20:02.0734 2780 Mouclass - ok
18:20:02.0765 2780 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:20:02.0781 2780 mouhid - ok
18:20:02.0812 2780 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:20:02.0828 2780 MountMgr - ok
18:20:02.0890 2780 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
18:20:02.0890 2780 MozillaMaintenance - ok
18:20:02.0890 2780 mraid35x - ok
18:20:02.0906 2780 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:20:02.0937 2780 MRxDAV - ok
18:20:02.0953 2780 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:20:02.0984 2780 MRxSmb - ok
18:20:02.0984 2780 msdirectx - ok
18:20:03.0015 2780 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:20:03.0015 2780 MSDTC - ok
18:20:03.0015 2780 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:20:03.0031 2780 Msfs - ok
18:20:03.0046 2780 MSIServer - ok
18:20:03.0078 2780 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:20:03.0093 2780 MSKSSRV - ok
18:20:03.0109 2780 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:20:03.0109 2780 MSPCLOCK - ok
18:20:03.0140 2780 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:20:03.0156 2780 MSPQM - ok
18:20:03.0156 2780 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:20:03.0171 2780 mssmbios - ok
18:20:03.0187 2780 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:20:03.0203 2780 MSTEE - ok
18:20:03.0234 2780 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:20:03.0250 2780 Mup - ok
18:20:03.0265 2780 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:20:03.0281 2780 NABTSFEC - ok
18:20:03.0312 2780 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:20:03.0328 2780 napagent - ok
18:20:03.0328 2780 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:20:03.0343 2780 NDIS - ok
18:20:03.0359 2780 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:20:03.0375 2780 NdisIP - ok
18:20:03.0406 2780 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:20:03.0421 2780 NdisTapi - ok
18:20:03.0437 2780 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:20:03.0453 2780 Ndisuio - ok
18:20:03.0484 2780 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:20:03.0500 2780 NdisWan - ok
18:20:03.0515 2780 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:20:03.0515 2780 NDProxy - ok
18:20:03.0531 2780 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:20:03.0546 2780 NetBIOS - ok
18:20:03.0562 2780 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:20:03.0578 2780 NetBT - ok
18:20:03.0609 2780 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:03.0609 2780 NetDDE - ok
18:20:03.0609 2780 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:03.0609 2780 NetDDEdsdm - ok
18:20:03.0640 2780 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:03.0640 2780 Netlogon - ok
18:20:03.0687 2780 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:20:03.0687 2780 Netman - ok
18:20:03.0750 2780 NetTcpPortSharing (f9102685f97f9ba85f4a70afcf722cfe) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:20:03.0750 2780 NetTcpPortSharing - ok
18:20:03.0781 2780 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
18:20:03.0796 2780 Nla - ok
18:20:03.0812 2780 npf (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
18:20:03.0812 2780 npf - ok
18:20:03.0828 2780 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:20:03.0843 2780 Npfs - ok
18:20:03.0843 2780 npggsvc - ok
18:20:03.0906 2780 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:20:03.0921 2780 Ntfs - ok
18:20:03.0937 2780 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:03.0937 2780 NtLmSsp - ok
18:20:03.0968 2780 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:20:03.0968 2780 NtmsSvc - ok
18:20:04.0000 2780 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:20:04.0015 2780 Null - ok
18:20:04.0031 2780 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:20:04.0031 2780 NwlnkFlt - ok
18:20:04.0046 2780 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:20:04.0062 2780 NwlnkFwd - ok
18:20:04.0156 2780 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
18:20:04.0156 2780 odserv - ok
18:20:04.0187 2780 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:20:04.0187 2780 ose - ok
18:20:04.0218 2780 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:20:04.0234 2780 Parport - ok
18:20:04.0250 2780 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:20:04.0265 2780 PartMgr - ok
18:20:04.0281 2780 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:20:04.0296 2780 ParVdm - ok
18:20:04.0312 2780 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:20:04.0328 2780 PCI - ok
18:20:04.0328 2780 PCIDump - ok
18:20:04.0343 2780 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:20:04.0343 2780 PCIIde - ok
18:20:04.0375 2780 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:20:04.0406 2780 Pcmcia - ok
18:20:04.0406 2780 PDCOMP - ok
18:20:04.0406 2780 PDFRAME - ok
18:20:04.0421 2780 PDRELI - ok
18:20:04.0421 2780 PDRFRAME - ok
18:20:04.0421 2780 perc2 - ok
18:20:04.0421 2780 perc2hib - ok
18:20:04.0453 2780 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
18:20:04.0453 2780 PlugPlay - ok
18:20:04.0484 2780 Pml Driver HPZ12 (d31f88c5f19eefa366a415d6bc5f2abc) C:\WINDOWS\system32\HPZipm12.exe
18:20:04.0484 2780 Pml Driver HPZ12 - ok
18:20:04.0515 2780 PnkBstrA (3a2e85f7d90d15460c337ce80c2e3b29) C:\WINDOWS\system32\PnkBstrA.exe
18:20:04.0515 2780 PnkBstrA - ok
18:20:04.0546 2780 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:04.0546 2780 PolicyAgent - ok
18:20:04.0546 2780 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:20:04.0562 2780 PptpMiniport - ok
18:20:04.0578 2780 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:04.0578 2780 ProtectedStorage - ok
18:20:04.0578 2780 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:20:04.0609 2780 PSched - ok
18:20:04.0625 2780 PSI_SVC_2 (543a4ef0923bf70d126625b034ef25af) c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
18:20:04.0625 2780 PSI_SVC_2 - ok
18:20:04.0656 2780 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:20:04.0671 2780 Ptilink - ok
18:20:04.0687 2780 pwdrvio (99cf0190f1f346cb0a0bbd1873683425) C:\WINDOWS\system32\pwdrvio.sys
18:20:04.0703 2780 pwdrvio - ok
18:20:04.0718 2780 pwdspio (57febcc5f8c577faad55b0ff2d617826) C:\WINDOWS\system32\pwdspio.sys
18:20:04.0718 2780 pwdspio - ok
18:20:04.0750 2780 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:20:04.0765 2780 PxHelp20 - ok
18:20:04.0765 2780 ql1080 - ok
18:20:04.0765 2780 Ql10wnt - ok
18:20:04.0765 2780 ql12160 - ok
18:20:04.0781 2780 ql1240 - ok
18:20:04.0781 2780 ql1280 - ok
18:20:04.0812 2780 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:20:04.0828 2780 RasAcd - ok
18:20:04.0843 2780 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:20:04.0843 2780 RasAuto - ok
18:20:04.0875 2780 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:20:04.0890 2780 Rasl2tp - ok
18:20:04.0906 2780 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:20:04.0906 2780 RasMan - ok
18:20:04.0921 2780 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:20:04.0937 2780 RasPppoe - ok
18:20:04.0953 2780 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:20:04.0968 2780 Raspti - ok
18:20:05.0000 2780 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:20:05.0046 2780 Rdbss - ok
18:20:05.0078 2780 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:20:05.0093 2780 RDPCDD - ok
18:20:05.0109 2780 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:20:05.0125 2780 rdpdr - ok
18:20:05.0156 2780 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:20:05.0187 2780 RDPWD - ok
18:20:05.0218 2780 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:20:05.0218 2780 RDSessMgr - ok
18:20:05.0250 2780 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:20:05.0265 2780 redbook - ok
18:20:05.0281 2780 regi (24d3b49dab660a8b8afa40240e735e24) C:\WINDOWS\system32\drivers\regi.sys
18:20:05.0281 2780 regi - ok
18:20:05.0312 2780 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:20:05.0328 2780 RemoteAccess - ok
18:20:05.0343 2780 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
18:20:05.0343 2780 RemoteRegistry - ok
18:20:05.0359 2780 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:20:05.0359 2780 RpcLocator - ok
18:20:05.0406 2780 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
18:20:05.0406 2780 RpcSs - ok
18:20:05.0437 2780 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:20:05.0437 2780 RSVP - ok
18:20:05.0468 2780 RTLE8023xp (00fd6811350e175585abcf7d4a61dd90) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
18:20:05.0468 2780 RTLE8023xp - ok
18:20:05.0468 2780 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:05.0468 2780 SamSs - ok
18:20:05.0500 2780 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:20:05.0500 2780 SCardSvr - ok
18:20:05.0531 2780 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:20:05.0531 2780 Schedule - ok
18:20:05.0546 2780 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:20:05.0562 2780 Secdrv - ok
18:20:05.0593 2780 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:20:05.0593 2780 seclogon - ok
18:20:05.0593 2780 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:20:05.0593 2780 SENS - ok
18:20:05.0609 2780 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:20:05.0625 2780 serenum - ok
18:20:05.0625 2780 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:20:05.0656 2780 Serial - ok
18:20:05.0671 2780 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:20:05.0687 2780 Sfloppy - ok
18:20:05.0718 2780 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:20:05.0734 2780 SharedAccess - ok
18:20:05.0734 2780 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
18:20:05.0734 2780 ShellHWDetection - ok
18:20:05.0750 2780 Simbad - ok
18:20:05.0750 2780 slicedisk.sys - ok
18:20:05.0796 2780 SliceDisk5 - ok
18:20:05.0828 2780 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:20:05.0843 2780 SLIP - ok
18:20:05.0843 2780 sonypvs1 - ok
18:20:05.0843 2780 Sparrow - ok
18:20:05.0859 2780 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:20:05.0875 2780 splitter - ok
18:20:05.0906 2780 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
18:20:05.0906 2780 Spooler - ok
18:20:05.0937 2780 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:20:05.0953 2780 sr - ok
18:20:05.0968 2780 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:20:05.0984 2780 srservice - ok
18:20:06.0000 2780 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
18:20:06.0015 2780 Srv - ok
18:20:06.0031 2780 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:20:06.0046 2780 SSDPSRV - ok
18:20:06.0046 2780 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:20:06.0062 2780 stisvc - ok
18:20:06.0078 2780 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:20:06.0093 2780 streamip - ok
18:20:06.0125 2780 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:20:06.0140 2780 swenum - ok
18:20:06.0156 2780 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:20:06.0187 2780 swmidi - ok
18:20:06.0187 2780 SwPrv - ok
18:20:06.0187 2780 symc810 - ok
18:20:06.0203 2780 symc8xx - ok
18:20:06.0203 2780 sym_hi - ok
18:20:06.0203 2780 sym_u3 - ok
18:20:06.0218 2780 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:20:06.0218 2780 sysaudio - ok
18:20:06.0250 2780 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:20:06.0250 2780 SysmonLog - ok
18:20:06.0265 2780 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:20:06.0265 2780 TapiSrv - ok
18:20:06.0296 2780 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:20:06.0312 2780 Tcpip - ok
18:20:06.0343 2780 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:20:06.0359 2780 TDPIPE - ok
18:20:06.0375 2780 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:20:06.0390 2780 TDTCP - ok
18:20:06.0406 2780 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:20:06.0453 2780 TermDD - ok
18:20:06.0468 2780 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:20:06.0468 2780 TermService - ok
18:20:06.0500 2780 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
18:20:06.0500 2780 Themes - ok
18:20:06.0531 2780 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
18:20:06.0531 2780 TlntSvr - ok
18:20:06.0531 2780 TosIde - ok
18:20:06.0546 2780 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:20:06.0562 2780 TrkWks - ok
18:20:06.0578 2780 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:20:06.0593 2780 Udfs - ok
18:20:06.0593 2780 ultra - ok
18:20:06.0625 2780 UMWdf (c81b8635dee0d3ef5f64b3dd643023a5) C:\WINDOWS\system32\wdfmgr.exe
18:20:06.0625 2780 UMWdf - ok
18:20:06.0656 2780 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:20:06.0687 2780 Update - ok
18:20:06.0718 2780 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:20:06.0718 2780 upnphost - ok
18:20:06.0734 2780 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:20:06.0734 2780 UPS - ok
18:20:06.0750 2780 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:20:06.0765 2780 usbaudio - ok
18:20:06.0796 2780 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:20:06.0812 2780 usbccgp - ok
18:20:06.0843 2780 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:20:06.0859 2780 usbehci - ok
18:20:06.0859 2780 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:20:06.0875 2780 usbhub - ok
18:20:06.0906 2780 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:20:06.0921 2780 usbprint - ok
18:20:06.0921 2780 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:20:06.0937 2780 USBSTOR - ok
18:20:06.0968 2780 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:20:06.0984 2780 usbuhci - ok
18:20:07.0000 2780 usedisk (a622297b53768818832f25e48e552119) C:\WINDOWS\system32\DRIVERS\usedisk.sys
18:20:07.0015 2780 usedisk - ok
18:20:07.0046 2780 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:20:07.0062 2780 VgaSave - ok
18:20:07.0062 2780 ViaIde - ok
18:20:07.0062 2780 VMnetAdapter - ok
18:20:07.0093 2780 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:20:07.0109 2780 VolSnap - ok
18:20:07.0140 2780 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:20:07.0140 2780 VSS - ok
18:20:07.0156 2780 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:20:07.0156 2780 W32Time - ok
18:20:07.0171 2780 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:20:07.0187 2780 Wanarp - ok
18:20:07.0187 2780 WDICA - ok
18:20:07.0234 2780 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:20:07.0250 2780 wdmaud - ok
18:20:07.0265 2780 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:20:07.0265 2780 WebClient - ok
18:20:07.0312 2780 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:20:07.0312 2780 winmgmt - ok
18:20:07.0359 2780 WmdmPmSN (a477391b7a8b0a0daabadb17cf533a4b) C:\WINDOWS\system32\mspmsnsv.dll
18:20:07.0359 2780 WmdmPmSN - ok
18:20:07.0406 2780 Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
18:20:07.0421 2780 Wmi - ok
18:20:07.0453 2780 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:20:07.0453 2780 WmiApSrv - ok
18:20:07.0453 2780 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:20:07.0468 2780 WS2IFSL - ok
18:20:07.0500 2780 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:20:07.0515 2780 WSTCODEC - ok
18:20:07.0531 2780 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:20:07.0546 2780 wuauserv - ok
18:20:07.0578 2780 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:20:07.0593 2780 WZCSVC - ok
18:20:07.0593 2780 XDva361 - ok
18:20:07.0593 2780 XDva392 - ok
18:20:07.0625 2780 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:20:07.0656 2780 xmlprov - ok
18:20:07.0703 2780 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (74ec37b9eaf9fca015b933a526825c7a) C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl
18:20:07.0718 2780 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} - ok
18:20:07.0718 2780 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:20:08.0015 2780 \Device\Harddisk0\DR0 - ok
18:20:08.0015 2780 Boot (0x1200) (54d7a0e4c301fe049b01337be1b42f7f) \Device\Harddisk0\DR0\Partition0
18:20:08.0015 2780 \Device\Harddisk0\DR0\Partition0 - ok
18:20:08.0031 2780 Boot (0x1200) (044518dbe615792a2ebc4f5bed54cf8e) \Device\Harddisk0\DR0\Partition1
18:20:08.0031 2780 \Device\Harddisk0\DR0\Partition1 - ok
18:20:08.0031 2780 ============================================================
18:20:08.0031 2780 Scan finished
18:20:08.0031 2780 ============================================================
18:20:08.0046 2480 Detected object count: 1
18:20:08.0046 2480 Actual detected object count: 1
18:20:14.0343 2480 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine
18:20:14.0812 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\@ - copied to quarantine
18:20:14.0812 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\cfg.ini - copied to quarantine
18:20:14.0812 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\Desktop.ini - copied to quarantine
18:20:15.0171 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\L\hkmgaxin - copied to quarantine
18:20:15.0187 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\twl.dll - copied to quarantine
18:20:15.0250 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000001.@ - copied to quarantine
18:20:15.0265 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000002.@ - copied to quarantine
18:20:15.0281 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000004.@ - copied to quarantine
18:20:15.0281 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000000.@ - copied to quarantine
18:20:15.0609 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000004.@ - copied to quarantine
18:20:15.0609 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000032.@ - copied to quarantine
18:20:16.0000 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\version - copied to quarantine
18:20:16.0968 2480 Backup copy found, using it..
18:20:17.0015 2480 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
18:20:18.0468 2480 C:\WINDOWS\$NtUninstallKB7298$\2075558266 - will be deleted on reboot
18:20:18.0468 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\@ - will be deleted on reboot
18:20:18.0468 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\cfg.ini - will be deleted on reboot
18:20:18.0468 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\Desktop.ini - will be deleted on reboot
18:20:18.0656 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\twl.dll - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000001.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000002.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\00000004.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000000.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000004.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\U\80000032.@ - will be deleted on reboot
18:20:18.0671 2480 C:\WINDOWS\$NtUninstallKB7298$\785986139\version - will be deleted on reboot
18:20:18.0671 2480 AFD ( Virus.Win32.ZAccess.k ) - User select action: Cure
18:20:31.0140 3284 Deinitialize success

ComboFix 12-05-17.08 - Bornmatrix 05/18/2012 18:31:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2009.1409 [GMT 8:00]
Running from: c:\documents and settings\Bornmatrix\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\documents and settings\All Users\Application Data\33AAB94C00.sys
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}\PostBuild.exe
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\chrome.manifest
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmcchandler.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmcchandler64.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmhelper.js
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmhelper2.js
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmhelper3.js
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmmzcc.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\idmmzcc64.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\iIDMHelper.xpt
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\iIDMHelper2.xpt
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\iIDMHelper3.xpt
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components2\iIDMMzCC.xpt
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components5\idmmzcc.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\components5\idmmzcc64.dll
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\install.js
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\install.rdf
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\META-INF\manifest.mf
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\documents and settings\Bornmatrix\Application Data\IDM\idmmzcc3\META-INF\zigbert.sf
c:\documents and settings\Bornmatrix\Local Settings\Application Data\bonus.exe
c:\documents and settings\Bornmatrix\Local Settings\Application Data\Setup.exe
c:\documents and settings\Bornmatrix\Local Settings\Application Data\updater.exe
c:\documents and settings\Bornmatrix\SendTo\RemoveOnReboot.exe
c:\program files\Smadav 2012 Rev. 8.9.exe
c:\windows\system32\bootc0g.exe
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\hwinterface.sys
c:\windows\system32\paypal.url
c:\windows\system32\roboot.exe
c:\windows\system32\Temp
c:\windows\system32\VIRepair
c:\windows\system32\winx.url
c:\windows\taskmgr.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_msdirectx
-------\Legacy_hwinterface
-------\Service_hwinterface
.
.
((((((((((((((((((((((((( Files Created from 2012-04-18 to 2012-05-18 )))))))))))))))))))))))))))))))
.
.
2012-05-18 10:20 . 2012-05-18 10:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-16 09:33 . 2012-05-16 09:33 388096 ----a-r- c:\documents and settings\Bornmatrix\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-16 09:33 . 2012-05-16 09:33 -------- d-----w- c:\program files\Trend Micro
2012-05-16 00:55 . 2009-01-15 07:46 60416 ----a-w- c:\windows\system32\antiwpa.dll
2012-05-15 13:58 . 2012-05-16 12:53 -------- d-----w- C:\xampp
2012-05-14 15:24 . 2012-05-15 10:53 -------- d-----w- c:\program files\X-pack
2012-05-14 12:46 . 2012-05-15 16:00 -------- d-----w- c:\program files\FlashBoot
2012-05-13 14:55 . 2012-05-13 23:37 -------- d-sh--r- c:\windows\S-1-5-21-1700724368-7596393281-319339953-0402
2012-05-13 11:13 . 2012-05-13 11:14 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-05-13 06:54 . 2012-05-13 06:54 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ESET
2012-05-12 17:08 . 2012-05-13 11:13 -------- d-----w- c:\documents and settings\Bornmatrix\Application Data\Nico Mak Computing
2012-05-08 02:56 . 2012-05-08 02:56 -------- d-----w- c:\documents and settings\Bornmatrix\Local Settings\Application Data\Opera
2012-05-05 13:45 . 2012-05-05 13:47 -------- d-----w- c:\windows\system32\C2MP
2012-05-01 12:31 . 2012-05-16 09:54 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-30 10:55 . 2012-04-30 10:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-30 10:55 . 2012-04-30 10:55 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-30 10:55 . 2012-04-30 10:55 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-28 04:39 . 2012-04-28 04:39 138904 ----a-w- c:\documents and settings\Bornmatrix\Application Data\PnkBstrK.sys
2012-04-22 20:14 . 2012-04-22 20:14 3515392 ----a-w- c:\windows\system32\ffdshow.ax
2012-04-22 20:12 . 2012-04-22 20:12 4424704 ----a-w- c:\windows\system32\ffmpeg.dll
2012-04-19 15:46 . 2012-04-19 15:46 -------- d-----w- c:\documents and settings\Bornmatrix\Local Settings\Application Data\Pando_Temp
2012-04-19 13:02 . 2012-05-13 10:44 140232 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-04-19 13:02 . 2012-05-13 10:44 283416 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-04-19 13:02 . 2012-05-01 12:14 283416 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-04-19 13:02 . 2012-05-13 10:44 283416 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-04-19 13:01 . 2012-04-19 13:01 -------- d-----w- c:\windows\system32\LogFiles
2012-04-19 13:01 . 2012-04-28 04:39 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-04-19 13:01 . 2012-04-19 13:01 -------- d-----w- c:\documents and settings\Bornmatrix\Local Settings\Application Data\PunkBuster
2012-04-19 12:58 . 2012-04-19 12:58 -------- d-----w- c:\program files\NVIDIA Corporation
2012-04-19 12:58 . 2012-04-19 12:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-18 10:20 . 2008-04-14 12:00 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-05-16 09:54 . 2011-05-23 22:49 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 18:37 . 2011-03-24 09:21 17408 ----a-w- C:\psapi.dll
2012-05-11 04:25 . 2011-01-20 12:13 3036 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2012-04-10 01:26 . 2012-04-10 01:26 12920 ----a-w- c:\windows\system32\apl001.sys
2012-04-10 01:26 . 2012-04-10 01:26 10872 ----a-w- c:\windows\system32\apf001.sys
2012-04-08 23:40 . 2012-04-08 23:40 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-04-08 23:39 . 2012-04-08 23:39 260608 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2012-04-08 23:39 . 2012-04-08 23:39 99840 ----a-w- c:\windows\system32\ff_wmv9.dll
2012-04-08 23:39 . 2012-04-08 23:39 158720 ----a-w- c:\windows\system32\ff_unrar.dll
2012-04-08 23:39 . 2012-04-08 23:39 1525248 ----a-w- c:\windows\system32\ff_samplerate.dll
2012-04-08 23:39 . 2012-04-08 23:39 146944 ----a-w- c:\windows\system32\ff_libmad.dll
2012-04-08 23:39 . 2012-04-08 23:39 212480 ----a-w- c:\windows\system32\ff_libdts.dll
2012-04-08 23:39 . 2012-04-08 23:39 115200 ----a-w- c:\windows\system32\ff_liba52.dll
2012-04-08 23:39 . 2012-04-08 23:39 328704 ----a-w- c:\windows\system32\ff_libfaad2.dll
2012-03-29 14:21 . 2012-03-29 14:21 606720 ----a-w- c:\windows\system32\LAVVideo.ax
2012-03-29 14:21 . 2012-03-29 14:21 462848 ----a-w- c:\windows\system32\LAVSplitter.ax
2012-03-29 14:21 . 2012-03-29 14:21 217600 ----a-w- c:\windows\system32\LAVAudio.ax
2012-03-29 14:21 . 2012-03-29 14:21 172032 ----a-w- c:\windows\system32\libbluray.dll
2012-03-29 14:21 . 2012-03-29 14:21 6582226 ----a-w- c:\windows\system32\avcodec-lav-54.dll
2012-03-29 14:21 . 2012-03-29 14:21 374152 ----a-w- c:\windows\system32\swscale-lav-2.dll
2012-03-29 14:21 . 2012-03-29 14:21 207872 ----a-w- c:\windows\system32\avutil-lav-51.dll
2012-03-29 14:21 . 2012-03-29 14:21 144523 ----a-w- c:\windows\system32\avfilter-lav-2.dll
2012-03-29 14:21 . 2012-03-29 14:21 1152365 ----a-w- c:\windows\system32\avformat-lav-54.dll
2012-03-27 15:08 . 2012-03-27 15:08 267264 ----a-w- c:\windows\system32\IntelQuickSyncDecoder.dll
2012-02-26 15:30 . 2012-02-26 15:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-26 15:30 . 2011-01-02 14:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-01 15:36 . 2012-04-03 15:35 103936 ----a-w- c:\program files\SmadEngine.dll
2011-07-10 09:45 . 2012-04-03 15:35 73728 ----a-w- c:\program files\Smadav-Updater.exe
2010-02-19 10:26 . 2012-04-03 15:35 97792 ----a-w- c:\program files\SmadExtc.dll
2006-06-15 12:33 . 2011-01-01 16:29 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 10:43 . 2011-01-01 16:29 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 06:41 . 2011-01-01 16:29 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 05:10 . 2011-01-01 16:29 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 04:19 . 2011-01-01 16:29 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 10:35 . 2011-01-01 16:29 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 03:10 . 2011-01-01 16:29 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 03:42 . 2011-01-01 16:29 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 03:22 . 2011-01-01 16:29 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 03:21 . 2011-01-01 16:29 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2012-04-30 10:55 . 2011-05-10 10:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-04-16 3293184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM?RT-Protection"="c:\program files\Smadav\SM?RTP.exe" [?]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-24 2145000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-01 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-01 142872]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-02 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-08-26 75048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Lan Diagnostic Tool"="c:\program files\Lan Diagnostic Tool\landiagnostictool.exe" [2012-03-11 266240]
.
c:\documents and settings\Pelanggan\Start Menu\Programs\Startup\
RocketDock.lnk - c:\program files\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]
TransBar.lnk - c:\program files\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-2 65536]
.
c:\documents and settings\Bornmatrix\Start Menu\Programs\Startup\
RocketDock.lnk - c:\program files\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]
TransBar.lnk - c:\program files\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-2 65536]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SYSQINTP]
@="LegacyDriver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secure Tunnel.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secure Tunnel.lnk
backup=c:\windows\pss\Secure Tunnel.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gemscool\\PointBlank\\PointBlank.exe"=
"d:\\Gimmers\\Prototype\\prototypef.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Gimmers\\APB Reloaded\\Binaries\\APB.exe"=
"d:\\Gimmers\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\Program Files\\BillingExplorer Ver DeskPro 6 2007\\billing.exe"=
"c:\\Program Files\\phpDesigner 7\\phpDesigner.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/24/2010 8:31 PM 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/24/2010 8:33 PM 95872]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [6/23/2011 11:50 PM 101360]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2012/01/28 17:31];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [8/26/2010 12:18 PM 87536]
R2 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [8/30/2008 3:00 AM 65536]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/24/2010 8:31 PM 810120]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2/5/2012 10:44 PM 13880]
S2 IBG_gds_db;InterBase 2009 Guardian gds_db;c:\codegear\InterBase\bin\ibguard.exe -i "c:\codegear\InterBase" -p gds_db --> c:\codegear\InterBase\bin\ibguard.exe -i c:\codegear\InterBase [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/9/2010 5:57 AM 1684736]
S3 apf001;apf001;\??\d:\gimmers\SoftnyxGame\GunboundIDS\apf001.sys --> d:\gimmers\SoftnyxGame\GunboundIDS\apf001.sys [?]
S3 CEDRIVER60;CEDRIVER60;c:\program files\Cheat Engine 6.1\dbk32.sys [10/22/2011 9:47 PM 72576]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 IBS_gds_db;InterBase 2009 Server gds_db;c:\codegear\InterBase\bin\ibserver.exe -i "c:\codegear\InterBase" -p gds_db --> c:\codegear\InterBase\bin\ibserver.exe -i c:\codegear\InterBase [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/30/2012 6:55 PM 129976]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2011 7:43 AM 35088]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [3/2/2011 12:09 PM 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [3/2/2011 12:09 PM 11088]
S3 slicedisk.sys;slicedisk.sys;\??\c:\windows\system32\slicedisk.sys --> c:\windows\system32\slicedisk.sys [?]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\BORNMA~1\LOCALS~1\Temp\FindAndMount\slicedisk.sys --> c:\docume~1\BORNMA~1\LOCALS~1\Temp\FindAndMount\slicedisk.sys [?]
S3 usedisk;USEDisk Driver;c:\windows\system32\drivers\usedisk.sys [4/26/2011 5:57 PM 17408]
S3 XDva361;XDva361;\??\c:\windows\system32\XDva361.sys --> c:\windows\system32\XDva361.sys [?]
S3 XDva392;XDva392;\??\c:\windows\system32\XDva392.sys --> c:\windows\system32\XDva392.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1960408961-839522115-1003Core.job
- c:\documents and settings\Bornmatrix\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 05:08]
.
2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1960408961-839522115-1003UA.job
- c:\documents and settings\Bornmatrix\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 05:08]
.
2012-05-18 c:\windows\Tasks\Registry Optimizer_DEFAULT.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-05-13 11:14]
.
2012-05-16 c:\windows\Tasks\Registry Optimizer_UPDATES.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-05-13 11:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchnu.com/406
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=0&systemid=406&sr=0&q={searchTerms}
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{634B5EEA-B34A-4EEF-9699-FB06DFAC1451}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Bornmatrix\Application Data\Mozilla\Firefox\Profiles\2w08g7og.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.id/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=406&sr=0&q=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 64.64.197.160
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-WinDLL (service.exe) - service.exe
SafeBoot-06422813.sys
MSConfigStartUp-a001 - c:\program files\LClock\LClock.exe
MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-18 23:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0b8158a6-3419-48cd-98e8-efb28ced34a3}]
@Denied: (Full) (Everyone)
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):19,bb,26,63,53,23,5b,64,2a,77,89,3f,e0,91,ef,d3,0c,2e,ac,da,39,
dc,bc,37,8a,1f,67,19,19,59,5a,a9,02,12,0a,27,28,57,e4,d8,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\antiwpa.dll
.
- - - - - - - > 'explorer.exe'(356)
c:\program files\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Lan Diagnostic Tool\ldtbandwidthmonitor.exe
.
**************************************************************************
.
Completion time: 2012-05-18 23:09:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-18 15:09
.
Pre-Run: 13,533,745,152 bytes free
Post-Run: 13,400,326,144 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 51FF3947526CD71A8FA7F425FDD3C31A

about my computer:
===================
I think I'm not so sure about my computer's performance: CPU resources were used up before, for a period of 5 to 10 minutes, when I did not run any programs.
But now the CPU usage looks normal on my computer, and ESET did not detect the virus in memory or on disk, which makes me happy :lol: :
Scan Log
Version of virus signature database: 7148 (20120518)
Date: 5/18/2012 Time: 11:21:12 PM
Scanned disks, folders and files: Operating memory
Number of scanned objects: 364
Number of threats found: 0
Time of completion: 11:21:14 PM Total scanning time: 2 sec (00:00:02)

I am very happy for your help in guiding me to remove the virus. Do you think I am free from the virus or not?

#4 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 May 2012 - 05:29 PM

Hello,

It looks as if the virus is gone. Let's run a couple of other scanners to make sure you have no leftovers.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


2.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 riyan - Topic Starter, Members, 3 posts

Posted 20 May 2012 - 08:29 AM

hello again fireman4it

this the logs:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.20.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Bornmatrix :: BILLING [administrator]

Protection: Enabled

5/20/2012 8:23:33 PM
mbam-log-2012-05-20 (20-23-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204386
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> No action taken.

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (PUP.Wpakill) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (Trojan.I.Stole.Windows) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> No action taken.
C:\WINDOWS\system32\antiwpa.dll25077 (PUP.Wpakill) -> No action taken.
C:\WINDOWS\system32\antiwpa.dll6CE7E (PUP.Wpakill) -> No action taken.
C:\WINDOWS\system32\antiwpa.dllEB88 (PUP.Wpakill) -> No action taken.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> No action taken.
C:\Documents and Settings\Bornmatrix\Local Settings\temp\HBCD\ProduKey.exe (PUP.PSWTool.ProductKey) -> Quarantined and deleted successfully.

(end)

just antiwpa.dll was detected and I do not want to remove it because when I removed it I couldn't log on to Windows :lmao:
thank you for your help and your patience in guiding me, I think now my computer is free from viruses.

thanks and very good job :thumbsup: :thumbsup: :thumbsup:

see you :heart:

riyan

#6 fireman4it - Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA

Posted 20 May 2012 - 11:09 AM

Hello,

Since you are using an illegal copy of Windows I will no longer be able to assist you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users