Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect, searchnu.com Malware Help!


  • This topic is locked This topic is locked
22 replies to this topic

#1 Dangbro

Dangbro

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 30 May 2012 - 01:21 AM

Hi, I started a thread earlier located here- My link Since then I have ran the DDS scan and the gmer scan and saved both the logs which I will post. However Safari is now my only browser that is working correctly, and all my other browsers won't let my email show up and redirects me with searchnu.com. Thanks for the help really digging this site. Here are the logs DDS followed by gmer and security scan, hope this is the right way to do this.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by CGroskie at 20:11:51 on 2012-05-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1129 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Users\CGroskie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Safari\Apple Application Support\WebKit2WebProcess.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mStart Page = hxxp://home.sweetim.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Spotify Web Helper] "c:\users\cgroskie\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{21D5FA56-C953-4D5A-8C38-4C6A8A5CD3E8} : DhcpNameServer = 67.211.82.2 67.211.82.3
TCP: Interfaces\{FF760607-1879-4406-AC47-128752A558DA} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 257696]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-1 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-24 40776]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-20 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-25 04:54:34 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{abb28e83-c63c-4eb2-a709-34a11b655a7c}\offreg.dll
2012-05-25 04:44:28 -------- d-----w- c:\programdata\boost_interprocess
2012-05-25 04:37:28 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-25 04:18:12 -------- d-----w- c:\users\cgroskie\appdata\local\Ilivid Player
2012-05-25 03:37:56 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-25 03:37:39 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8575ea89-e238-47aa-9df9-7e5edcdaa6bc}\mpengine.dll
2012-05-23 20:04:14 -------- d-----w- c:\users\cgroskie\appdata\roaming\StreamTorrent
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-05-21 21:18:34 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-05-21 19:19:50 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-21 19:19:50 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-21 19:19:49 2044928 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-05-21 19:24:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-21 19:24:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 02:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 12:39:11 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39:19 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-03-28 22:51:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 02:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 02:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-03-01 14:46:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-01 14:46:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
.
============= FINISH: 20:12:40.42 ===============





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-30 00:00:58
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\Users\CGroskie\AppData\Local\Temp\fwlyrkog.sys


---- System - GMER 1.0.15 ----

INT 0x61 ? 90AC0A50
INT 0x71 ? 90AC0CD0

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B55A480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B59B900, 0x3CA, 0x48000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




Results of screen317's Security Check version 0.99.41
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 31
Java™ 6 Update 6
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Flash Player 11.2.202.235
Adobe Reader 8 Adobe Reader out of date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 9 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````

Edited by Dangbro, 30 May 2012 - 01:36 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 31 May 2012 - 02:11 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 31 May 2012 - 01:54 PM

Hi Gringo, Thanks a lot for your help! I have the 2 logs you requested. While I was running the combofix scan windows shut down "PVE.exe" because it wasn't responding, not sure what that was. I noticed the scan was still going so I just let it run till it was finished. After the scans I went to check if Google Chrome was still redirecting me with searchnu.com and happy to say it wasn't. I then went to check if my email would show up on IE and Google chrome and it did as well. So those scans definitely seemed to help. From looking at other topics I am sure there are still more scans to run, so I will await your next directions, and let me know if you need any more information about my situation.


Results of screen317's Security Check version 0.99.41
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 31
Java™ 6 Update 6
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Flash Player 11.2.202.235
Adobe Reader 8 Adobe Reader out of date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 10 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````




ComboFix 12-05-31.02 - CGroskie 05/29/2012 23:44:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1230 [GMT -6:00]
Running from: c:\users\CGroskie\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
.
.
2012-05-30 05:58 . 2012-05-30 05:59 -------- d-----w- c:\users\CGroskie\AppData\Local\temp
2012-05-30 05:58 . 2012-05-30 05:58 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-05-30 05:58 . 2012-05-30 05:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-30 02:11 . 2012-05-30 02:11 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKsl630bf4b2.sys
2012-05-30 02:11 . 2012-05-30 02:11 100864 ----a-w- C:\fwlyrkog.sys
2012-05-30 02:11 . 2012-05-08 15:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\mpengine.dll
2012-05-30 02:10 . 2012-05-30 02:10 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKslf70edea3.sys
2012-05-30 02:10 . 2012-05-30 02:10 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\offreg.dll
2012-05-25 04:54 . 2012-05-25 04:54 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABB28E83-C63C-4EB2-A709-34A11B655A7C}\offreg.dll
2012-05-25 04:44 . 2012-05-25 04:44 -------- d-----w- c:\programdata\boost_interprocess
2012-05-25 04:37 . 2012-05-25 04:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-25 04:18 . 2012-05-25 04:18 -------- d-----w- c:\users\CGroskie\AppData\Local\Ilivid Player
2012-05-25 03:37 . 2012-05-08 15:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-25 03:24 . 2012-05-25 03:24 -------- d-----w- c:\users\CGroskie\AppData\Roaming\vlc
2012-05-23 20:04 . 2012-05-23 20:04 -------- d-----w- c:\users\CGroskie\AppData\Roaming\StreamTorrent
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-05-21 21:17 . 2012-05-21 21:18 -------- d-----w- c:\program files\QuickTime
2012-05-21 19:19 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-21 19:19 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-21 19:19 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-21 19:24 . 2012-03-28 22:42 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-21 19:24 . 2011-12-27 19:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 02:56 . 2012-04-19 02:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56 . 2012-04-19 02:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56 . 2010-08-09 21:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-28 23:09 . 2012-03-28 23:09 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8B108CFA-578F-4D90-8B68-CFB2D4CA6E9B}\gapaengine.dll
2012-03-28 22:51 . 2011-04-20 00:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 02:44 . 2011-04-27 21:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 02:44 . 2011-04-18 19:18 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-14 02:15 . 2012-03-28 07:20 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABB28E83-C63C-4EB2-A709-34A11B655A7C}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 04:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-25 01:21 1299248 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-25 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"Spotify Web Helper"="c:\users\CGroskie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-04-17 932528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 257696]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF70EDEA3
*Deregistered* - fwlyrkog
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 19:24]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 09:08]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 09:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://home.sweetim.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-DriverFinder - c:\program files\DriverFinder\DriverFinder.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-29 23:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-05-30 00:03:59
ComboFix-quarantined-files.txt 2012-05-30 06:03
.
Pre-Run: 136,378,699,776 bytes free
Post-Run: 137,283,166,208 bytes free
.
- - End Of File - - C656637F349A2B52491D47E6188CCB45

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 31 May 2012 - 08:35 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 01 June 2012 - 12:10 AM

Here are the reports you asked for. The TDSS went just fine. The first time I ran the aswMBR it looked like it found some malware highlighted in yellow, and about halfway through the scan I got a blue screen saying. "Windows shut down your computer to avoid damage" or something like that and then started doing a memory dump. The comp then restarted and I signed back in and ran another aswMBR scan that went smoothly. Here are the results.


13:51:14.0065 5472 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
13:51:14.0557 5472 ============================================================
13:51:14.0557 5472 Current date / time: 2012/05/31 13:51:14.0557
13:51:14.0557 5472 SystemInfo:
13:51:14.0557 5472
13:51:14.0558 5472 OS Version: 6.0.6002 ServicePack: 2.0
13:51:14.0558 5472 Product type: Workstation
13:51:14.0558 5472 ComputerName: CGROSKIE-PC
13:51:14.0558 5472 UserName: CGroskie
13:51:14.0558 5472 Windows directory: C:\Windows
13:51:14.0558 5472 System windows directory: C:\Windows
13:51:14.0558 5472 Processor architecture: Intel x86
13:51:14.0558 5472 Number of processors: 2
13:51:14.0558 5472 Page size: 0x1000
13:51:14.0558 5472 Boot type: Normal boot
13:51:14.0559 5472 ============================================================
13:51:15.0348 5472 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
13:51:15.0420 5472 ============================================================
13:51:15.0420 5472 \Device\Harddisk0\DR0:
13:51:15.0553 5472 MBR partitions:
13:51:15.0554 5472 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x1CED7000
13:51:15.0554 5472 ============================================================
13:51:15.0585 5472 C: <-> \Device\Harddisk0\DR0\Partition0
13:51:15.0585 5472 ============================================================
13:51:15.0585 5472 Initialize success
13:51:15.0585 5472 ============================================================
13:51:28.0550 3848 ============================================================
13:51:28.0550 3848 Scan started
13:51:28.0550 3848 Mode: Manual;
13:51:28.0550 3848 ============================================================
13:51:29.0155 3848 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
13:51:29.0180 3848 ACPI - ok
13:51:29.0288 3848 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
13:51:29.0295 3848 AdobeFlashPlayerUpdateSvc - ok
13:51:29.0416 3848 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
13:51:29.0458 3848 adp94xx - ok
13:51:29.0514 3848 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
13:51:29.0557 3848 adpahci - ok
13:51:29.0585 3848 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
13:51:29.0589 3848 adpu160m - ok
13:51:29.0629 3848 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
13:51:29.0639 3848 adpu320 - ok
13:51:29.0686 3848 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
13:51:29.0688 3848 AeLookupSvc - ok
13:51:29.0766 3848 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
13:51:29.0780 3848 AFD - ok
13:51:29.0835 3848 AgereModemAudio (39e435c90c9c4f780fa0ed05ca3c3a1b) C:\Windows\system32\agrsmsvc.exe
13:51:29.0837 3848 AgereModemAudio - ok
13:51:30.0084 3848 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
13:51:30.0137 3848 AgereSoftModem - ok
13:51:30.0181 3848 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
13:51:30.0184 3848 agp440 - ok
13:51:30.0220 3848 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
13:51:30.0224 3848 aic78xx - ok
13:51:30.0269 3848 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
13:51:30.0271 3848 ALG - ok
13:51:30.0288 3848 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
13:51:30.0290 3848 aliide - ok
13:51:30.0322 3848 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
13:51:30.0324 3848 amdagp - ok
13:51:30.0346 3848 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
13:51:30.0348 3848 amdide - ok
13:51:30.0367 3848 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
13:51:30.0369 3848 AmdK7 - ok
13:51:30.0382 3848 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
13:51:30.0384 3848 AmdK8 - ok
13:51:30.0428 3848 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
13:51:30.0431 3848 Appinfo - ok
13:51:31.0018 3848 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:51:31.0021 3848 Apple Mobile Device - ok
13:51:31.0093 3848 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
13:51:31.0096 3848 arc - ok
13:51:31.0136 3848 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
13:51:31.0139 3848 arcsas - ok
13:51:31.0174 3848 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
13:51:31.0176 3848 AsyncMac - ok
13:51:31.0213 3848 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
13:51:31.0214 3848 atapi - ok
13:51:31.0321 3848 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
13:51:31.0355 3848 AudioEndpointBuilder - ok
13:51:31.0366 3848 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
13:51:31.0373 3848 Audiosrv - ok
13:51:31.0398 3848 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
13:51:31.0400 3848 Beep - ok
13:51:31.0513 3848 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll
13:51:31.0532 3848 BFE - ok
13:51:31.0683 3848 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\system32\qmgr.dll
13:51:31.0743 3848 BITS - ok
13:51:31.0763 3848 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
13:51:31.0765 3848 blbdrive - ok
13:51:31.0895 3848 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
13:51:31.0905 3848 Bonjour Service - ok
13:51:31.0970 3848 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
13:51:31.0973 3848 bowser - ok
13:51:32.0011 3848 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
13:51:32.0013 3848 BrFiltLo - ok
13:51:32.0030 3848 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
13:51:32.0032 3848 BrFiltUp - ok
13:51:32.0070 3848 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
13:51:32.0073 3848 Browser - ok
13:51:32.0100 3848 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
13:51:32.0103 3848 Brserid - ok
13:51:32.0124 3848 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
13:51:32.0127 3848 BrSerWdm - ok
13:51:32.0152 3848 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
13:51:32.0153 3848 BrUsbMdm - ok
13:51:32.0169 3848 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
13:51:32.0170 3848 BrUsbSer - ok
13:51:32.0190 3848 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
13:51:32.0192 3848 BTHMODEM - ok
13:51:32.0306 3848 catchme - ok
13:51:32.0353 3848 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
13:51:32.0356 3848 cdfs - ok
13:51:32.0400 3848 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
13:51:32.0404 3848 cdrom - ok
13:51:32.0480 3848 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
13:51:32.0483 3848 CertPropSvc - ok
13:51:32.0518 3848 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
13:51:32.0520 3848 circlass - ok
13:51:32.0594 3848 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
13:51:32.0601 3848 CLFS - ok
13:51:33.0022 3848 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:51:33.0026 3848 clr_optimization_v2.0.50727_32 - ok
13:51:33.0230 3848 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
13:51:33.0242 3848 clr_optimization_v4.0.30319_32 - ok
13:51:33.0292 3848 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
13:51:33.0294 3848 CmBatt - ok
13:51:33.0312 3848 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
13:51:33.0314 3848 cmdide - ok
13:51:33.0334 3848 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
13:51:33.0336 3848 Compbatt - ok
13:51:33.0348 3848 COMSysApp - ok
13:51:33.0458 3848 ConfigFree Service (c508b28b9da7563634a2a2b2eef4395d) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
13:51:33.0460 3848 ConfigFree Service - ok
13:51:33.0473 3848 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
13:51:33.0475 3848 crcdisk - ok
13:51:33.0499 3848 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
13:51:33.0501 3848 Crusoe - ok
13:51:33.0582 3848 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
13:51:33.0593 3848 CryptSvc - ok
13:51:33.0727 3848 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
13:51:33.0747 3848 DcomLaunch - ok
13:51:33.0797 3848 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
13:51:33.0801 3848 DfsC - ok
13:51:34.0272 3848 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
13:51:34.0344 3848 DFSR - ok
13:51:34.0697 3848 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
13:51:34.0770 3848 Dhcp - ok
13:51:34.0852 3848 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
13:51:34.0855 3848 disk - ok
13:51:34.0952 3848 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
13:51:34.0956 3848 Dnscache - ok
13:51:35.0018 3848 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
13:51:35.0027 3848 dot3svc - ok
13:51:35.0074 3848 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
13:51:35.0080 3848 DPS - ok
13:51:35.0137 3848 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
13:51:35.0139 3848 drmkaud - ok
13:51:35.0262 3848 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
13:51:35.0292 3848 DXGKrnl - ok
13:51:35.0321 3848 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
13:51:35.0335 3848 E1G60 - ok
13:51:35.0372 3848 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
13:51:35.0376 3848 EapHost - ok
13:51:35.0462 3848 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
13:51:35.0473 3848 Ecache - ok
13:51:35.0536 3848 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
13:51:35.0558 3848 ehRecvr - ok
13:51:35.0591 3848 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
13:51:35.0606 3848 ehSched - ok
13:51:35.0627 3848 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
13:51:35.0629 3848 ehstart - ok
13:51:35.0713 3848 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
13:51:35.0725 3848 elxstor - ok
13:51:35.0838 3848 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
13:51:35.0895 3848 EMDMgmt - ok
13:51:35.0935 3848 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
13:51:35.0937 3848 ErrDev - ok
13:51:36.0033 3848 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
13:51:36.0042 3848 EventSystem - ok
13:51:36.0256 3848 EvtEng (306ac856622864c761cbdb5e816bb9d8) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
13:51:36.0287 3848 EvtEng - ok
13:51:36.0372 3848 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
13:51:36.0385 3848 exfat - ok
13:51:36.0470 3848 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
13:51:36.0526 3848 fastfat - ok
13:51:36.0584 3848 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
13:51:36.0587 3848 fdc - ok
13:51:36.0629 3848 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
13:51:36.0632 3848 fdPHost - ok
13:51:36.0653 3848 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
13:51:36.0656 3848 FDResPub - ok
13:51:36.0707 3848 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
13:51:36.0710 3848 FileInfo - ok
13:51:36.0755 3848 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
13:51:36.0757 3848 Filetrace - ok
13:51:36.0767 3848 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
13:51:36.0769 3848 flpydisk - ok
13:51:36.0841 3848 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
13:51:36.0859 3848 FltMgr - ok
13:51:37.0076 3848 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
13:51:37.0130 3848 FontCache - ok
13:51:37.0213 3848 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
13:51:37.0215 3848 FontCache3.0.0.0 - ok
13:51:37.0270 3848 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
13:51:37.0272 3848 fssfltr - ok
13:51:37.0875 3848 fsssvc (4ce9dac1518ff7e77bd213e6394b9d77) C:\Program Files\Windows Live\Family Safety\fsssvc.exe
13:51:37.0971 3848 fsssvc - ok
13:51:38.0161 3848 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys
13:51:38.0162 3848 Fs_Rec - ok
13:51:38.0195 3848 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys
13:51:38.0196 3848 FwLnk - ok
13:51:38.0224 3848 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
13:51:38.0226 3848 gagp30kx - ok
13:51:38.0324 3848 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
13:51:38.0326 3848 GEARAspiWDM - ok
13:51:38.0460 3848 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
13:51:38.0524 3848 gpsvc - ok
13:51:38.0765 3848 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
13:51:38.0769 3848 gupdate - ok
13:51:38.0823 3848 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
13:51:38.0826 3848 gupdatem - ok
13:51:38.0884 3848 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
13:51:38.0894 3848 gusvc - ok
13:51:38.0959 3848 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
13:51:38.0975 3848 HdAudAddService - ok
13:51:39.0061 3848 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
13:51:39.0086 3848 HDAudBus - ok
13:51:39.0107 3848 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
13:51:39.0109 3848 HidBth - ok
13:51:39.0129 3848 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
13:51:39.0130 3848 HidIr - ok
13:51:39.0191 3848 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
13:51:39.0195 3848 hidserv - ok
13:51:39.0224 3848 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
13:51:39.0226 3848 HidUsb - ok
13:51:39.0264 3848 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
13:51:39.0270 3848 hkmsvc - ok
13:51:39.0313 3848 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
13:51:39.0315 3848 HpCISSs - ok
13:51:39.0408 3848 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
13:51:39.0425 3848 HTTP - ok
13:51:39.0440 3848 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
13:51:39.0442 3848 i2omp - ok
13:51:39.0498 3848 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
13:51:39.0500 3848 i8042prt - ok
13:51:39.0584 3848 iaStor (707c1692214b1c290271067197f075f6) C:\Windows\system32\DRIVERS\iaStor.sys
13:51:39.0589 3848 iaStor - ok
13:51:39.0637 3848 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
13:51:39.0646 3848 iaStorV - ok
13:51:39.0783 3848 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
13:51:39.0787 3848 IDriverT - ok
13:51:40.0004 3848 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
13:51:40.0098 3848 idsvc - ok
13:51:40.0440 3848 igfx (6fb1858d1f0923d122b0331865695041) C:\Windows\system32\DRIVERS\igdkmd32.sys
13:51:40.0535 3848 igfx - ok
13:51:40.0760 3848 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
13:51:40.0764 3848 iirsp - ok
13:51:40.0876 3848 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
13:51:40.0908 3848 IKEEXT - ok
13:51:41.0218 3848 IntcAzAudAddService (b9cbd3dea7ca02868621173bf7a2af9f) C:\Windows\system32\drivers\RTKVHDA.sys
13:51:41.0347 3848 IntcAzAudAddService - ok
13:51:41.0805 3848 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
13:51:41.0807 3848 intelide - ok
13:51:41.0875 3848 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
13:51:41.0877 3848 intelppm - ok
13:51:41.0909 3848 IO_Memory - ok
13:51:41.0947 3848 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
13:51:41.0953 3848 IPBusEnum - ok
13:51:41.0971 3848 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
13:51:41.0974 3848 IpFilterDriver - ok
13:51:42.0041 3848 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll
13:51:42.0059 3848 iphlpsvc - ok
13:51:42.0067 3848 IpInIp - ok
13:51:42.0095 3848 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
13:51:42.0098 3848 IPMIDRV - ok
13:51:42.0119 3848 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
13:51:42.0124 3848 IPNAT - ok
13:51:42.0306 3848 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
13:51:42.0372 3848 iPod Service - ok
13:51:42.0393 3848 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
13:51:42.0395 3848 IRENUM - ok
13:51:42.0423 3848 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
13:51:42.0426 3848 isapnp - ok
13:51:42.0491 3848 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
13:51:42.0511 3848 iScsiPrt - ok
13:51:42.0536 3848 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
13:51:42.0539 3848 iteatapi - ok
13:51:42.0565 3848 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
13:51:42.0567 3848 iteraid - ok
13:51:42.0596 3848 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
13:51:42.0598 3848 kbdclass - ok
13:51:42.0614 3848 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
13:51:42.0616 3848 kbdhid - ok
13:51:42.0645 3848 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
13:51:42.0649 3848 KeyIso - ok
13:51:42.0689 3848 KR10I (e8ca038f51f7761bd6e3a3b0b8014263) C:\Windows\system32\drivers\kr10i.sys
13:51:42.0705 3848 KR10I - ok
13:51:42.0750 3848 KR10N (6a4adb9186dd0e114e623daf57e42b31) C:\Windows\system32\drivers\kr10n.sys
13:51:42.0765 3848 KR10N - ok
13:51:42.0847 3848 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
13:51:42.0869 3848 KSecDD - ok
13:51:42.0946 3848 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
13:51:43.0010 3848 KtmRm - ok
13:51:43.0075 3848 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
13:51:43.0088 3848 LanmanServer - ok
13:51:43.0152 3848 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
13:51:43.0176 3848 LanmanWorkstation - ok
13:51:43.0219 3848 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
13:51:43.0221 3848 lltdio - ok
13:51:43.0276 3848 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
13:51:43.0295 3848 lltdsvc - ok
13:51:43.0316 3848 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
13:51:43.0320 3848 lmhosts - ok
13:51:43.0356 3848 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
13:51:43.0359 3848 LSI_FC - ok
13:51:43.0390 3848 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
13:51:43.0394 3848 LSI_SAS - ok
13:51:43.0430 3848 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
13:51:43.0444 3848 LSI_SCSI - ok
13:51:43.0473 3848 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
13:51:43.0477 3848 luafv - ok
13:51:43.0526 3848 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\Windows\system32\drivers\mbamswissarmy.sys
13:51:43.0528 3848 MBAMSwissArmy - ok
13:51:43.0562 3848 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
13:51:43.0568 3848 Mcx2Svc - ok
13:51:43.0606 3848 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
13:51:43.0608 3848 megasas - ok
13:51:43.0687 3848 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
13:51:43.0704 3848 MegaSR - ok
13:51:43.0731 3848 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
13:51:43.0736 3848 MMCSS - ok
13:51:43.0748 3848 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
13:51:43.0751 3848 Modem - ok
13:51:43.0771 3848 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
13:51:43.0774 3848 monitor - ok
13:51:43.0798 3848 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
13:51:43.0800 3848 mouclass - ok
13:51:43.0828 3848 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
13:51:43.0830 3848 mouhid - ok
13:51:43.0851 3848 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
13:51:43.0854 3848 MountMgr - ok
13:51:43.0900 3848 MpFilter (d993bea500e7382dc4e760bf4f35efcb) C:\Windows\system32\DRIVERS\MpFilter.sys
13:51:43.0911 3848 MpFilter - ok
13:51:43.0961 3848 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
13:51:43.0964 3848 mpio - ok
13:51:44.0223 3848 MpKsl630bf4b2 (a69630d039c38018689190234f866d77) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKsl630bf4b2.sys
13:51:44.0225 3848 MpKsl630bf4b2 - ok
13:51:44.0258 3848 MpKsl97a46d0f (a69630d039c38018689190234f866d77) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKsl97a46d0f.sys
13:51:44.0260 3848 Suspicious file (Forged): c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKsl97a46d0f.sys. Real md5: a69630d039c38018689190234f866d77, Fake md5: 4137ee420481d10734da3018d0325582
13:51:44.0260 3848 MpKsl97a46d0f ( ForgedFile.Multi.Generic ) - warning
13:51:44.0261 3848 MpKsl97a46d0f - detected ForgedFile.Multi.Generic (1)
13:51:44.0302 3848 MpKslf70edea3 (a69630d039c38018689190234f866d77) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{22AC0538-4A7E-4A94-A6FF-1986F9A5BCF1}\MpKslf70edea3.sys
13:51:44.0303 3848 MpKslf70edea3 - ok
13:51:44.0375 3848 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
13:51:44.0379 3848 mpsdrv - ok
13:51:44.0489 3848 MpsSvc (5de62c6e9108f14f6794060a9bdecaec) C:\Windows\system32\mpssvc.dll
13:51:44.0547 3848 MpsSvc - ok
13:51:44.0581 3848 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
13:51:44.0584 3848 Mraid35x - ok
13:51:44.0636 3848 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
13:51:44.0650 3848 MRxDAV - ok
13:51:44.0687 3848 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
13:51:44.0702 3848 mrxsmb - ok
13:51:44.0752 3848 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
13:51:44.0769 3848 mrxsmb10 - ok
13:51:44.0799 3848 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
13:51:44.0803 3848 mrxsmb20 - ok
13:51:44.0847 3848 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
13:51:44.0849 3848 msahci - ok
13:51:44.0879 3848 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
13:51:44.0882 3848 msdsm - ok
13:51:44.0949 3848 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
13:51:44.0957 3848 MSDTC - ok
13:51:45.0044 3848 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
13:51:45.0046 3848 Msfs - ok
13:51:45.0091 3848 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
13:51:45.0093 3848 msisadrv - ok
13:51:45.0140 3848 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
13:51:45.0153 3848 MSiSCSI - ok
13:51:45.0165 3848 msiserver - ok
13:51:45.0210 3848 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
13:51:45.0212 3848 MSKSSRV - ok
13:51:45.0276 3848 MsMpSvc (24516bf4e12a46cb67302e2cdcb8cddf) c:\Program Files\Microsoft Security Client\MsMpEng.exe
13:51:45.0278 3848 MsMpSvc - ok
13:51:45.0293 3848 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
13:51:45.0295 3848 MSPCLOCK - ok
13:51:45.0318 3848 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
13:51:45.0321 3848 MSPQM - ok
13:51:45.0385 3848 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
13:51:45.0391 3848 MsRPC - ok
13:51:45.0430 3848 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
13:51:45.0432 3848 mssmbios - ok
13:51:45.0445 3848 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
13:51:45.0447 3848 MSTEE - ok
13:51:45.0464 3848 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
13:51:45.0467 3848 Mup - ok
13:51:45.0557 3848 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
13:51:45.0612 3848 napagent - ok
13:51:45.0698 3848 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
13:51:45.0708 3848 NativeWifiP - ok
13:51:45.0830 3848 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
13:51:45.0856 3848 NDIS - ok
13:51:45.0879 3848 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
13:51:45.0881 3848 NdisTapi - ok
13:51:45.0895 3848 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
13:51:45.0899 3848 Ndisuio - ok
13:51:45.0927 3848 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
13:51:45.0931 3848 NdisWan - ok
13:51:45.0960 3848 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
13:51:45.0963 3848 NDProxy - ok
13:51:45.0986 3848 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
13:51:45.0988 3848 NetBIOS - ok
13:51:46.0062 3848 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
13:51:46.0092 3848 netbt - ok
13:51:46.0127 3848 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
13:51:46.0131 3848 Netlogon - ok
13:51:46.0259 3848 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
13:51:46.0270 3848 Netman - ok
13:51:46.0338 3848 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
13:51:46.0353 3848 netprofm - ok
13:51:46.0440 3848 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
13:51:46.0452 3848 NetTcpPortSharing - ok
13:51:47.0527 3848 NETw5v32 (e559ea9138c77b5d1fda8c558764a25f) C:\Windows\system32\DRIVERS\NETw5v32.sys
13:51:47.0664 3848 NETw5v32 - ok
13:51:48.0177 3848 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
13:51:48.0180 3848 nfrd960 - ok
13:51:48.0252 3848 NisDrv (b52f26bade7d7e4a79706e3fd91834cd) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
13:51:48.0256 3848 NisDrv - ok
13:51:48.0342 3848 NisSrv (290c0d4c4889398797f8df3be00b9698) c:\Program Files\Microsoft Security Client\NisSrv.exe
13:51:48.0359 3848 NisSrv - ok
13:51:48.0415 3848 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
13:51:48.0436 3848 NlaSvc - ok
13:51:48.0495 3848 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
13:51:48.0497 3848 Npfs - ok
13:51:48.0525 3848 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
13:51:48.0531 3848 nsi - ok
13:51:48.0547 3848 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
13:51:48.0549 3848 nsiproxy - ok
13:51:48.0783 3848 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
13:51:48.0837 3848 Ntfs - ok
13:51:48.0871 3848 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
13:51:48.0873 3848 ntrigdigi - ok
13:51:48.0924 3848 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
13:51:48.0925 3848 NuidFltr - ok
13:51:48.0944 3848 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
13:51:48.0945 3848 Null - ok
13:51:48.0983 3848 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
13:51:48.0997 3848 nvraid - ok
13:51:49.0019 3848 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
13:51:49.0021 3848 nvstor - ok
13:51:49.0050 3848 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
13:51:49.0054 3848 nv_agp - ok
13:51:49.0062 3848 NwlnkFlt - ok
13:51:49.0075 3848 NwlnkFwd - ok
13:51:49.0223 3848 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
13:51:49.0268 3848 odserv - ok
13:51:49.0319 3848 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
13:51:49.0322 3848 ohci1394 - ok
13:51:49.0373 3848 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:51:49.0383 3848 ose - ok
13:51:49.0511 3848 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
13:51:49.0552 3848 p2pimsvc - ok
13:51:49.0570 3848 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
13:51:49.0585 3848 p2psvc - ok
13:51:49.0637 3848 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
13:51:49.0640 3848 Parport - ok
13:51:49.0685 3848 partmgr (b9c2b89f08670e159f7181891e449cd9) C:\Windows\system32\drivers\partmgr.sys
13:51:49.0688 3848 partmgr - ok
13:51:49.0741 3848 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
13:51:49.0743 3848 Parvdm - ok
13:51:49.0760 3848 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
13:51:49.0767 3848 PcaSvc - ok
13:51:49.0809 3848 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
13:51:49.0819 3848 pci - ok
13:51:49.0841 3848 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\DRIVERS\pciide.sys
13:51:49.0842 3848 pciide - ok
13:51:49.0883 3848 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
13:51:49.0893 3848 pcmcia - ok
13:51:50.0043 3848 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
13:51:50.0102 3848 PEAUTH - ok
13:51:50.0202 3848 pgsql-8.3 (4e87ef38a053f02e454935c8440ec91a) C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
13:51:50.0205 3848 pgsql-8.3 - ok
13:51:50.0478 3848 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
13:51:50.0554 3848 pla - ok
13:51:50.0847 3848 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
13:51:50.0859 3848 PlugPlay - ok
13:51:50.0979 3848 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
13:51:50.0994 3848 PNRPAutoReg - ok
13:51:51.0017 3848 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
13:51:51.0032 3848 PNRPsvc - ok
13:51:51.0165 3848 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
13:51:51.0178 3848 PolicyAgent - ok
13:51:51.0276 3848 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
13:51:51.0279 3848 PptpMiniport - ok
13:51:51.0302 3848 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
13:51:51.0305 3848 Processor - ok
13:51:51.0381 3848 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
13:51:51.0403 3848 ProfSvc - ok
13:51:51.0434 3848 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
13:51:51.0438 3848 ProtectedStorage - ok
13:51:51.0505 3848 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
13:51:51.0508 3848 PSched - ok
13:51:51.0587 3848 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
13:51:51.0590 3848 PxHelp20 - ok
13:51:51.0757 3848 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
13:51:51.0804 3848 ql2300 - ok
13:51:51.0847 3848 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
13:51:51.0852 3848 ql40xx - ok
13:51:51.0937 3848 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
13:51:51.0985 3848 QWAVE - ok
13:51:52.0007 3848 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
13:51:52.0009 3848 QWAVEdrv - ok
13:51:52.0033 3848 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
13:51:52.0035 3848 RasAcd - ok
13:51:52.0063 3848 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
13:51:52.0078 3848 RasAuto - ok
13:51:52.0099 3848 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
13:51:52.0103 3848 Rasl2tp - ok
13:51:52.0184 3848 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
13:51:52.0209 3848 RasMan - ok
13:51:52.0257 3848 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
13:51:52.0260 3848 RasPppoe - ok
13:51:52.0319 3848 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
13:51:52.0322 3848 RasSstp - ok
13:51:52.0418 3848 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
13:51:52.0468 3848 rdbss - ok
13:51:52.0482 3848 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
13:51:52.0484 3848 RDPCDD - ok
13:51:52.0542 3848 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
13:51:52.0555 3848 rdpdr - ok
13:51:52.0564 3848 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
13:51:52.0566 3848 RDPENCDD - ok
13:51:52.0654 3848 RDPWD (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
13:51:52.0706 3848 RDPWD - ok
13:51:52.0861 3848 RegSrvc (b33c88df3588acf250b87a004526c31a) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
13:51:52.0901 3848 RegSrvc - ok
13:51:52.0947 3848 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
13:51:52.0953 3848 RemoteAccess - ok
13:51:53.0012 3848 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
13:51:53.0020 3848 RemoteRegistry - ok
13:51:53.0071 3848 rimmptsk (c2ef513bbe069f0d4ee0938a76f975d3) C:\Windows\system32\DRIVERS\rimmptsk.sys
13:51:53.0074 3848 rimmptsk - ok
13:51:53.0123 3848 rimsptsk (c398bca91216755b098679a8da8a2300) C:\Windows\system32\DRIVERS\rimsptsk.sys
13:51:53.0125 3848 rimsptsk - ok
13:51:53.0149 3848 rismxdp (2a2554cb24506e0a0508fc395c4a1b42) C:\Windows\system32\DRIVERS\rixdptsk.sys
13:51:53.0152 3848 rismxdp - ok
13:51:53.0187 3848 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
13:51:53.0191 3848 RpcLocator - ok
13:51:53.0314 3848 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
13:51:53.0328 3848 RpcSs - ok
13:51:53.0368 3848 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
13:51:53.0371 3848 rspndr - ok
13:51:53.0448 3848 RTL8169 (2d19a7469ea19993d0c12e627f4530bc) C:\Windows\system32\DRIVERS\Rtlh86.sys
13:51:53.0499 3848 RTL8169 - ok
13:51:53.0537 3848 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
13:51:53.0541 3848 SamSs - ok
13:51:53.0581 3848 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
13:51:53.0584 3848 sbp2port - ok
13:51:53.0669 3848 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
13:51:53.0683 3848 SCardSvr - ok
13:51:53.0838 3848 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
13:51:53.0859 3848 Schedule - ok
13:51:53.0910 3848 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
13:51:53.0911 3848 SCPolicySvc - ok
13:51:53.0968 3848 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
13:51:53.0972 3848 sdbus - ok
13:51:54.0006 3848 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
13:51:54.0022 3848 SDRSVC - ok
13:51:54.0045 3848 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
13:51:54.0051 3848 seclogon - ok
13:51:54.0080 3848 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
13:51:54.0087 3848 SENS - ok
13:51:54.0120 3848 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
13:51:54.0122 3848 Serenum - ok
13:51:54.0161 3848 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
13:51:54.0164 3848 Serial - ok
13:51:54.0201 3848 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
13:51:54.0203 3848 sermouse - ok
13:51:54.0252 3848 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
13:51:54.0260 3848 SessionEnv - ok
13:51:54.0286 3848 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
13:51:54.0288 3848 sffdisk - ok
13:51:54.0303 3848 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
13:51:54.0305 3848 sffp_mmc - ok
13:51:54.0331 3848 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
13:51:54.0333 3848 sffp_sd - ok
13:51:54.0342 3848 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
13:51:54.0344 3848 sfloppy - ok
13:51:54.0579 3848 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
13:51:54.0611 3848 SharedAccess - ok
13:51:54.0687 3848 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
13:51:54.0699 3848 ShellHWDetection - ok
13:51:54.0735 3848 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
13:51:54.0738 3848 sisagp - ok
13:51:54.0759 3848 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
13:51:54.0762 3848 SiSRaid2 - ok
13:51:54.0801 3848 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
13:51:54.0804 3848 SiSRaid4 - ok
13:51:55.0303 3848 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
13:51:55.0386 3848 slsvc - ok
13:51:55.0802 3848 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
13:51:55.0819 3848 SLUINotify - ok
13:51:55.0890 3848 SmartFaceVWatchSrv (3566310df25ea5c3b2e9f50f5b50eac1) C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
13:51:55.0893 3848 SmartFaceVWatchSrv - ok
13:51:55.0986 3848 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
13:51:55.0990 3848 Smb - ok
13:51:56.0037 3848 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
13:51:56.0043 3848 SNMPTRAP - ok
13:51:56.0072 3848 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
13:51:56.0075 3848 spldr - ok
13:51:56.0136 3848 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
13:51:56.0169 3848 Spooler - ok
13:51:56.0259 3848 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
13:51:56.0280 3848 srv - ok
13:51:56.0327 3848 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
13:51:56.0339 3848 srv2 - ok
13:51:56.0361 3848 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
13:51:56.0365 3848 srvnet - ok
13:51:56.0395 3848 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
13:51:56.0405 3848 SSDPSRV - ok
13:51:56.0465 3848 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
13:51:56.0479 3848 SstpSvc - ok
13:51:56.0578 3848 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
13:51:56.0594 3848 stisvc - ok
13:51:56.0669 3848 SVRPEDRV (3e4239b92139f7174a0da7d53fe5e1ab) C:\Windows\System32\sysprep\PEDrv.sys
13:51:56.0670 3848 SVRPEDRV - ok
13:51:56.0702 3848 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
13:51:56.0704 3848 swenum - ok
13:51:56.0762 3848 swmsflt (e6c797b33a454840245c0c96e7f08b0a) C:\Windows\System32\drivers\swmsflt.sys
13:51:56.0764 3848 swmsflt - ok
13:51:56.0885 3848 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
13:51:56.0916 3848 swprv - ok
13:51:56.0957 3848 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
13:51:56.0960 3848 Symc8xx - ok
13:51:56.0991 3848 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
13:51:56.0993 3848 Sym_hi - ok
13:51:57.0033 3848 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
13:51:57.0036 3848 Sym_u3 - ok
13:51:57.0111 3848 SynTP (70534d1e4f9ac990536d5fb5b550b3de) C:\Windows\system32\DRIVERS\SynTP.sys
13:51:57.0127 3848 SynTP - ok
13:51:57.0234 3848 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
13:51:57.0299 3848 SysMain - ok
13:51:57.0348 3848 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
13:51:57.0365 3848 TabletInputService - ok
13:51:57.0449 3848 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
13:51:57.0460 3848 TapiSrv - ok
13:51:57.0480 3848 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
13:51:57.0488 3848 TBS - ok
13:51:57.0637 3848 Tcpip (ee7e10bed85c312c1d5d30c435bdda9f) C:\Windows\system32\drivers\tcpip.sys
13:51:57.0684 3848 Tcpip - ok
13:51:57.0711 3848 Tcpip6 (ee7e10bed85c312c1d5d30c435bdda9f) C:\Windows\system32\DRIVERS\tcpip.sys
13:51:57.0726 3848 Tcpip6 - ok
13:51:57.0768 3848 tcpipreg (2c2d4cff5e09c73908f9b5af49a51365) C:\Windows\system32\drivers\tcpipreg.sys
13:51:57.0770 3848 tcpipreg - ok
13:51:57.0849 3848 tdcmdpst (6fdfba25002ce4bac463ac866ae71405) C:\Windows\system32\DRIVERS\tdcmdpst.sys
13:51:57.0851 3848 tdcmdpst - ok
13:51:57.0887 3848 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
13:51:57.0889 3848 TDPIPE - ok
13:51:57.0913 3848 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
13:51:57.0916 3848 TDTCP - ok
13:51:57.0980 3848 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
13:51:57.0984 3848 tdx - ok
13:51:58.0018 3848 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
13:51:58.0021 3848 TermDD - ok
13:51:58.0114 3848 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
13:51:58.0145 3848 TermService - ok
13:51:58.0225 3848 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
13:51:58.0235 3848 Themes - ok
13:51:58.0273 3848 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
13:51:58.0278 3848 THREADORDER - ok
13:51:58.0415 3848 TMachInfo (e09caafb2b323a6ff120cefb96da0a44) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
13:51:58.0417 3848 TMachInfo - ok
13:51:58.0472 3848 TNaviSrv (89f74c86523f5e334628dbce66e6d165) C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
13:51:58.0488 3848 TNaviSrv - ok
13:51:58.0533 3848 TODDSrv (c5ac715b65b01788abc22d10749dddd8) C:\Windows\system32\TODDSrv.exe
13:51:58.0546 3848 TODDSrv - ok
13:51:58.0663 3848 TosCoSrv (44dbac611b11646683b5b066a049b8e4) C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
13:51:58.0676 3848 TosCoSrv - ok
13:51:58.0711 3848 TOSHIBA SMART Log Service (22690dffc7f2a18279a7a0489aa02bac) C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
13:51:58.0714 3848 TOSHIBA SMART Log Service - ok
13:51:58.0771 3848 Tosrfcom - ok
13:51:58.0821 3848 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\Windows\system32\DRIVERS\tosrfec.sys
13:51:58.0823 3848 tosrfec - ok
13:51:58.0885 3848 tos_sps32 (4399a9bf7d8f49991a07fd86590a1619) C:\Windows\system32\DRIVERS\tos_sps32.sys
13:51:58.0907 3848 tos_sps32 - ok
13:51:58.0946 3848 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
13:51:58.0960 3848 TrkWks - ok
13:51:59.0036 3848 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
13:51:59.0038 3848 TrustedInstaller - ok
13:51:59.0068 3848 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
13:51:59.0071 3848 tssecsrv - ok
13:51:59.0104 3848 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
13:51:59.0106 3848 tunmp - ok
13:51:59.0135 3848 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
13:51:59.0137 3848 tunnel - ok
13:51:59.0183 3848 TVALZ (792a8b80f8188aba4b2be271583f3e46) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
13:51:59.0185 3848 TVALZ - ok
13:51:59.0228 3848 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
13:51:59.0231 3848 uagp35 - ok
13:51:59.0298 3848 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
13:51:59.0315 3848 udfs - ok
13:51:59.0362 3848 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
13:51:59.0369 3848 UI0Detect - ok
13:51:59.0477 3848 UleadBurningHelper (332d341d92b933600d41953b08360dfb) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
13:51:59.0480 3848 UleadBurningHelper - ok
13:51:59.0539 3848 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
13:51:59.0543 3848 uliagpkx - ok
13:51:59.0588 3848 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
13:51:59.0603 3848 uliahci - ok
13:51:59.0636 3848 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
13:51:59.0640 3848 UlSata - ok
13:51:59.0676 3848 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
13:51:59.0690 3848 ulsata2 - ok
13:51:59.0722 3848 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
13:51:59.0724 3848 umbus - ok
13:51:59.0795 3848 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
13:51:59.0807 3848 upnphost - ok
13:51:59.0862 3848 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\Windows\system32\Drivers\usbaapl.sys
13:51:59.0864 3848 USBAAPL - ok
13:51:59.0908 3848 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
13:51:59.0911 3848 usbccgp - ok
13:51:59.0946 3848 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
13:51:59.0951 3848 usbcir - ok
13:52:00.0004 3848 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
13:52:00.0007 3848 usbehci - ok
13:52:00.0058 3848 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
13:52:00.0075 3848 usbhub - ok
13:52:00.0101 3848 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
13:52:00.0103 3848 usbohci - ok
13:52:00.0126 3848 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
13:52:00.0128 3848 usbprint - ok
13:52:00.0168 3848 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
13:52:00.0171 3848 USBSTOR - ok
13:52:00.0197 3848 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
13:52:00.0199 3848 usbuhci - ok
13:52:00.0255 3848 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
13:52:00.0260 3848 usbvideo - ok
13:52:00.0298 3848 UVCFTR (237c444fbd1c697a2e3fa60f02c61f22) C:\Windows\system32\Drivers\UVCFTR_S.SYS
13:52:00.0300 3848 UVCFTR - ok
13:52:00.0351 3848 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
13:52:00.0358 3848 UxSms - ok
13:52:00.0473 3848 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
13:52:00.0515 3848 vds - ok
13:52:00.0530 3848 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
13:52:00.0533 3848 vga - ok
13:52:00.0556 3848 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
13:52:00.0559 3848 VgaSave - ok
13:52:00.0583 3848 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
13:52:00.0586 3848 viaagp - ok
13:52:00.0613 3848 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
13:52:00.0616 3848 ViaC7 - ok
13:52:00.0644 3848 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
13:52:00.0646 3848 viaide - ok
13:52:00.0673 3848 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
13:52:00.0678 3848 volmgr - ok
13:52:00.0937 3848 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
13:52:00.0947 3848 volmgrx - ok
13:52:01.0009 3848 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
13:52:01.0029 3848 volsnap - ok
13:52:01.0083 3848 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
13:52:01.0094 3848 vsmraid - ok
13:52:01.0273 3848 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
13:52:01.0343 3848 VSS - ok
13:52:01.0437 3848 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
13:52:01.0449 3848 W32Time - ok
13:52:01.0508 3848 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
13:52:01.0510 3848 WacomPen - ok
13:52:01.0535 3848 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
13:52:01.0539 3848 Wanarp - ok
13:52:01.0546 3848 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
13:52:01.0548 3848 Wanarpv6 - ok
13:52:01.0608 3848 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
13:52:01.0636 3848 wcncsvc - ok
13:52:01.0669 3848 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
13:52:01.0677 3848 WcsPlugInService - ok
13:52:01.0696 3848 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
13:52:01.0698 3848 Wd - ok
13:52:01.0777 3848 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
13:52:01.0816 3848 Wdf01000 - ok
13:52:01.0842 3848 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
13:52:01.0861 3848 WdiServiceHost - ok
13:52:01.0868 3848 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
13:52:01.0879 3848 WdiSystemHost - ok
13:52:01.0948 3848 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
13:52:01.0965 3848 WebClient - ok
13:52:02.0036 3848 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
13:52:02.0059 3848 Wecsvc - ok
13:52:02.0087 3848 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
13:52:02.0104 3848 wercplsupport - ok
13:52:02.0175 3848 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
13:52:02.0186 3848 WerSvc - ok
13:52:02.0288 3848 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
13:52:02.0297 3848 WinDefend - ok
13:52:02.0312 3848 WinHttpAutoProxySvc - ok
13:52:02.0741 3848 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
13:52:02.0816 3848 Winmgmt - ok
13:52:03.0001 3848 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
13:52:03.0059 3848 WinRM - ok
13:52:03.0168 3848 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
13:52:03.0210 3848 Wlansvc - ok
13:52:03.0548 3848 wlcrasvc (6067acef367e79914af628fa1e9b5330) C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
13:52:03.0551 3848 wlcrasvc - ok
13:52:03.0835 3848 wlidsvc (0a70f4022ec2e14c159efc4f69aa2477) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
13:52:03.0895 3848 wlidsvc - ok
13:52:04.0309 3848 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
13:52:04.0311 3848 WmiAcpi - ok
13:52:04.0560 3848 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
13:52:04.0626 3848 wmiApSrv - ok
13:52:04.0801 3848 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
13:52:04.0828 3848 WMPNetworkSvc - ok
13:52:04.0893 3848 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
13:52:04.0915 3848 WPCSvc - ok
13:52:04.0950 3848 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
13:52:04.0968 3848 WPDBusEnum - ok
13:52:05.0025 3848 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
13:52:05.0028 3848 WpdUsb - ok
13:52:05.0747 3848 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
13:52:05.0791 3848 WPFFontCache_v0400 - ok
13:52:05.0825 3848 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
13:52:05.0827 3848 ws2ifsl - ok
13:52:05.0880 3848 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
13:52:05.0898 3848 wscsvc - ok
13:52:05.0906 3848 WSearch - ok
13:52:06.0331 3848 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
13:52:06.0414 3848 wuauserv - ok
13:52:06.0973 3848 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
13:52:07.0022 3848 WUDFRd - ok
13:52:07.0065 3848 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
13:52:07.0073 3848 wudfsvc - ok
13:52:07.0107 3848 MBR (0x1B8) (5b5e648d12fcadc244c1ec30318e1eb9) \Device\Harddisk0\DR0
13:52:07.0955 3848 \Device\Harddisk0\DR0 - ok
13:52:07.0977 3848 Boot (0x1200) (8746054a7862a20a008d53010bc55148) \Device\Harddisk0\DR0\Partition0
13:52:07.0981 3848 \Device\Harddisk0\DR0\Partition0 - ok
13:52:07.0982 3848 ============================================================
13:52:07.0982 3848 Scan finished
13:52:07.0982 3848 ============================================================
13:52:08.0012 4256 Detected object count: 1
13:52:08.0012 4256 Actual detected object count: 1
13:52:15.0113 4256 MpKsl97a46d0f ( ForgedFile.Multi.Generic ) - skipped by user
13:52:15.0113 4256 MpKsl97a46d0f ( ForgedFile.Multi.Generic ) - User select action: Skip



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-31 13:04:14
-----------------------------
13:04:14.688 OS Version: Windows 6.0.6002 Service Pack 2
13:04:14.688 Number of processors: 2 586 0xF0D
13:04:14.690 ComputerName: CGROSKIE-PC UserName: CGroskie
13:04:20.240 Initialize success
13:04:23.221 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:04:23.226 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
13:04:23.274 Disk 0 MBR read successfully
13:04:23.280 Disk 0 MBR scan
13:04:23.286 Disk 0 Windows VISTA default MBR code
13:04:23.311 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
13:04:23.373 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 236974 MB offset 3074048
13:04:23.406 Disk 0 scanning sectors +488396800
13:04:23.518 Disk 0 scanning C:\Windows\system32\drivers
13:04:37.739 Service scanning
13:05:19.099 Modules scanning
13:06:01.322 Disk 0 trace - called modules:
13:06:01.380 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
13:06:01.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x874cd680]
13:06:01.764 3 CLASSPNP.SYS[8b31b8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8640f028]
13:06:01.777 Scan finished successfully
13:07:19.116 Disk 0 MBR has been saved successfully to "C:\Users\CGroskie\Desktop\Logs\MBR.dat"
13:07:19.283 The log file has been saved successfully to "C:\Users\CGroskie\Desktop\Logs\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 01 June 2012 - 02:54 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files\Ask.com

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 03 June 2012 - 10:13 PM

ComboFix 12-06-03.05 - CGroskie 06/03/2012 20:36:08.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1345 [GMT -6:00]
Running from: c:\users\CGroskie\Downloads\ComboFix.exe
Command switches used :: c:\users\CGroskie\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_ba3a.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\precache.exe
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\Updater\config.xml
c:\program files\Ask.com\Updater\Updater.exe
c:\program files\Ask.com\UpdateTask.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-04 to 2012-06-04 )))))))))))))))))))))))))))))))
.
.
2012-06-04 02:43 . 2012-06-04 02:44 -------- d-----w- c:\users\CGroskie\AppData\Local\temp
2012-06-04 02:43 . 2012-06-04 02:43 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-06-04 02:43 . 2012-06-04 02:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-31 19:09 . 2012-05-08 15:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7D323476-5D44-4C61-9AFA-38CC4570B6F2}\mpengine.dll
2012-05-30 02:11 . 2012-05-30 02:11 100864 ----a-w- C:\fwlyrkog.sys
2012-05-30 02:11 . 2012-05-08 15:40 6737808 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-25 04:54 . 2012-05-25 04:54 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABB28E83-C63C-4EB2-A709-34A11B655A7C}\offreg.dll
2012-05-25 04:44 . 2012-05-25 04:44 -------- d-----w- c:\programdata\boost_interprocess
2012-05-25 04:37 . 2012-05-25 04:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-25 04:18 . 2012-05-25 04:18 -------- d-----w- c:\users\CGroskie\AppData\Local\Ilivid Player
2012-05-25 03:24 . 2012-05-25 03:24 -------- d-----w- c:\users\CGroskie\AppData\Roaming\vlc
2012-05-23 20:04 . 2012-05-23 20:04 -------- d-----w- c:\users\CGroskie\AppData\Roaming\StreamTorrent
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-21 21:18 . 2012-05-21 21:18 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-05-21 21:17 . 2012-05-21 21:18 -------- d-----w- c:\program files\QuickTime
2012-05-21 19:19 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-21 19:19 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-21 19:19 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-21 19:24 . 2012-03-28 22:42 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-21 19:24 . 2011-12-27 19:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 02:56 . 2012-04-19 02:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 02:56 . 2012-04-19 02:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 21:56 . 2010-08-09 21:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-28 23:09 . 2012-03-28 23:09 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8B108CFA-578F-4D90-8B68-CFB2D4CA6E9B}\gapaengine.dll
2012-03-28 22:51 . 2011-04-20 00:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 02:44 . 2011-04-27 21:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 02:44 . 2011-04-18 19:18 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-14 02:15 . 2012-03-28 07:20 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABB28E83-C63C-4EB2-A709-34A11B655A7C}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-25 01:21 1299248 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-25 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"Spotify Web Helper"="c:\users\CGroskie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-04-17 932528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 257696]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 19:24]
.
2012-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 09:08]
.
2012-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 09:08]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1235594767-156515733-2245494932-1000Core.job
- c:\users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-30 05:24]
.
2012-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1235594767-156515733-2245494932-1000UA.job
- c:\users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-30 05:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://home.sweetim.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-03 20:44
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????m5uk????h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-06-03 20:53:12
ComboFix-quarantined-files.txt 2012-06-04 02:53
ComboFix2.txt 2012-05-30 06:04
.
Pre-Run: 134,638,710,784 bytes free
Post-Run: 134,256,320,512 bytes free
.
- - End Of File - - BD89FBE1ADB13C943665BDD1B5909742

Didn't have much problem, had to restart once because my date and time was off on my comp and had to update it. Haven't seen any signs of the redirect or other problems I was having. So theses scans seemed to have worked. Should I turn my Firewall and Windows Security back on now? Let me know what's next and again thank you.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 04 June 2012 - 10:34 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 04 June 2012 - 10:44 PM

Here you go. I have been noticing my search time being a little longer then before, and for some reason my clock won't stay set on internet time.


Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
D3DX10
DVD MovieFactory for TOSHIBA
File Type Assistant
Google Chrome
Google Update Helper
Heroes of Might & Magic V: Hammers of Fate
Heroes of Might and Magic
Heroes of Might and Magic 2
Heroes of Might and Magic 3 Complete
Heroes of Might and Magic 4
Heroes of Might and Magic V
Heroes of Might and Magic V - Tribes of the East
Holdem Manager
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iCloud
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Software
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 31
Java™ 6 Update 6
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft XML Parser
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Picasa 3
PokerStars
PostgreSQL 8.3
QuickBooks Financial Center
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Segoe UI
Skype™ 5.0
Sportsbook.ag
Spotify
SweetIM for Messenger 3.6
SweetIM Toolbar for Internet Explorer 4.2
Synaptics Pointing Device Driver
TOSHIBA Application Disc Creator
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Desktop Links
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA PowerCinema Helper
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VZAccess Manager for Sierra Wireless
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 04 June 2012 - 11:58 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Adobe Reader 8.1.3
Ask Toolbar
Java™ 6 Update 31
Java™ 6 Update 6
PokerStars
SweetIM for Messenger 3.6
SweetIM Toolbar for Internet Explorer 4.2
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 05 June 2012 - 02:53 AM

Hi, I think I did this all right. However on the MBAM scan the 2nd to last step- "Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected." never showed up. Here are the logs you requested, let me know if I need to run them again. After these scans the search time seems to be back to normal and I am about to adjust the clock right now hopefully that will work.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.05.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
CGroskie :: CGROSKIE-PC [administrator]

6/4/2012 2:52:54 PM
mbam-log-2012-06-04 (14-52-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224614
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:09:17 PM, on 6/4/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\CGroskie\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Safari\Apple Application Support\WebKit2WebProcess.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\CGroskie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [Google Update] "C:\Users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'postgres')
O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User 'postgres')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10690 bytes

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 05 June 2012 - 07:53 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
      O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
      O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
      O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
      O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\CGroskie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKCU\..\Run: [Google Update] "C:\Users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe" /c
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [Google Update] "C:\Users\CGroskie\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'postgres')
      O4 - HKUS\S-1-5-21-1235594767-156515733-2245494932-1001\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User 'postgres')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 05 June 2012 - 05:57 PM

ESET Scan took a very long time, here is the results. Hope I did it right.


C:\Users\CGroskie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v501547F3\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe probably a variant of Win32/Agent.HTWFFQY trojan
C:\Users\CGroskie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v501547F3\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe probably a variant of Win32/Agent.JPLTNQZ trojan
C:\Users\CGroskie\Downloads\FLVPlayerSetup (1).exe a variant of Win32/InstallCore.W application
C:\Users\CGroskie\Downloads\FLVPlayerSetup.exe a variant of Win32/InstallCore.W application

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:12 AM

Posted 05 June 2012 - 08:50 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Users\CGroskie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v501547F3\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe"
    del /f /s /q "C:\Users\CGroskie\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v501547F3\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe"
    del /f /s /q "C:\Users\CGroskie\Downloads\FLVPlayerSetup (1).exe"
    del /f /s /q "C:\Users\CGroskie\Downloads\FLVPlayerSetup.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Dangbro

Dangbro
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 05 June 2012 - 10:29 PM

Alright, everything seems to be looking good. I ended up keeping Revo,CCleaner, and MBAM. The only other problem I am having which is pretty minor is I can't get my clock to sync up with internet time and stay that way. Not sure if you can help me with that, and if not no biggie you have done plenty, and I thank you. I will try to send over a donation within the next week.

Thanks again
Take care,
Nick




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users