
Lingering SMARTCheck infection


  • This topic is locked
19 replies to this topic

#1 Ivan Blimisie

  • Members
  • 10 posts

Posted 30 May 2012 - 09:59 PM

Hi,

I got infected by the S.M.A.R.T.Check virus about a week ago. I thought I cleaned it out by finding the rogue apps and shutting them all down and removing them, then I ran unhide to get all my folders and desktop back, but it seems there's something that I can't find no matter how hard I search. I no longer get all the scare tactic pop ups but I'm still getting a few indications that I'm still infected somehow.

One thing I keep seeing is a dialog box that appears under all my open windows that has a big yellow exclamation point with a title bar that reads "Message from webpage" and the following warning:

Viruses were found on your computer.
You need to clean your computer to prevent the system crash.

I know this is just a piece of crap and that my system is safe from crashing.

Another thing that happens now is that I get redirected when using google searches in IE8 and I also get some strange additional scripts that the No Script plugin blocks whenever I try to go to the Microsoft website using Firefox. It's kind of like there's a bogus script that's keeping the Microsoft site from loading unless I allow it to run, which I don't!

The last thing that I can see is an item in my IE8 browsing history for a site called bluecava.com, even though I've never heard of it and never been nor gone there. It seems to be running a script called Complete.aspx.

What I'd really like to do is start from scratch with a totally fresh reinstall of my OS but I can't get my optical drive to read any disc I put into it. The drive letter shows up in my explorer, the tray opens and closes, but the drive never spools up. It also won't boot to that drive and if I try to access a directory in the command window nothing shows up.


I've read through the preparations for removal and followed all the steps before posting. I ran the DeFogger to shut off any CD emulations. Then I ran the DDS script and when I did my Windows Media Player opened right away with hcp_asx in the now playing window. Here's the log from that:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Wombat at 15:21:52 on 2012-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.435 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://srythshangar.lasthome.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nForce Tray Options] sstray.exe /r
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - d:\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{2DEF03DB-5D67-4642-87C5-450F38BAAE00} : NameServer = 68.94.156.1,68.94.157.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wombat\application data\mozilla\firefox\profiles\blqyob9a.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 129976]
.
=============== Created Last 30 ================
.
2012-05-29 21:15:35 183817 ----a-w- c:\windows\Addictive Pitts Uninstaller.exe
2012-05-25 17:59:02 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-25 17:59:02 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-22 23:22:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 23:22:50 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-05-22 22:15:41 123392 ----a-w- c:\windows\system32\fastsrch.dll
2012-05-21 23:22:57 -------- d-sh--w- c:\documents and settings\wombat\IECompatCache
2012-05-03 19:15:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-03 19:15:04 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-03 19:15:04 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M ====================
.
2012-05-22 23:22:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 15:27:53.79 ===============


Next I ran the GMER scan. It popped up an error message before running that said this:

LoadDriver("C:\DOCUME~1\Wombat\LOCALS~1\Temp\fxtyqaob.sys") error 0xC000010E: cannot create a stable subkey under a volatile parent key.

Also, the following checkboxes were all grayed out and I was not able to check them before running the scan:

System
Sections
Devices
Modules
Processes
Threads
Libraries

Not sure why I got the error message or why all those items were grayed out, but I ran the scan anyway.

Like I said, I'd really just like to get my system cleaned out so my DVD drive works so I can do a full reinstall of Windows. Any help is greatly appreciated.
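The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first. As an added example (not code from the thread or from the DDS tool), the Python below applies three triage heuristics to those exact lines: autostart entries whose command is a bare file name with no directory, toolbar/extension entries registered with no file on disk, and a start page outside an analyst-supplied allow-list (an assumed parameter). On this log they single out the nForce Tray Options entry (sstray.exe) and the {D4027C7F-...} toolbar, the same items ComboFix later lists under Other Deletions and ORPHANS REMOVED.

```python
"""Triage heuristics for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the thread and not code from the DDS tool.
It flags entries worth a second look rather than declaring anything
malicious:
  * uRun/mRun autostart entries whose command is a bare file name
    (no directory), so the entry does not tell you where the binary
    that actually runs lives;
  * toolbar/extension entries (TB:/EB:) registered with no file on disk;
  * a user start page not on an analyst-supplied allow-list.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: these lines are copied from the DDS log quoted above.
# DDS writes "hxxp" in place of "http" so the URL is not clickable.
DDS_EXCERPT = r"""
uStart Page = hxxp://srythshangar.lasthome.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nForce Tray Options] sstray.exe /r
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?P<kind>TB|EB|BHO): (?P<rest>.*) - No File$")
START_RE = re.compile(r"^uStart Page = (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "bare-autorun", "no-file" or "start-page"
    detail: str  # the entry that triggered the finding


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path if the
    command starts with a quote, otherwise the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_name(exe: str) -> bool:
    """True when the program has no drive, directory or variable prefix, so
    Windows resolves it through the search path at logon time."""
    return not any(sep in exe for sep in ("\\", "/", ":", "%"))


def triage(report: str, start_page_allowlist: frozenset = frozenset()) -> list:
    """Scan a Pseudo HJT Report and return findings in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if is_bare_name(exe):
                findings.append(Finding(
                    "bare-autorun", f"{m['hive']}Run [{m['name']}] -> {exe}"))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(Finding("no-file", f"{m['kind']} {m['rest']}"))
            continue
        m = START_RE.match(line)
        if m and m["url"] not in start_page_allowlist:
            findings.append(Finding("start-page", m["url"]))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f"{f.kind:13} {f.detail}")
```

A bare-name autorun is only a lead: the legitimate nForce tray tool is also registered this way, which is exactly why the report alone cannot tell you which sstray.exe is being loaded.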

#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 May 2012 - 01:32 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Ivan Blimisie (Topic Starter)

  • Members
  • 10 posts

Posted 31 May 2012 - 07:22 PM

Hi,

Thanks for helping.

I followed the instructions and ran both of the scans. Here are the logs:

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java™ 6 Update 31
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Flash Player 10.1.102.64 Flash Player out of Date!
Adobe Reader 6 Adobe Reader out of date!
Mozilla Firefox (12.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon!
````````````````````End of Log``````````````````````


ComboFix 12-05-31.02 - Wombat 05/31/2012 17:02:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.596 [GMT -6:00]
Running from: c:\documents and settings\Wombat\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\fastsrch.dll
c:\windows\system32\sstray.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-31 )))))))))))))))))))))))))))))))
.
.
2012-05-29 21:15 . 2012-05-29 21:18 183817 ----a-w- c:\windows\Addictive Pitts Uninstaller.exe
2012-05-25 17:59 . 2012-05-25 17:59 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-22 23:23 . 2012-05-25 17:58 -------- d-----w- c:\program files\Common Files\Java
2012-05-22 23:22 . 2012-05-22 23:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 23:22 . 2012-05-22 23:22 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-05-22 23:22 . 2012-05-25 17:58 -------- d-----w- c:\program files\Java
2012-05-21 23:22 . 2012-05-21 23:22 -------- d-sh--w- c:\documents and settings\Wombat\IECompatCache
2012-05-03 19:15 . 2012-05-03 19:15 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-03 19:15 . 2012-05-03 19:15 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-03 19:15 . 2012-05-03 19:15 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-22 23:22 . 2010-10-31 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-03 19:15 . 2012-04-19 00:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
.
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/3/2012 1:15 PM 129976]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://srythshangar.lasthome.net/
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{2DEF03DB-5D67-4642-87C5-450F38BAAE00}: NameServer = 68.94.156.1,68.94.157.1
FF - ProfilePath - c:\documents and settings\Wombat\Application Data\Mozilla\Firefox\Profiles\blqyob9a.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nForce Tray Options - sstray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-31 17:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(6288)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\Macromed\Flash\Flash10k.ocx
c:\windows\system32\iepeers.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\Dxtrans.dll
c:\windows\system32\Dxtmsft.dll
c:\windows\system32\vbscript.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2012-05-31 17:50:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-31 23:49
.
Pre-Run: 1,362,997,248 bytes free
Post-Run: 1,407,873,024 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - DFCD61FAC2C136A11547A7EC8F5FA020


The Combofix scan took over an hour to complete. After they were both finished I tested and found that my DVD drive is still NOT spooling up when I insert a disc, nor can I access any data on the disc in windows explorer.

I'm still getting redirected when I try to click on any google searches in IE8 and I'm still getting those bogus scripts when I try to go to Microsoft sites in Firefox.

One new thing I noticed was an item in yesterday's browsing history in IE8 for a site called Plimus.com. When I expanded the tree for it there was one line that said "Loading..." with the following link:

"https: //www.plimus.com/sp/redirect.jsp?contactId=3058186&referrer=565763"

I have no idea what that is or how it got there, possibly from testing the google search.

I didn't see any other pop ups, but I didn't stay online that much longer after Combofix was finished. However I was online for the entire time that Combofix was running its scans.

Awaiting further instructions.

Edited by Ivan Blimisie, 31 May 2012 - 07:26 PM.


#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 31 May 2012 - 10:51 PM

Greetings

I want you to run these next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 Ivan Blimisie (Topic Starter)

  • Members
  • 10 posts

Posted 01 June 2012 - 07:02 AM

Hi,

I can't get either of those to run at all. I double clicked on each of them for at least 30 minutes and all I got was a very momentary hourglass and then nothing. Not sure what this means, I hope there's an answer.

And after doing some minor browsing for about an hour the webpage warning pop up returned.

"Message from webpage" and the following warning:

Viruses were found on your computer.
You need to clean your computer to prevent the system crash.

Edited by Ivan Blimisie, 01 June 2012 - 08:25 AM.


#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 03 June 2012 - 06:23 AM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found. Let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#7 Ivan Blimisie (Topic Starter)

  • Members
  • 10 posts

Posted 03 June 2012 - 07:11 PM

Hi,

Downloaded and ran the fixTDSS, it rebooted and ran and said it found an infected MBR. I clicked repair and it said the repair succeeded.

Rebooted again and ran the TDSSKiller, here's the report:

17:53:35.0390 3308 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
17:53:36.0031 3308 ============================================================
17:53:36.0031 3308 Current date / time: 2012/06/03 17:53:36.0031
17:53:36.0031 3308 SystemInfo:
17:53:36.0031 3308
17:53:36.0031 3308 OS Version: 5.1.2600 ServicePack: 3.0
17:53:36.0031 3308 Product type: Workstation
17:53:36.0031 3308 ComputerName: SPARTICUS2
17:53:36.0031 3308 UserName: Wombat
17:53:36.0031 3308 Windows directory: C:\WINDOWS
17:53:36.0031 3308 System windows directory: C:\WINDOWS
17:53:36.0031 3308 Processor architecture: Intel x86
17:53:36.0031 3308 Number of processors: 1
17:53:36.0031 3308 Page size: 0x1000
17:53:36.0031 3308 Boot type: Normal boot
17:53:36.0031 3308 ============================================================
17:53:37.0375 3308 Drive \Device\Harddisk0\DR0 - Size: 0x1315740000 (76.34 Gb), SectorSize: 0x200, Cylinders: 0x26EC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:53:37.0375 3308 Drive \Device\Harddisk1\DR1 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:53:37.0375 3308 ============================================================
17:53:37.0375 3308 \Device\Harddisk0\DR0:
17:53:37.0375 3308 MBR partitions:
17:53:37.0375 3308 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1200798
17:53:37.0437 3308 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1200816, BlocksNum 0x2800A34
17:53:37.0484 3308 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x3A01289, BlocksNum 0x5EA2EA2
17:53:37.0484 3308 \Device\Harddisk1\DR1:
17:53:37.0484 3308 MBR partitions:
17:53:37.0484 3308 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x950A5C1
17:53:37.0484 3308 ============================================================
17:53:37.0500 3308 C: <-> \Device\Harddisk0\DR0\Partition0
17:53:37.0562 3308 D: <-> \Device\Harddisk0\DR0\Partition1
17:53:37.0625 3308 E: <-> \Device\Harddisk0\DR0\Partition2
17:53:37.0640 3308 F: <-> \Device\Harddisk1\DR1\Partition0
17:53:37.0640 3308 ============================================================
17:53:37.0640 3308 Initialize success
17:53:37.0640 3308 ============================================================
17:53:48.0421 3512 ============================================================
17:53:48.0421 3512 Scan started
17:53:48.0421 3512 Mode: Manual;
17:53:48.0421 3512 ============================================================
17:53:50.0796 3512 drmkaud - ok
17:53:50.0828 3512 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:53:50.0828 3512 EapHost - ok
17:53:50.0859 3512 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:53:50.0859 3512 ERSvc - ok
17:53:50.0890 3512 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
17:53:50.0890 3512 Eventlog - ok
17:53:50.0921 3512 EventSystem (19a799805b24990867b00c120d300c3a) C:\WINDOWS\System32\es.dll
17:53:50.0953 3512 EventSystem - ok
17:53:50.0968 3512 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:53:50.0984 3512 Fastfat - ok
17:53:51.0015 3512 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:53:51.0031 3512 FastUserSwitchingCompatibility - ok
17:53:51.0046 3512 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
17:53:51.0062 3512 Fdc - ok
17:53:51.0078 3512 FilterService (50104c5f1ee1e295781caf9521ca2e56) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
17:53:51.0078 3512 FilterService - ok
17:53:51.0093 3512 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:53:51.0093 3512 Fips - ok
17:53:51.0171 3512 FLEXnet Licensing Service (227846995afeefa70d328bf5334a86a5) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
17:53:51.0187 3512 FLEXnet Licensing Service - ok
17:53:51.0203 3512 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:53:51.0203 3512 Flpydisk - ok
17:53:51.0234 3512 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:53:51.0234 3512 FltMgr - ok
17:53:51.0265 3512 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:53:51.0265 3512 Fs_Rec - ok
17:53:51.0281 3512 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:53:51.0281 3512 Ftdisk - ok
17:53:51.0296 3512 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:53:51.0312 3512 Gpc - ok
17:53:51.0375 3512 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
17:53:51.0390 3512 HCF_MSFT - ok
17:53:51.0437 3512 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:53:51.0453 3512 helpsvc - ok
17:53:51.0468 3512 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
17:53:51.0468 3512 HidServ - ok
17:53:51.0500 3512 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:53:51.0500 3512 HidUsb - ok
17:53:51.0531 3512 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:53:51.0531 3512 hkmsvc - ok
17:53:51.0546 3512 hpn - ok
17:53:51.0562 3512 hpt3xx - ok
17:53:51.0593 3512 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
17:53:51.0609 3512 HPZid412 - ok
17:53:51.0625 3512 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
17:53:51.0625 3512 HPZipr12 - ok
17:53:51.0656 3512 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
17:53:51.0656 3512 HPZius12 - ok
17:53:51.0718 3512 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
17:53:51.0734 3512 HTTP - ok
17:53:51.0750 3512 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:53:51.0765 3512 HTTPFilter - ok
17:53:51.0781 3512 i2omgmt - ok
17:53:51.0781 3512 i2omp - ok
17:53:51.0812 3512 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:53:51.0828 3512 i8042prt - ok
17:53:51.0843 3512 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
17:53:51.0843 3512 Imapi - ok
17:53:51.0875 3512 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
17:53:51.0890 3512 ImapiService - ok
17:53:51.0906 3512 ini910u - ok
17:53:51.0937 3512 IntelIde - ok
17:53:51.0953 3512 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
17:53:51.0953 3512 ip6fw - ok
17:53:51.0984 3512 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:53:52.0000 3512 IpFilterDriver - ok
17:53:52.0031 3512 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:53:52.0031 3512 IpInIp - ok
17:53:52.0062 3512 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:53:52.0078 3512 IpNat - ok
17:53:52.0093 3512 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:53:52.0093 3512 IPSec - ok
17:53:52.0125 3512 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:53:52.0125 3512 IRENUM - ok
17:53:52.0140 3512 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:53:52.0156 3512 isapnp - ok
17:53:52.0218 3512 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
17:53:52.0218 3512 JavaQuickStarterService - ok
17:53:52.0234 3512 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:53:52.0250 3512 Kbdclass - ok
17:53:52.0265 3512 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:53:52.0265 3512 kbdhid - ok
17:53:52.0296 3512 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:53:52.0312 3512 kmixer - ok
17:53:52.0328 3512 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
17:53:52.0328 3512 KSecDD - ok
17:53:52.0359 3512 lanmanserver (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
17:53:52.0375 3512 lanmanserver - ok
17:53:52.0406 3512 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
17:53:52.0421 3512 lanmanworkstation - ok
17:53:52.0421 3512 lbrtfdc - ok
17:53:52.0453 3512 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
17:53:52.0453 3512 LmHosts - ok
17:53:52.0500 3512 LVCOMSer (38440fe1a65b1fe3d246c5c4cad22f53) C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
17:53:52.0515 3512 LVCOMSer - ok
17:53:52.0546 3512 LVPr2Mon (a6919138f29ae45e90e99fa94737e04c) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
17:53:52.0546 3512 LVPr2Mon - ok
17:53:52.0578 3512 LVPrcSrv (28bd0e4b6c050b591b8cb35b9ad284e6) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
17:53:52.0578 3512 LVPrcSrv - ok
17:53:52.0625 3512 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
17:53:52.0656 3512 LVRS - ok
17:53:52.0687 3512 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\drivers\LVUSBSta.sys
17:53:52.0687 3512 LVUSBSta - ok
17:53:52.0921 3512 LVUVC (8bc0d5f6e3898f465a94c6d03afb5a20) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
17:53:53.0031 3512 LVUVC - ok
17:53:53.0125 3512 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
17:53:53.0140 3512 Messenger - ok
17:53:53.0187 3512 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:53:53.0187 3512 mnmdd - ok
17:53:53.0218 3512 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
17:53:53.0218 3512 mnmsrvc - ok
17:53:53.0234 3512 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:53:53.0250 3512 Modem - ok
17:53:53.0265 3512 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:53:53.0281 3512 Mouclass - ok
17:53:53.0296 3512 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:53:53.0296 3512 mouhid - ok
17:53:53.0343 3512 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:53:53.0343 3512 MountMgr - ok
17:53:53.0390 3512 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
17:53:53.0390 3512 MozillaMaintenance - ok
17:53:53.0406 3512 mraid35x - ok
17:53:53.0421 3512 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:53:53.0437 3512 MRxDAV - ok
17:53:53.0468 3512 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:53:53.0484 3512 MRxSmb - ok
17:53:53.0515 3512 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
17:53:53.0515 3512 MSDTC - ok
17:53:53.0531 3512 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:53:53.0531 3512 Msfs - ok
17:53:53.0531 3512 MSIServer - ok
17:53:53.0562 3512 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:53:53.0562 3512 MSKSSRV - ok
17:53:53.0578 3512 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:53:53.0578 3512 MSPCLOCK - ok
17:53:53.0593 3512 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:53:53.0593 3512 MSPQM - ok
17:53:53.0609 3512 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:53:53.0609 3512 mssmbios - ok
17:53:53.0625 3512 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
17:53:53.0625 3512 MSTEE - ok
17:53:53.0656 3512 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
17:53:53.0656 3512 ms_mpu401 - ok
17:53:53.0671 3512 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
17:53:53.0687 3512 Mup - ok
17:53:53.0718 3512 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:53:53.0718 3512 NABTSFEC - ok
17:53:53.0765 3512 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
17:53:53.0781 3512 napagent - ok
17:53:53.0812 3512 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:53:53.0812 3512 NDIS - ok
17:53:53.0828 3512 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:53:53.0828 3512 NdisIP - ok
17:53:53.0843 3512 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:53:53.0843 3512 NdisTapi - ok
17:53:53.0859 3512 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:53:53.0859 3512 Ndisuio - ok
17:53:53.0890 3512 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:53:53.0890 3512 NdisWan - ok
17:53:53.0921 3512 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
17:53:53.0937 3512 NDProxy - ok
17:53:53.0953 3512 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:53:53.0953 3512 NetBIOS - ok
17:53:53.0968 3512 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:53:53.0984 3512 NetBT - ok
17:53:54.0015 3512 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:53:54.0031 3512 NetDDE - ok
17:53:54.0046 3512 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:53:54.0046 3512 NetDDEdsdm - ok
17:53:54.0062 3512 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:53:54.0062 3512 Netlogon - ok
17:53:54.0093 3512 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
17:53:54.0109 3512 Netman - ok
17:53:54.0140 3512 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:53:54.0140 3512 NIC1394 - ok
17:53:54.0171 3512 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
17:53:54.0187 3512 Nla - ok
17:53:54.0203 3512 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:53:54.0203 3512 Npfs - ok
17:53:54.0234 3512 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:53:54.0265 3512 Ntfs - ok
17:53:54.0265 3512 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
17:53:54.0281 3512 NtLmSsp - ok
17:53:54.0312 3512 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
17:53:54.0328 3512 NtmsSvc - ok
17:53:54.0359 3512 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:53:54.0359 3512 Null - ok
17:53:54.0390 3512 nvax (a9af177d2543315108bd974e469f4d45) C:\WINDOWS\system32\drivers\nvax.sys
17:53:54.0406 3512 nvax - ok
17:53:54.0421 3512 NVENET (e07c1f16e5a4e32fc3c0f62b59815ef0) C:\WINDOWS\system32\DRIVERS\NVENET.sys
17:53:54.0437 3512 NVENET - ok
17:53:54.0468 3512 nvnforce (ab0f1072ac0e24567effcb0c4f3499f5) C:\WINDOWS\system32\drivers\nvapu.sys
17:53:54.0484 3512 nvnforce - ok
17:53:54.0500 3512 nv_agp (29291c3a7256337327051cc37e4fc09a) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
17:53:54.0500 3512 nv_agp - ok
17:53:54.0515 3512 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:53:54.0515 3512 NwlnkFlt - ok
17:53:54.0546 3512 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:53:54.0546 3512 NwlnkFwd - ok
17:53:54.0625 3512 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
17:53:54.0640 3512 odserv - ok
17:53:54.0671 3512 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:53:54.0671 3512 ohci1394 - ok
17:53:54.0718 3512 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:53:54.0718 3512 ose - ok
17:53:54.0734 3512 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:53:54.0750 3512 Parport - ok
17:53:54.0765 3512 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:53:54.0765 3512 PartMgr - ok
17:53:54.0796 3512 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:53:54.0796 3512 ParVdm - ok
17:53:54.0812 3512 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:53:54.0812 3512 PCI - ok
17:53:54.0828 3512 PCIDump - ok
17:53:54.0843 3512 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:53:54.0843 3512 PCIIde - ok
17:53:54.0875 3512 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:53:54.0875 3512 Pcmcia - ok
17:53:54.0890 3512 PDCOMP - ok
17:53:54.0906 3512 PDFRAME - ok
17:53:54.0921 3512 PDRELI - ok
17:53:54.0937 3512 PDRFRAME - ok
17:53:54.0937 3512 perc2 - ok
17:53:54.0953 3512 perc2hib - ok
17:53:55.0000 3512 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
17:53:55.0000 3512 PlugPlay - ok
17:53:55.0031 3512 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\System32\HPZipm12.exe
17:53:55.0046 3512 Pml Driver HPZ12 - ok
17:53:55.0078 3512 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:53:55.0078 3512 PolicyAgent - ok
17:53:55.0093 3512 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:53:55.0093 3512 PptpMiniport - ok
17:53:55.0109 3512 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
17:53:55.0109 3512 Processor - ok
17:53:55.0125 3512 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:53:55.0125 3512 ProtectedStorage - ok
17:53:55.0140 3512 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:53:55.0156 3512 PSched - ok
17:53:55.0171 3512 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:53:55.0171 3512 Ptilink - ok
17:53:55.0187 3512 ql1080 - ok
17:53:55.0203 3512 Ql10wnt - ok
17:53:55.0203 3512 ql12160 - ok
17:53:55.0218 3512 ql1240 - ok
17:53:55.0234 3512 ql1280 - ok
17:53:55.0250 3512 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:53:55.0250 3512 RasAcd - ok
17:53:55.0281 3512 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
17:53:55.0281 3512 RasAuto - ok
17:53:55.0312 3512 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:53:55.0328 3512 Rasl2tp - ok
17:53:55.0359 3512 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
17:53:55.0375 3512 RasMan - ok
17:53:55.0390 3512 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:53:55.0390 3512 RasPppoe - ok
17:53:55.0406 3512 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:53:55.0406 3512 Raspti - ok
17:53:55.0421 3512 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:53:55.0437 3512 Rdbss - ok
17:53:55.0453 3512 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:53:55.0453 3512 RDPCDD - ok
17:53:55.0484 3512 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:53:55.0500 3512 rdpdr - ok
17:53:55.0531 3512 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
17:53:55.0531 3512 RDPWD - ok
17:53:55.0562 3512 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
17:53:55.0578 3512 RDSessMgr - ok
17:53:55.0593 3512 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:53:55.0593 3512 redbook - ok
17:53:55.0625 3512 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
17:53:55.0625 3512 RemoteAccess - ok
17:53:55.0656 3512 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
17:53:55.0671 3512 RemoteRegistry - ok
17:53:55.0703 3512 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
17:53:55.0718 3512 RpcLocator - ok
17:53:55.0750 3512 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\System32\rpcss.dll
17:53:55.0765 3512 RpcSs - ok
17:53:55.0796 3512 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
17:53:55.0812 3512 RSVP - ok
17:53:55.0828 3512 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:53:55.0828 3512 SamSs - ok
17:53:55.0859 3512 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
17:53:55.0859 3512 SCardSvr - ok
17:53:55.0890 3512 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
17:53:55.0906 3512 Schedule - ok
17:53:55.0921 3512 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:53:55.0921 3512 Secdrv - ok
17:53:55.0953 3512 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
17:53:55.0968 3512 seclogon - ok
17:53:55.0984 3512 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
17:53:56.0000 3512 SENS - ok
17:53:56.0015 3512 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:53:56.0015 3512 serenum - ok
17:53:56.0031 3512 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:53:56.0031 3512 Serial - ok
17:53:56.0046 3512 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:53:56.0046 3512 Sfloppy - ok
17:53:56.0093 3512 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
17:53:56.0093 3512 SharedAccess - ok
17:53:56.0125 3512 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:53:56.0125 3512 ShellHWDetection - ok
17:53:56.0140 3512 Simbad - ok
17:53:56.0156 3512 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:53:56.0171 3512 SLIP - ok
17:53:56.0171 3512 Sparrow - ok
17:53:56.0203 3512 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:53:56.0203 3512 splitter - ok
17:53:56.0234 3512 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
17:53:56.0234 3512 Spooler - ok
17:53:56.0265 3512 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:53:56.0265 3512 sr - ok
17:53:56.0296 3512 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
17:53:56.0312 3512 srservice - ok
17:53:56.0343 3512 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
17:53:56.0359 3512 Srv - ok
17:53:56.0375 3512 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
17:53:56.0390 3512 SSDPSRV - ok
17:53:56.0421 3512 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
17:53:56.0437 3512 stisvc - ok
17:53:56.0453 3512 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:53:56.0453 3512 streamip - ok
17:53:56.0484 3512 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:53:56.0484 3512 swenum - ok
17:53:56.0500 3512 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:53:56.0500 3512 swmidi - ok
17:53:56.0515 3512 SwPrv - ok
17:53:56.0531 3512 symc810 - ok
17:53:56.0546 3512 symc8xx - ok
17:53:56.0562 3512 sym_hi - ok
17:53:56.0562 3512 sym_u3 - ok
17:53:56.0593 3512 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:53:56.0593 3512 sysaudio - ok
17:53:56.0625 3512 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
17:53:56.0625 3512 SysmonLog - ok
17:53:56.0656 3512 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
17:53:56.0671 3512 TapiSrv - ok
17:53:56.0718 3512 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:53:56.0750 3512 Tcpip - ok
17:53:56.0781 3512 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:53:56.0781 3512 TDPIPE - ok
17:53:56.0796 3512 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:53:56.0796 3512 TDTCP - ok
17:53:56.0828 3512 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:53:56.0828 3512 TermDD - ok
17:53:56.0875 3512 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
17:53:56.0890 3512 TermService - ok
17:53:56.0906 3512 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:53:56.0921 3512 Themes - ok
17:53:56.0953 3512 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
17:53:56.0953 3512 TlntSvr - ok
17:53:56.0968 3512 TosIde - ok
17:53:57.0000 3512 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
17:53:57.0000 3512 TrkWks - ok
17:53:57.0031 3512 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:53:57.0031 3512 Udfs - ok
17:53:57.0046 3512 ultra - ok
17:53:57.0093 3512 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:53:57.0109 3512 Update - ok
17:53:57.0140 3512 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
17:53:57.0156 3512 upnphost - ok
17:53:57.0171 3512 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
17:53:57.0187 3512 UPS - ok
17:53:57.0218 3512 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
17:53:57.0218 3512 usbaudio - ok
17:53:57.0250 3512 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:53:57.0250 3512 usbccgp - ok
17:53:57.0265 3512 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:53:57.0281 3512 usbhub - ok
17:53:57.0296 3512 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
17:53:57.0296 3512 usbohci - ok
17:53:57.0328 3512 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:53:57.0343 3512 usbprint - ok
17:53:57.0359 3512 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:53:57.0359 3512 usbscan - ok
17:53:57.0390 3512 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:53:57.0390 3512 USBSTOR - ok
17:53:57.0421 3512 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:53:57.0437 3512 VgaSave - ok
17:53:57.0437 3512 ViaIde - ok
17:53:57.0468 3512 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:53:57.0484 3512 VolSnap - ok
17:53:57.0515 3512 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
17:53:57.0531 3512 VSS - ok
17:53:57.0546 3512 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
17:53:57.0562 3512 W32Time - ok
17:53:57.0593 3512 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:53:57.0593 3512 Wanarp - ok
17:53:57.0609 3512 WDICA - ok
17:53:57.0640 3512 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:53:57.0640 3512 wdmaud - ok
17:53:57.0671 3512 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
17:53:57.0687 3512 WebClient - ok
17:53:57.0765 3512 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
17:53:57.0765 3512 winmgmt - ok
17:53:57.0812 3512 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\System32\mspmsnsv.dll
17:53:57.0812 3512 WmdmPmSN - ok
17:53:57.0859 3512 Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
17:53:57.0890 3512 Wmi - ok
17:53:57.0921 3512 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
17:53:57.0921 3512 WmiApSrv - ok
17:53:57.0953 3512 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:53:57.0953 3512 WS2IFSL - ok
17:53:58.0000 3512 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
17:53:58.0000 3512 wscsvc - ok
17:53:58.0046 3512 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:53:58.0046 3512 WSTCODEC - ok
17:53:58.0062 3512 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
17:53:58.0078 3512 wuauserv - ok
17:53:58.0109 3512 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
17:53:58.0125 3512 WZCSVC - ok
17:53:58.0171 3512 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
17:53:58.0187 3512 xmlprov - ok
17:53:58.0218 3512 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:53:58.0671 3512 \Device\Harddisk0\DR0 - ok
17:53:58.0687 3512 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
17:53:58.0687 3512 \Device\Harddisk1\DR1 - ok
17:53:58.0703 3512 Boot (0x1200) (f32d744fa6ea3ffdfe1b92c187bbccde) \Device\Harddisk0\DR0\Partition0
17:53:58.0703 3512 \Device\Harddisk0\DR0\Partition0 - ok
17:53:58.0734 3512 Boot (0x1200) (9be86efb1516dec7723fa9bb8280064f) \Device\Harddisk0\DR0\Partition1
17:53:58.0734 3512 \Device\Harddisk0\DR0\Partition1 - ok
17:53:58.0765 3512 Boot (0x1200) (3b88d1273f99a672f49f7001fd04ca9a) \Device\Harddisk0\DR0\Partition2
17:53:58.0765 3512 \Device\Harddisk0\DR0\Partition2 - ok
17:53:58.0765 3512 Boot (0x1200) (6661dd308b1dcff8b77b8aa2d28da28a) \Device\Harddisk1\DR1\Partition0
17:53:58.0781 3512 \Device\Harddisk1\DR1\Partition0 - ok
17:53:58.0781 3512 ============================================================
17:53:58.0781 3512 Scan finished
17:53:58.0781 3512 ============================================================
17:53:58.0796 3504 Detected object count: 0
17:53:58.0796 3504 Actual detected object count: 0


Tested to see if the DVD drive would work and the disc I tried got stuck with the light constantly on. Was able to free the disc using the emergency drawer key/wire. Still didn't spool up but I heard sounds like it was trying but something was stuck, a sort of clicking. Wondering if maybe the drive has failed somehow.

What's next?

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 June 2012 - 10:31 PM

Greetings


Sounds like the CD drive might be dead, but run this to be sure: http://support.microsoft.com/mats/cd_dvd_drive_problems/en-us


Also run the aswMBR scan for me now.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Ivan Blimisie (Topic Starter)

Posted 05 June 2012 - 12:07 PM

Hi,

I ran the FixIt deal, and since the drive doesn't spool up at all it failed; no answers at all there.

I ran the aswMBR scan. It said something about finding something, but I didn't fix it because you didn't say anything about fixing problems that it found. Here's the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-05 10:24:28
-----------------------------
10:24:28.140 OS Version: Windows 5.1.2600 Service Pack 3
10:24:28.140 Number of processors: 1 586 0x801
10:24:28.140 ComputerName: SPARTICUS2 UserName: Wombat
10:24:28.343 Initialize success
10:34:11.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:34:11.890 Disk 0 Vendor: Maxtor_6Y080P0 YAR41BW0 Size: 78167MB BusType: 3
10:34:11.890 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:34:11.890 Disk 1 Vendor: WDC_WD800AAJB-00J3A0 01.03E01 Size: 76319MB BusType: 3
10:34:11.906 Disk 0 MBR read successfully
10:34:11.906 Disk 0 MBR scan
10:34:11.906 Disk 0 Windows XP default MBR code
10:34:11.906 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 9216 MB offset 63
10:34:11.906 Disk 0 Partition - 00 0F Extended LBA 68935 MB offset 18876375
10:34:11.953 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 20481 MB offset 18876438
10:34:11.953 Disk 0 Partition - 00 05 Extended 48453 MB offset 60822090
10:34:11.984 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 48453 MB offset 60822153
10:34:11.984 Disk 0 malicious Win32:MBRoot code @ sector 61 !
10:34:12.000 Disk 0 PE file @ sector 160055595 !
10:34:12.531 Disk 0 scanning C:\WINDOWS\system32\drivers
10:34:17.140 Service scanning
10:34:21.953 Modules scanning
10:34:25.375 Disk 0 trace - called modules:
10:34:25.390 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:34:25.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86778ab8]
10:34:25.390 3 CLASSPNP.SYS[f788ffd7] -> nt!IofCallDriver -> \Device\0000005b[0x8668cf18]
10:34:25.390 5 ACPI.sys[f77e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x867328a8]
10:34:25.390 Scan finished successfully
10:35:34.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Wombat\Desktop\MBR.dat"
10:35:34.750 The log file has been saved successfully to "C:\Documents and Settings\Wombat\Desktop\aswMBR.txt"


After all this was finished I tested a couple things. I'm no longer getting redirected when clicking on Google searches when I use IE8, and I'm no longer seeing those bogus scripts when I try to go to Microsoft sites using Firefox, so it seems we are making progress.

Awaiting further instructions.

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 June 2012 - 01:26 PM

Greetings Ivan Blimisie

It does look like the drive is dead :huh:

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 Ivan Blimisie

  • Topic Starter
  • Members
  • 10 posts

Posted 05 June 2012 - 10:16 PM

Hello,

I ran the script. It said there was an updated version and asked if I wanted to download that; I said yes. It ran smoothly, rebooted and gave me a report.



ComboFix 12-06-05.04 - Wombat 06/05/2012 18:38:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.704 [GMT -6:00]
Running from: c:\documents and settings\Wombat\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wombat\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Wombat\Local Settings\Application Data\{9B3B952B-CE23-42E3-9569-6F757EAFF41E}
c:\documents and settings\Wombat\Local Settings\Application Data\{9B3B952B-CE23-42E3-9569-6F757EAFF41E}\chrome.manifest
c:\documents and settings\Wombat\Local Settings\Application Data\{9B3B952B-CE23-42E3-9569-6F757EAFF41E}\chrome\content\_cfg.js
c:\documents and settings\Wombat\Local Settings\Application Data\{9B3B952B-CE23-42E3-9569-6F757EAFF41E}\chrome\content\overlay.xul
c:\documents and settings\Wombat\Local Settings\Application Data\{9B3B952B-CE23-42E3-9569-6F757EAFF41E}\install.rdf
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-06 to 2012-06-06 )))))))))))))))))))))))))))))))
.
.
2012-06-05 16:43 . 2012-06-05 16:43 -------- d-----w- c:\documents and settings\Wombat\Application Data\ElevatedDiagnostics
2012-05-29 21:15 . 2012-05-29 21:18 183817 ----a-w- c:\windows\Addictive Pitts Uninstaller.exe
2012-05-25 17:59 . 2012-05-25 17:59 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-22 23:23 . 2012-05-25 17:58 -------- d-----w- c:\program files\Common Files\Java
2012-05-22 23:22 . 2012-05-22 23:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-22 23:22 . 2012-05-22 23:22 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-05-22 23:22 . 2012-05-25 17:58 -------- d-----w- c:\program files\Java
2012-05-21 23:22 . 2012-05-21 23:22 -------- d-sh--w- c:\documents and settings\Wombat\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-22 23:22 . 2010-10-31 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-03 19:15 . 2012-04-19 00:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-31_23.35.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-06 00:44 . 2012-06-06 00:44 16384 c:\windows\Temp\Perflib_Perfdata_18c.dat
+ 2012-06-05 16:40 . 2007-11-01 04:48 20992 c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 37376 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a322b6c54cebd94eb85acfce54a1baa6\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 20992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6ee6c22743764c4cbbf93f8149c94eb0\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6c445efb8629104494a8b8b067c979e3\Microsoft.PowerShell.Security.resources.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 31744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\19f0dd2dd2ebe2429bc4a30e7ecafc7d\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 65536 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 36864 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 32768 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 11264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
+ 2012-06-05 16:40 . 2007-06-30 18:49 4608 c:\windows\system32\windowspowershell\v1.0\pwrshmsg.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 8704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
+ 2012-06-05 16:40 . 2007-10-30 09:15 330240 c:\windows\system32\windowspowershell\v1.0\powershell.exe
+ 2012-06-05 17:04 . 2012-06-05 17:04 184320 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4bb0f6a65bac6a4da2c3ca783ce39fb4\System.Management.Automation.resources.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 552960 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b5ab174f077d0f458c2282689c92bdc8\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 524288 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4c5e8432d108f54383d1485a7cd5a4b1\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 176128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4b361ebf439f6e4ab387530f481b8a3e\Microsoft.PowerShell.Security.ni.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 163840 c:\windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 200704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 294912 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 139264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 5271552 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\494746811239844e9c1dddce297ea425\System.Management.Automation.ni.dll
+ 2012-06-05 17:04 . 2012-06-05 17:04 1069056 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\bd92da34216daa48b9872f2008849e12\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-06-05 16:41 . 2012-06-05 16:41 1564672 c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
.
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/3/2012 1:15 PM 129976]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://srythshangar.lasthome.net/
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{2DEF03DB-5D67-4642-87C5-450F38BAAE00}: NameServer = 68.94.156.1,68.94.157.1
FF - ProfilePath - c:\documents and settings\Wombat\Application Data\Mozilla\Firefox\Profiles\blqyob9a.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-05 18:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(7436)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2012-06-05 18:46:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-06 00:46
ComboFix2.txt 2012-05-31 23:50
.
Pre-Run: 1,237,831,680 bytes free
Post-Run: 1,308,876,800 bytes free
.
- - End Of File - - 89CEA7CC38CDF24EE7B1CBBFE8A8A8A4


I retested for any redirects or additional bogus scripts trying to run and haven't seen any so far. Also haven't seen that "Warning from website" pop up either.


I had a question about these two lines from the aswMBR report, because I never let that program fix anything. Or was this last ComboFix scan supposed to fix these?

10:34:11.984 Disk 0 malicious Win32:MBRoot code @ sector 61 !
10:34:12.000 Disk 0 PE file @ sector 160055595 !

As far as the DVD drive I was wondering if updating the firmware would do anything to get it back in operation?

Apart from that, I've been trying to defrag my C: drive, but it keeps stopping after only 3%; that was one of the reasons I wanted to perform a fresh reinstall. I think I have a bunch of corrupted files clogging that partition. I really wanted to make sure I had a clean boot sector before I attempted to reinstall Windows.

That's all I can think of, waiting to hear back from you.
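The MBR.dat that aswMBR saved to the desktop is a raw 512-byte sector, and the two flagged sector numbers can be located against the partition table it holds. The following is an added example for this thread, not aswMBR or ComboFix code: it parses such a sector and places sector 61 in the unused gap between the MBR at sector 0 and partition 1 at offset 63, the area where bootkits such as the one aswMBR names typically park their code. The partition values are constructed from the Disk 0 lines in the log above (the log rounds sizes down to whole MB, so the exact end of the extended container is approximate), and the disk signature is made up.

```python
"""Parse a raw 512-byte MBR sector and locate scanner-reported sector numbers.
Added example for this thread; the partition values mirror the aswMBR Disk 0
lines and are constructed, as is the disk signature."""
import hashlib
import struct

SECTOR = 512
MB = 1024 * 1024
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count
TABLE_OFFSET = 446        # 440 bytes bootstrap code + 4-byte disk signature + 2 reserved
BOOT_SIG = b"\x55\xAA"


def build_sample_mbr() -> bytes:
    """Constructed MBR.dat look-alike: zeroed bootstrap code (a real one holds
    440 bytes of code), a made-up disk signature, and the two primary entries
    aswMBR listed for Disk 0. Logical partitions 2 and 3 live in EBRs inside
    the extended container, so they do not appear in the MBR itself."""
    entries = [
        (0x80, 0x07, 63, 18876312),         # Partition 1: active NTFS, offset 63, 9216 MB
        (0x00, 0x0F, 18876375, 141178880),  # Extended LBA container, offset 18876375, 68935 MB
        (0x00, 0x00, 0, 0),                 # unused slot
        (0x00, 0x00, 0, 0),                 # unused slot
    ]
    table = b"".join(struct.pack(ENTRY_FMT, st, bytes(3), ty, bytes(3), lba, cnt)
                     for st, ty, lba, cnt in entries)
    return bytes(440) + struct.pack("<I", 0xDEADBEEF) + bytes(2) + table + BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature and the non-empty primary partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // MB,  # floor division, like the scanner's "9216 MB"
        })
    return {"disk_signature": struct.unpack_from("<I", mbr, 440)[0], "partitions": parts}


def check_layout(parts: list) -> list:
    """Sanity checks worth running before trusting a recovered partition table."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) > 1:
        findings.append(f"more than one active partition: {active}")
    ordered = sorted(parts, key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["lba"] == 0:
            findings.append(f"partition {p['index']} claims to start at sector 0 (the MBR itself)")
    return findings


def classify_sector(parts: list, sector: int) -> str:
    """Say where a sector number reported by a scanner falls in this layout."""
    if sector == 0:
        return "mbr"
    for p in sorted(parts, key=lambda p: p["lba"]):
        if p["lba"] <= sector < p["lba"] + p["sectors"]:
            return f"inside partition {p['index']} (type 0x{p['type']:02X})"
    if parts and sector < min(p["lba"] for p in parts):
        return "gap between MBR and first partition"
    return "outside any primary partition"


def bootstrap_code_sha256(mbr: bytes) -> str:
    """Hash of the 440-byte bootstrap area, to compare against a known-good copy
    of the same OS's MBR code (this page gives no reference hash)."""
    return hashlib.sha256(mbr[:440]).hexdigest()


if __name__ == "__main__":
    layout = parse_mbr(build_sample_mbr())
    for p in layout["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {flag} type 0x{p['type']:02X} {p['size_mb']} MB offset {p['lba']}")
    print("layout findings:", check_layout(layout["partitions"]) or "none")
    # The two sectors aswMBR flagged, located against the constructed table.
    for s in (61, 160055595):
        print(f"sector {s}: {classify_sector(layout['partitions'], s)}")
```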

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 June 2012 - 10:48 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

  • Adobe Reader 6.0.1
  • Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 Ivan Blimisie

  • Topic Starter
  • Members
  • 10 posts

Posted 06 June 2012 - 06:53 AM

Ok,

I've downloaded all the software, and I'm getting ready to go through the list of instructions, but there are a couple of things that concern me.

I've had a very bad history with Malwarebytes. This was a couple of years ago, and when I used it, like I was asked to at another forum, it made my system unbootable. I have no idea why it did my system in, but ever since I've had a bad feeling about running it. However, I will try it.

And a word of advice about Foxit Reader. I tried it about a year ago, and it had an email spambot attached to it. The day after I installed it, I started getting up to 8 or 9 spam emails a day for everything from car dealers to Viagra. I have no idea if anyone else has had the same thing happen to them, but I still occasionally get something new that I have to add to my blocked senders list.

Crossing my fingers.

#14 Ivan Blimisie

  • Topic Starter
  • Members
  • 10 posts

Posted 06 June 2012 - 08:27 AM

Alright, no issues with Malwarebytes this time, thank goodness!

I ran Revo and removed Java and Adobe. I reinstalled the up-to-date Java, saving the Adobe for later; I hate how they cram in all kinds of extra crap when you install from their website.

Ran CCleaner and then tried to defrag my C: drive; it still won't finish the defrag. Plenty of free space, too many corrupted files, I think.

Here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.06.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Wombat :: SPARTICUS2 [administrator]

6/6/2012 8:05:49 AM
mbam-log-2012-06-06 (08-05-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186245
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:11:43 AM, on 6/6/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
D:\HJT\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://srythshangar.lasthome.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] D:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DEF03DB-5D67-4642-87C5-450F38BAAE00}: NameServer = 68.94.156.1,68.94.157.1
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5177 bytes


No idea where those R1 entries came from, they weren't there before I started this process of cleaning things out.

Anything else I need to do?

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 June 2012 - 08:33 AM

Greetings

The R1 entries are OK and normal.

I use Foxit on three computers at my home and have not had a problem with it.

And Malwarebytes is a program I have used in every case I work on, and it is probably the only program that has not hurt a computer yet. Most likely it was a virus that interfered in some way with you a couple of years ago.

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs, you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    • O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    • O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    • O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo



