
TR/Sirefef.AG.35, TR/Small.FI, TR/ATRAPS.Gen2


  • This topic is locked
15 replies to this topic

#1 michalsol


  • Members
  • 8 posts

Posted 15 June 2012 - 04:14 PM

Hello ;)

At first I would like to apologize for my English. Forgive me my mistakes - I am non-native (PL).

Some time ago I had some problems with viruses, which Avira mentioned as TR/Sirefef.AG.35, TR/Small.FI and TR/ATRAPS.Gen2. The System Firewall wasn't working and there were many notifications about viruses from Avira.

My friend helped me and we managed to remove those problems. Kaspersky Removal Tool and MBAM say that system is clean.

However, I still have some problems with the computer right now: Windows says that antivirus software is not installed in the system (I still have Avira, which works) and when I want to watch a film in WMP there is an error. It says that the system is out of memory.

Here is my log from DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Michal at 22:17:45 on 2012-06-15
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.hp.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236024405265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.100
TCP: Interfaces\{65C85A0E-F6A7-4AD6-B3B2-8F885C9820A3} : DhcpNameServer = 192.168.1.100
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michal\application data\mozilla\firefox\profiles\rau1e6rq.default\
FF - prefs.js: browser.search.selectedEngine - Wyszukiwanie filmów wideo w YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.pajacyk.pl
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=pl&q=
FF - component: c:\documents and settings\michal\application data\mozilla\firefox\profiles\rau1e6rq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\michal\application data\mozilla\firefox\profiles\rau1e6rq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-13 20:41:22 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 16:03:03 -------- d-----w- c:\documents and settings\michal\DoctorWeb
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 21:42:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-12 21:42:25 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-09 12:05:45 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 13:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 22:19:20,12 ===============


I'm also attaching the second log from DDS (attach.txt) and the log from GMER (ark.txt).

I would be very grateful for help.
Thank you and again - sorry for my English :)

--
Regards,
michalsol
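As an added example (not part of this thread, and not the code of DDS, ComboFix or any other tool named here), a small Python triage script that reads lines in the DDS "Pseudo HJT Report" format shown above and flags autostart entries whose binary lives outside the usual Windows/Program Files locations, which is the first thing a responder checks in such a log. The sample lines and the location heuristic are constructed assumptions, not findings from this log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not the poster's full log): a few lines in the DDS
# "Pseudo HJT Report" format, plus one made-up entry that autostarts from a temp folder.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
Notify: AtiExtEvent - Ati2evxx.dll
uRun: [example-updater] c:\documents and settings\michal\local settings\temp\example.exe
"""

# DDS prefixes for load points: uRun/mRun/dRun are the current-user, machine and
# default-user Run keys; BHO, Notify and SSODL are browser/winlogon/shell load points.
ENTRY_RE = re.compile(r"^(?P<kind>[umd]Run|BHO|Notify|SSODL):\s*(?P<body>.+)$", re.I)
# First Windows path in the line that ends in a loadable extension (quotes stripped).
PATH_RE = re.compile(r'"?((?:[a-z]:|%windir%)\\.*?\.(?:exe|dll|cpl|scr|sys))"?', re.I)

# Heuristic (my assumption, not from the thread): autostart binaries normally live
# here on XP. Entries elsewhere, or under a user profile/temp folder, get flagged.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%windir%\\")
REVIEW_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                  "\\documents and settings\\", "\\users\\")


@dataclass
class Entry:
    kind: str            # uRun, mRun, dRun, BHO, Notify, SSODL
    name: str            # value name or display name
    path: Optional[str]  # image path, None when the line carries only a bare filename
    verdict: str         # "expected", "review" or "unqualified"


def classify(path: Optional[str]) -> str:
    """Rate a load-point image path; a bare filename is resolved through the search path."""
    if path is None:
        return "unqualified"
    p = path.lower()
    if any(marker in p for marker in REVIEW_MARKERS):
        return "review"
    if p.startswith(EXPECTED_PREFIXES):
        return "expected"
    return "review"


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one DDS pseudo-HJT line into an Entry, or None for lines of other kinds."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    bracketed = re.match(r"\[(.+?)\]", body)
    if bracketed:
        name = bracketed.group(1)                            # Run entries: [ValueName] path args
    else:
        name = body.split(" - ")[0].split(":")[0].strip()    # "Name: {CLSID} - path" / "Name - dll"
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    return Entry(kind, name, path, classify(path))


def triage(log_text: str) -> List[Entry]:
    """Parse every load-point line in a DDS log and attach a verdict to each."""
    entries = [parse_entry(line) for line in log_text.splitlines()]
    return [e for e in entries if e is not None]


def review_queue(entries: List[Entry]) -> List[Entry]:
    """Entries a responder should look at by hand: anything not rated expected."""
    return [e for e in entries if e.verdict != "expected"]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:<11} {e.kind:<6} {e.name:<22} {e.path or '(bare filename)'}")
```

A "review" verdict is only a prompt to look closer (check the file's signer, hash and creation time), not a detection by itself.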


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2012 - 12:31 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 michalsol

  • Topic Starter

  • Members
  • 8 posts

Posted 17 June 2012 - 06:33 AM

Thank you for response.

I did everything you told me and I still have those problems.
Windows keeps informing me that antivirus software is not installed, and some films don't work in WMP and other players (I must try opening films many times until they are played).
And the system is a bit slow now (when I press a key I must wait a while until the letter is shown on the screen).

This is my Security Check log (it is written in Polish, I can translate it into English if this is a problem):

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Avira Free Antivirus
Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware wersja 1.61.0.1400
CCleaner
Java™ 7
Java™ SE Development Kit 7
Java version out of date!
Adobe Flash Player 11.2.202.235
Adobe Reader X (10.1.3)
Mozilla Firefox (12.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 17% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

And this is my Combofix log:

ComboFix 12-06-16.02 - Michal 2012-06-17 13:14:07.1.1 - x86
Uruchomiony z: c:\documents and settings\Michal\Desktop\ComboFix.exe
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michal\WINDOWS
c:\program files\INSTALL.LOG
c:\windows\d.ini
c:\windows\IsUn0415.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-05-17 do 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-13 20:41 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 16:03 . 2012-06-11 18:29 -------- d-----w- c:\documents and settings\Michal\DoctorWeb
2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 21:42 . 2012-04-11 18:49 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 21:42 . 2011-06-19 17:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-11 14:42 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-09 12:05 . 2012-02-19 20:21 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-09 12:05 . 2012-02-19 20:21 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-02-07 12:49 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 13:56 . 2011-06-23 12:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 18:51 . 2011-03-23 20:42 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-09 348624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Michal^Start Menu^Programs^Startup^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=c:\documents and settings\Michal\Start Menu\Programs\Startup\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=c:\windows\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-03-23 11:06 888832 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"hpWirelessAssistant"=c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 257696]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-03-13 13224]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-13 129976]
R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [2012-01-18 155320]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-04-08 229376]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-16 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-05-09 86224]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-04-18 200576]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-03-13 27632]
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:42]
.
2012-06-17 c:\windows\Tasks\User_Feed_Synchronization-{7BD0834F-2178-4E44-8678-2FED79201BDE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.hp.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.100
FF - ProfilePath - c:\documents and settings\Michal\Application Data\Mozilla\Firefox\Profiles\rau1e6rq.default\
FF - prefs.js: browser.search.selectedEngine - Wyszukiwanie filmów wideo w YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.pajacyk.pl
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=pl&q=
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
SafeBoot-Wdf01000.sys
MSConfigStartUp-Google Update - c:\documents and settings\Michal\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-17 13:18
Windows 5.1.2600 Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?1?7?7??????? ???B?????????????hLC? ??????
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2012-06-17 13:20:52
ComboFix-quarantined-files.txt 2012-06-17 11:20
.
Przed: 1 406 787 584 bytes free
Po: 1 574 166 528 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B094B25930A11F411FFF3A1A39BE0014

Thank you for checking and replying.

Edited by michalsol, 17 June 2012 - 06:34 AM.


#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2012 - 09:08 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 michalsol

  • Topic Starter

  • Members
  • 8 posts

Posted 17 June 2012 - 03:15 PM

TDSS:

21:42:30.0390 3656 TDSS rootkit removing tool 2.7.40.0 Jun 15 2012 15:13:31
21:42:31.0000 3656 ============================================================
21:42:31.0000 3656 Current date / time: 2012/06/17 21:42:31.0000
21:42:31.0000 3656 SystemInfo:
21:42:31.0000 3656
21:42:31.0000 3656 OS Version: 5.1.2600 ServicePack: 3.0
21:42:31.0000 3656 Product type: Workstation
21:42:31.0000 3656 ComputerName: MICHAL-0CA1A2A5
21:42:31.0000 3656 UserName: Michal
21:42:31.0000 3656 Windows directory: C:\WINDOWS
21:42:31.0000 3656 System windows directory: C:\WINDOWS
21:42:31.0000 3656 Processor architecture: Intel x86
21:42:31.0000 3656 Number of processors: 1
21:42:31.0000 3656 Page size: 0x1000
21:42:31.0000 3656 Boot type: Normal boot
21:42:31.0000 3656 ============================================================
21:42:33.0484 3656 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1E48, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
21:42:33.0484 3656 ============================================================
21:42:33.0484 3656 \Device\Harddisk0\DR0:
21:42:33.0484 3656 MBR partitions:
21:42:33.0484 3656 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x24B9FF1
21:42:33.0500 3656 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x24BA06F, BlocksNum 0x3CEFDE1
21:42:33.0515 3656 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x61A9E8F, BlocksNum 0xE1A2E1
21:42:33.0515 3656 ============================================================
21:42:33.0546 3656 C: <-> \Device\Harddisk0\DR0\Partition0
21:42:33.0593 3656 D: <-> \Device\Harddisk0\DR0\Partition1
21:42:33.0640 3656 E: <-> \Device\Harddisk0\DR0\Partition2
21:42:33.0640 3656 ============================================================
21:42:33.0640 3656 Initialize success
21:42:33.0640 3656 ============================================================
21:42:57.0296 3968 ============================================================
21:42:57.0296 3968 Scan started
21:42:57.0296 3968 Mode: Manual;
21:42:57.0296 3968 ============================================================
21:43:01.0593 3968 dmserver - ok
21:43:01.0625 3968 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:43:01.0625 3968 DMusic - ok
21:43:01.0671 3968 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
21:43:01.0671 3968 Dnscache - ok
21:43:01.0718 3968 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
21:43:01.0734 3968 Dot3svc - ok
21:43:01.0750 3968 dpti2o - ok
21:43:01.0796 3968 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:43:01.0796 3968 drmkaud - ok
21:43:01.0859 3968 eabfiltr (81b7808d3b5892388f33273119c2dc31) C:\WINDOWS\system32\drivers\EABFiltr.sys
21:43:01.0875 3968 eabfiltr - ok
21:43:01.0890 3968 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys
21:43:01.0906 3968 eabusb - ok
21:43:01.0921 3968 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
21:43:01.0937 3968 EapHost - ok
21:43:01.0968 3968 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
21:43:01.0984 3968 ERSvc - ok
21:43:02.0031 3968 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
21:43:02.0046 3968 Eventlog - ok
21:43:02.0093 3968 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
21:43:02.0093 3968 EventSystem - ok
21:43:02.0125 3968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:43:02.0140 3968 Fastfat - ok
21:43:02.0203 3968 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:43:02.0218 3968 FastUserSwitchingCompatibility - ok
21:43:02.0250 3968 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:43:02.0265 3968 Fdc - ok
21:43:02.0312 3968 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:43:02.0328 3968 Fips - ok
21:43:02.0343 3968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:43:02.0343 3968 Flpydisk - ok
21:43:02.0375 3968 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:43:02.0390 3968 FltMgr - ok
21:43:02.0546 3968 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:43:02.0546 3968 FontCache3.0.0.0 - ok
21:43:02.0609 3968 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:43:02.0609 3968 Fs_Rec - ok
21:43:02.0625 3968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:43:02.0640 3968 Ftdisk - ok
21:43:02.0687 3968 ggflt (007aea2e06e7cef7372e40c277163959) C:\WINDOWS\system32\DRIVERS\ggflt.sys
21:43:02.0687 3968 ggflt - ok
21:43:02.0718 3968 ggsemc (c73de35960ca75c5ab4ae636b127c64e) C:\WINDOWS\system32\DRIVERS\ggsemc.sys
21:43:02.0734 3968 ggsemc - ok
21:43:02.0765 3968 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:43:02.0781 3968 Gpc - ok
21:43:02.0828 3968 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:43:02.0843 3968 helpsvc - ok
21:43:02.0890 3968 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
21:43:02.0890 3968 HidServ - ok
21:43:02.0937 3968 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:43:02.0953 3968 hidusb - ok
21:43:03.0000 3968 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
21:43:03.0015 3968 hkmsvc - ok
21:43:03.0031 3968 hpn - ok
21:43:03.0093 3968 hpqwmi (8ee02114f0f628d4e71d1a42c28f9061) C:\Program Files\HPQ\Shared\hpqwmi.exe
21:43:03.0109 3968 hpqwmi - ok
21:43:03.0171 3968 HSFHWATI (110d8515670f8ebfc831bd02b7a8fc74) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
21:43:03.0218 3968 HSFHWATI - ok
21:43:03.0296 3968 HSF_DP (6fbefacc2a0379bf3b395b0ca0cadb17) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
21:43:03.0375 3968 HSF_DP - ok
21:43:03.0468 3968 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:43:03.0484 3968 HTTP - ok
21:43:03.0500 3968 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
21:43:03.0515 3968 HTTPFilter - ok
21:43:03.0531 3968 i2omgmt - ok
21:43:03.0546 3968 i2omp - ok
21:43:03.0578 3968 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:43:03.0593 3968 i8042prt - ok
21:43:03.0796 3968 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:43:03.0906 3968 idsvc - ok
21:43:03.0921 3968 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:43:03.0937 3968 Imapi - ok
21:43:03.0984 3968 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
21:43:04.0015 3968 ImapiService - ok
21:43:04.0031 3968 ini910u - ok
21:43:04.0046 3968 IntelIde - ok
21:43:04.0078 3968 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:43:04.0093 3968 Ip6Fw - ok
21:43:04.0140 3968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:43:04.0140 3968 IpFilterDriver - ok
21:43:04.0171 3968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:43:04.0171 3968 IpInIp - ok
21:43:04.0218 3968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:43:04.0234 3968 IpNat - ok
21:43:04.0265 3968 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:43:04.0281 3968 IPSec - ok
21:43:04.0312 3968 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:43:04.0312 3968 IRENUM - ok
21:43:04.0359 3968 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:43:04.0359 3968 isapnp - ok
21:43:04.0500 3968 JavaQuickStarterService (a1509ba3a5fdc5366146e92b3d130eb5) C:\Program Files\Java\jre7\bin\jqs.exe
21:43:04.0515 3968 JavaQuickStarterService - ok
21:43:04.0546 3968 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:43:04.0546 3968 Kbdclass - ok
21:43:04.0593 3968 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:43:04.0593 3968 kbdhid - ok
21:43:04.0625 3968 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:43:04.0656 3968 kmixer - ok
21:43:04.0703 3968 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:43:04.0703 3968 KSecDD - ok
21:43:04.0765 3968 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
21:43:04.0765 3968 lanmanserver - ok
21:43:04.0828 3968 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
21:43:04.0828 3968 lanmanworkstation - ok
21:43:04.0843 3968 lbrtfdc - ok
21:43:04.0890 3968 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
21:43:04.0906 3968 LmHosts - ok
21:43:04.0968 3968 MDM (7cf1b716372b89568ae4c0fe769f5869) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
21:43:05.0000 3968 MDM - ok
21:43:05.0046 3968 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:43:05.0062 3968 mdmxsdk - ok
21:43:05.0109 3968 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
21:43:05.0109 3968 Messenger - ok
21:43:05.0156 3968 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:43:05.0171 3968 mnmdd - ok
21:43:05.0203 3968 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
21:43:05.0218 3968 mnmsrvc - ok
21:43:05.0250 3968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:43:05.0265 3968 Modem - ok
21:43:05.0281 3968 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:43:05.0281 3968 Mouclass - ok
21:43:05.0343 3968 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:43:05.0343 3968 mouhid - ok
21:43:05.0359 3968 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:43:05.0375 3968 MountMgr - ok
21:43:05.0421 3968 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
21:43:05.0437 3968 MozillaMaintenance - ok
21:43:05.0453 3968 mraid35x - ok
21:43:05.0484 3968 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:43:05.0531 3968 MRxDAV - ok
21:43:05.0609 3968 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:43:05.0625 3968 MRxSmb - ok
21:43:05.0640 3968 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
21:43:05.0640 3968 MSDTC - ok
21:43:05.0671 3968 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:43:05.0671 3968 Msfs - ok
21:43:05.0687 3968 MSIServer - ok
21:43:05.0718 3968 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:43:05.0718 3968 MSKSSRV - ok
21:43:05.0765 3968 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:43:05.0765 3968 MSPCLOCK - ok
21:43:05.0781 3968 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:43:05.0781 3968 MSPQM - ok
21:43:05.0812 3968 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:43:05.0812 3968 mssmbios - ok
21:43:05.0859 3968 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:43:05.0859 3968 Mup - ok
21:43:05.0921 3968 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
21:43:05.0968 3968 napagent - ok
21:43:06.0015 3968 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:43:06.0031 3968 NDIS - ok
21:43:06.0093 3968 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:43:06.0093 3968 NdisTapi - ok
21:43:06.0109 3968 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:43:06.0109 3968 Ndisuio - ok
21:43:06.0140 3968 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:43:06.0156 3968 NdisWan - ok
21:43:06.0203 3968 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:43:06.0203 3968 NDProxy - ok
21:43:06.0218 3968 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:43:06.0218 3968 NetBIOS - ok
21:43:06.0250 3968 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:43:06.0296 3968 NetBT - ok
21:43:06.0343 3968 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:43:06.0359 3968 NetDDE - ok
21:43:06.0375 3968 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:43:06.0375 3968 NetDDEdsdm - ok
21:43:06.0406 3968 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:43:06.0406 3968 Netlogon - ok
21:43:06.0468 3968 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
21:43:06.0500 3968 Netman - ok
21:43:06.0640 3968 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:43:06.0656 3968 NetTcpPortSharing - ok
21:43:06.0687 3968 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:43:06.0703 3968 NIC1394 - ok
21:43:06.0765 3968 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
21:43:06.0765 3968 Nla - ok
21:43:06.0812 3968 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:43:06.0828 3968 Npfs - ok
21:43:06.0875 3968 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:43:06.0937 3968 Ntfs - ok
21:43:06.0937 3968 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:43:06.0937 3968 NtLmSsp - ok
21:43:06.0984 3968 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
21:43:07.0031 3968 NtmsSvc - ok
21:43:07.0062 3968 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:43:07.0062 3968 Null - ok
21:43:07.0125 3968 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:43:07.0140 3968 NwlnkFlt - ok
21:43:07.0187 3968 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:43:07.0187 3968 NwlnkFwd - ok
21:43:07.0328 3968 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
21:43:07.0375 3968 odserv - ok
21:43:07.0421 3968 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:43:07.0421 3968 ohci1394 - ok
21:43:07.0468 3968 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:43:07.0484 3968 ose - ok
21:43:07.0515 3968 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:43:07.0531 3968 Parport - ok
21:43:07.0562 3968 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:43:07.0562 3968 PartMgr - ok
21:43:07.0609 3968 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:43:07.0609 3968 ParVdm - ok
21:43:07.0625 3968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:43:07.0640 3968 PCI - ok
21:43:07.0656 3968 PCIDump - ok
21:43:07.0703 3968 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:43:07.0703 3968 PCIIde - ok
21:43:07.0734 3968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:43:07.0765 3968 Pcmcia - ok
21:43:07.0781 3968 PDCOMP - ok
21:43:07.0796 3968 PDFRAME - ok
21:43:07.0796 3968 PDRELI - ok
21:43:07.0828 3968 PDRFRAME - ok
21:43:07.0828 3968 perc2 - ok
21:43:07.0843 3968 perc2hib - ok
21:43:07.0921 3968 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
21:43:07.0921 3968 PlugPlay - ok
21:43:07.0968 3968 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:43:07.0968 3968 PolicyAgent - ok
21:43:08.0000 3968 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:43:08.0000 3968 PptpMiniport - ok
21:43:08.0015 3968 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:43:08.0031 3968 Processor - ok
21:43:08.0046 3968 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:43:08.0046 3968 ProtectedStorage - ok
21:43:08.0078 3968 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:43:08.0093 3968 PSched - ok
21:43:08.0125 3968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:43:08.0140 3968 Ptilink - ok
21:43:08.0203 3968 PuranDefrag (d9495810ec4efd4ca906c1ccd494b895) C:\WINDOWS\system32\PuranDefragS.exe
21:43:08.0234 3968 PuranDefrag - ok
21:43:08.0250 3968 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:43:08.0265 3968 PxHelp20 - ok
21:43:08.0281 3968 ql1080 - ok
21:43:08.0296 3968 Ql10wnt - ok
21:43:08.0312 3968 ql12160 - ok
21:43:08.0328 3968 ql1240 - ok
21:43:08.0343 3968 ql1280 - ok
21:43:08.0359 3968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:43:08.0375 3968 RasAcd - ok
21:43:08.0406 3968 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
21:43:08.0421 3968 RasAuto - ok
21:43:08.0453 3968 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:43:08.0453 3968 Rasl2tp - ok
21:43:08.0500 3968 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
21:43:08.0546 3968 RasMan - ok
21:43:08.0562 3968 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:43:08.0562 3968 RasPppoe - ok
21:43:08.0578 3968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:43:08.0593 3968 Raspti - ok
21:43:08.0625 3968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:43:08.0656 3968 Rdbss - ok
21:43:08.0687 3968 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:43:08.0687 3968 RDPCDD - ok
21:43:08.0750 3968 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
21:43:08.0750 3968 RDPWD - ok
21:43:08.0812 3968 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
21:43:08.0843 3968 RDSessMgr - ok
21:43:08.0875 3968 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:43:08.0875 3968 redbook - ok
21:43:08.0906 3968 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
21:43:08.0921 3968 RemoteAccess - ok
21:43:08.0937 3968 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
21:43:08.0953 3968 RpcLocator - ok
21:43:09.0000 3968 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
21:43:09.0015 3968 RpcSs - ok
21:43:09.0046 3968 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
21:43:09.0078 3968 RSVP - ok
21:43:09.0109 3968 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:43:09.0109 3968 SamSs - ok
21:43:09.0140 3968 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
21:43:09.0156 3968 SCardSvr - ok
21:43:09.0203 3968 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
21:43:09.0250 3968 Schedule - ok
21:43:09.0281 3968 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
21:43:09.0296 3968 sdbus - ok
21:43:09.0328 3968 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:43:09.0343 3968 Secdrv - ok
21:43:09.0375 3968 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
21:43:09.0375 3968 seclogon - ok
21:43:09.0421 3968 seehcri (e5b56569a9f79b70314fede6c953641e) C:\WINDOWS\system32\DRIVERS\seehcri.sys
21:43:09.0437 3968 seehcri - ok
21:43:09.0468 3968 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
21:43:09.0468 3968 SENS - ok
21:43:09.0484 3968 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:43:09.0500 3968 Serial - ok
21:43:09.0531 3968 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:43:09.0546 3968 Sfloppy - ok
21:43:09.0578 3968 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
21:43:09.0593 3968 SharedAccess - ok
21:43:09.0625 3968 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:43:09.0640 3968 ShellHWDetection - ok
21:43:09.0640 3968 Simbad - ok
21:43:09.0750 3968 Sony PC Companion (5177d14a78e60fd61dcfc6b388e7e971) C:\Program Files\Sony\Sony PC Companion\PCCService.exe
21:43:09.0812 3968 Sony PC Companion - ok
21:43:09.0828 3968 Sparrow - ok
21:43:09.0875 3968 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:43:09.0875 3968 splitter - ok
21:43:09.0921 3968 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
21:43:09.0921 3968 Spooler - ok
21:43:09.0937 3968 sptd - ok
21:43:09.0968 3968 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:43:09.0968 3968 sr - ok
21:43:10.0015 3968 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
21:43:10.0062 3968 srservice - ok
21:43:10.0140 3968 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:43:10.0156 3968 Srv - ok
21:43:10.0203 3968 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
21:43:10.0218 3968 SSDPSRV - ok
21:43:10.0265 3968 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
21:43:10.0281 3968 ssmdrv - ok
21:43:10.0328 3968 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
21:43:10.0359 3968 stisvc - ok
21:43:10.0375 3968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:43:10.0390 3968 swenum - ok
21:43:10.0421 3968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:43:10.0421 3968 swmidi - ok
21:43:10.0437 3968 SwPrv - ok
21:43:10.0453 3968 symc810 - ok
21:43:10.0453 3968 symc8xx - ok
21:43:10.0468 3968 sym_hi - ok
21:43:10.0484 3968 sym_u3 - ok
21:43:10.0546 3968 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
21:43:10.0578 3968 SynTP - ok
21:43:10.0609 3968 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:43:10.0625 3968 sysaudio - ok
21:43:10.0640 3968 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
21:43:10.0671 3968 SysmonLog - ok
21:43:10.0703 3968 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
21:43:10.0750 3968 TapiSrv - ok
21:43:10.0828 3968 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:43:10.0843 3968 Tcpip - ok
21:43:10.0890 3968 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:43:10.0890 3968 TDPIPE - ok
21:43:10.0921 3968 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:43:10.0921 3968 TDTCP - ok
21:43:10.0953 3968 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:43:10.0968 3968 TermDD - ok
21:43:11.0015 3968 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
21:43:11.0046 3968 TermService - ok
21:43:11.0093 3968 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:43:11.0109 3968 Themes - ok
21:43:11.0171 3968 tifm21 (2448935e1cf84b0341a24a17908c7311) C:\WINDOWS\system32\drivers\tifm21.sys
21:43:11.0203 3968 tifm21 - ok
21:43:11.0234 3968 TosIde - ok
21:43:11.0250 3968 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
21:43:11.0265 3968 TrkWks - ok
21:43:11.0312 3968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:43:11.0328 3968 Udfs - ok
21:43:11.0343 3968 ultra - ok
21:43:11.0390 3968 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:43:11.0437 3968 Update - ok
21:43:11.0500 3968 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
21:43:11.0531 3968 upnphost - ok
21:43:11.0562 3968 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
21:43:11.0578 3968 UPS - ok
21:43:11.0609 3968 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:43:11.0625 3968 usbccgp - ok
21:43:11.0640 3968 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:43:11.0656 3968 usbehci - ok
21:43:11.0703 3968 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:43:11.0703 3968 usbhub - ok
21:43:11.0750 3968 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:43:11.0765 3968 usbohci - ok
21:43:11.0812 3968 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:43:11.0828 3968 usbprint - ok
21:43:11.0859 3968 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:43:11.0859 3968 USBSTOR - ok
21:43:11.0890 3968 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:43:11.0890 3968 VgaSave - ok
21:43:11.0906 3968 ViaIde - ok
21:43:11.0937 3968 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:43:11.0937 3968 VolSnap - ok
21:43:11.0984 3968 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
21:43:12.0015 3968 VSS - ok
21:43:12.0046 3968 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
21:43:12.0078 3968 W32Time - ok
21:43:12.0125 3968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:43:12.0125 3968 Wanarp - ok
21:43:12.0203 3968 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
21:43:12.0265 3968 Wdf01000 - ok
21:43:12.0281 3968 WDICA - ok
21:43:12.0312 3968 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:43:12.0328 3968 wdmaud - ok
21:43:12.0390 3968 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
21:43:12.0406 3968 WebClient - ok
21:43:12.0484 3968 winachsf (e61219e012e41f52755c04734eb49784) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
21:43:12.0546 3968 winachsf - ok
21:43:12.0640 3968 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
21:43:12.0656 3968 winmgmt - ok
21:43:12.0718 3968 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
21:43:12.0718 3968 WmdmPmSN - ok
21:43:12.0734 3968 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:43:12.0750 3968 WmiAcpi - ok
21:43:12.0796 3968 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:43:12.0812 3968 WmiApSrv - ok
21:43:12.0953 3968 WMPNetworkSvc (cdfa647aa82fdba6c9c7a06155afcb40) C:\Program Files\Windows Media Player\WMPNetwk.exe
21:43:13.0046 3968 WMPNetworkSvc - ok
21:43:13.0062 3968 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:43:13.0078 3968 WpdUsb - ok
21:43:13.0109 3968 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:43:13.0109 3968 WS2IFSL - ok
21:43:13.0156 3968 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
21:43:13.0187 3968 wscsvc - ok
21:43:13.0203 3968 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
21:43:13.0203 3968 wuauserv - ok
21:43:13.0265 3968 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:43:13.0265 3968 WudfPf - ok
21:43:13.0296 3968 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:43:13.0312 3968 WudfRd - ok
21:43:13.0343 3968 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
21:43:13.0359 3968 WudfSvc - ok
21:43:13.0421 3968 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
21:43:13.0468 3968 WZCSVC - ok
21:43:13.0515 3968 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
21:43:13.0562 3968 xmlprov - ok
21:43:13.0609 3968 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:43:14.0093 3968 \Device\Harddisk0\DR0 - ok
21:43:14.0109 3968 Boot (0x1200) (da6659c96db0da7cbe2ac524a353cb39) \Device\Harddisk0\DR0\Partition0
21:43:14.0109 3968 \Device\Harddisk0\DR0\Partition0 - ok
21:43:14.0140 3968 Boot (0x1200) (b871250a009bf6604c359abd1b41ddec) \Device\Harddisk0\DR0\Partition1
21:43:14.0140 3968 \Device\Harddisk0\DR0\Partition1 - ok
21:43:14.0156 3968 Boot (0x1200) (2706228e1e79a881a15861bdfc921ea8) \Device\Harddisk0\DR0\Partition2
21:43:14.0171 3968 \Device\Harddisk0\DR0\Partition2 - ok
21:43:14.0171 3968 ============================================================
21:43:14.0171 3968 Scan finished
21:43:14.0171 3968 ============================================================
21:43:14.0187 4008 Detected object count: 0
21:43:14.0187 4008 Actual detected object count: 0

aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-17 21:46:38
-----------------------------
21:46:38.703 OS Version: Windows 5.1.2600 Service Pack 3
21:46:38.703 Number of processors: 1 586 0x2402
21:46:38.703 ComputerName: MICHAL-0CA1A2A5 UserName: Michal
21:46:39.703 Initialize success
21:59:11.281 AVAST engine defs: 12061700
22:00:17.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:00:17.906 Disk 0 Vendor: FUJITSU_MHT2060AH_PL 006C Size: 57231MB BusType: 3
22:00:17.937 Disk 0 MBR read successfully
22:00:17.937 Disk 0 MBR scan
22:00:18.015 Disk 0 Windows XP default MBR code
22:00:18.015 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 18803 MB offset 63
22:00:18.093 Disk 0 Partition - 00 0F Extended LBA 38420 MB offset 38510640
22:00:18.109 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 31199 MB offset 38510703
22:00:18.125 Disk 0 Partition - 00 05 Extended 7220 MB offset 102407760
22:00:18.203 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 7220 MB offset 102407823
22:00:18.328 Disk 0 scanning sectors +117195120
22:00:18.656 Disk 0 scanning C:\WINDOWS\system32\drivers
22:00:36.093 Service scanning
22:00:53.046 Modules scanning
22:00:58.687 Disk 0 trace - called modules:
22:00:58.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:00:58.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f76ab8]
22:00:58.703 3 CLASSPNP.SYS[f74ecfd7] -> nt!IofCallDriver -> \Device\00000083[0x85f7a9e8]
22:00:58.703 5 ACPI.sys[f7363620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x85e92d98]
22:00:58.921 AVAST engine scan C:\WINDOWS
22:01:05.546 AVAST engine scan C:\WINDOWS\system32
22:05:38.453 AVAST engine scan C:\WINDOWS\system32\drivers
22:05:54.984 AVAST engine scan C:\Documents and Settings\Michal
22:09:42.609 AVAST engine scan C:\Documents and Settings\All Users
22:10:33.718 Scan finished successfully
22:12:43.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michal\Desktop\MBR.dat"
22:12:43.218 The log file has been saved successfully to "C:\Documents and Settings\Michal\Desktop\aswMBR.txt"

Thank you :)

Edited by michalsol, 17 June 2012 - 03:15 PM.


#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2012 - 05:26 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 michalsol

  • Topic Starter
  • Members
  • 8 posts

Posted 18 June 2012 - 11:47 AM

This is log from Combofix:

ComboFix 12-06-16.02 - Michal 2012-06-18 18:15:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1033.18.991.637 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Michal\Desktop\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Michal\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-05-18 do 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-13 20:41 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 16:03 . 2012-06-11 18:29 -------- d-----w- c:\documents and settings\Michal\DoctorWeb
2012-06-02 11:14 . 2012-06-02 11:14 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 21:42 . 2012-04-11 18:49 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 21:42 . 2011-06-19 17:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-11 14:42 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-09 12:05 . 2012-02-19 20:21 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-09 12:05 . 2012-02-19 20:21 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-02-07 12:49 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 13:56 . 2011-06-23 12:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 18:51 . 2011-03-23 20:42 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-17_11.18.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-18 16:09 . 2012-06-18 16:09 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat
+ 2004-08-04 12:00 . 2012-06-18 16:13 72292 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-06-15 19:59 72292 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2012-06-18 16:13 442548 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-06-15 19:59 442548 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-09 348624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Michal^Start Menu^Programs^Startup^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=c:\documents and settings\Michal\Start Menu\Programs\Startup\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=c:\windows\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-03-23 11:06 888832 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"hpWirelessAssistant"=c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-02-19 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-02-19 86224]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-02-07 200576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-03-13 27632]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 257696]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-03-13 13224]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-13 129976]
S3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [2012-04-06 155320]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-06-25 229376]
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 21:42]
.
2012-06-18 c:\windows\Tasks\User_Feed_Synchronization-{7BD0834F-2178-4E44-8678-2FED79201BDE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.hp.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.100
FF - ProfilePath - c:\documents and settings\Michal\Application Data\Mozilla\Firefox\Profiles\rau1e6rq.default\
FF - prefs.js: browser.search.selectedEngine - Wyszukiwanie filmĂłw wideo w YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.pajacyk.pl
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=pl&q=
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-18 18:21
Windows 5.1.2600 Service Pack 3 NTFS
.
skanowanie ukrytych procesów ...
.
skanowanie ukrytych wpisów autostartu ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?1?7?7??????? ???B?????????????hLC? ??????
.
skanowanie ukrytych plików ...
.
skanowanie pomyślnie ukończone
ukryte pliki: 0
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Czas ukończenia: 2012-06-18 18:23:02
ComboFix-quarantined-files.txt 2012-06-18 16:22
ComboFix2.txt 2012-06-17 11:20
.
Przed: 1 329 725 440 bytes free
Po: 1 446 694 912 bytes free
.
- - End Of File - - 0801AC11A90FDFCFB4C1230CB5F1903F


I have no more notifications about lack of AV software, but I still have those problems with films.
I think that computer is a bit faster, but I'm not sure.

Thank you!

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 18 June 2012 - 03:35 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

µTorrent
Java™ 7
Java™ SE Development Kit 7
Quicksys RegDefrag 2.9


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 michalsol

  • Topic Starter
  • Members
  • 8 posts

Posted 19 June 2012 - 03:32 PM

I've done everything you said.
During the MBAM scan nothing suspicious was found; here is the log (in Polish, I can translate it if necessary):

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Wersja bazy: v2012.06.19.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Michal :: MICHAL-0CA1A2A5 [administrator]

2012-06-19 22:17:58
mbam-log-2012-06-19 (22-17-58).txt

Typ skanowania: Szybkie skanowanie
Zaznaczone opcje skanowania: Pamięć | Rozruch | Rejestr | System plików | Heurystyka/Dodatkowe | Heuristyka/Shuriken | PUP | PUM
Odznaczone opcje skanowania: P2P
Przeskanowano obiektów: 208185
Upłynęło: 7 minut(y), 13 sekund(y)

Wykrytych procesów w pamięci: 0
(Nie znaleziono zagrożeń)

Wykrytych modułów w pamięci: 0
(Nie znaleziono zagrożeń)

Wykrytych kluczy rejestru: 0
(Nie znaleziono zagrożeń)

Wykrytych wartości rejestru: 0
(Nie znaleziono zagrożeń)

Wykryte wpisy rejestru systemowego: 0
(Nie znaleziono zagrożeń)

wykrytych folderów: 0
(Nie znaleziono zagrożeń)

Wykrytych plików: 0
(Nie znaleziono zagrożeń)

(zakończone)

Here is HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:29:18, on 2012-06-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_235_Plugin.exe -update plugin
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236024405265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Sony PC Companion - Avanquest Software - C:\Program Files\Sony\Sony PC Companion\PCCService.exe

--
End of file - 6167 bytes


I think computer works almost fine, but problem with films is still present.
Thank you ;)

Edited by michalsol, 19 June 2012 - 03:32 PM.


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 19 June 2012 - 04:21 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; for any of these programs you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_235_Plugin.exe -update plugin
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, for example
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
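As an added example (not HijackThis code and not part of this thread), here is how the O4 fix list above can be checked against a HijackThis log programmatically rather than by eye. It parses O2, O4 and O23 lines into records, selects the O4 entries whose bracketed names are on the list, and separately flags any autostart executable that runs from outside Program Files or the Windows directory, which is the first thing to look at when triaging such a log. The log text is constructed: most lines copy the user's log in post #9, while the "updchk" entry under a user profile is made up to show what the location check flags; the trusted-root list and the function names are my own choices.

```python
"""Parse HijackThis O2/O4/O23 lines into records, pull out the O4 autostart
entries named in a fix list, and flag executables that run from outside the
usual program directories. Added example, not HijackThis code and not from
the thread. SAMPLE_LOG is constructed: most lines mirror the posted log, the
'updchk' entry under a user profile is made up to show what gets flagged."""
import re

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\User\Application Data\updchk\updchk.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Sony PC Companion - Avanquest Software - C:\Program Files\Sony\Sony PC Companion\PCCService.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")
# First drive-letter path ending in an executable extension, surrounding quotes optional.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl))', re.IGNORECASE)
# Assumed trusted roots for a single-drive XP install; adjust for other layouts.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def _exe_of(command: str):
    """Extract the executable path from an O4 command line (arguments dropped)."""
    m = EXE_RE.search(command)
    return m.group(1) if m else None


def parse_hjt(text: str) -> list:
    """Turn each recognised log line into a dict; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append({"section": "O4", "name": m["name"], "hive": m["hive"],
                            "key": m["key"], "command": m["command"],
                            "exe": _exe_of(m["command"]), "raw": line})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "name": m["name"], "display": m["display"],
                            "vendor": m["vendor"], "exe": m["path"], "raw": line})
        elif m := O2_RE.match(line):
            entries.append({"section": "O2", "name": m["name"], "clsid": m["clsid"],
                            "exe": m["path"], "raw": line})
    return entries


def fix_list_matches(entries: list, names: list) -> list:
    """O4 entries whose bracketed name is on the helper's fix list (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e["section"] == "O4" and e["name"].lower() in wanted]


def unusual_locations(entries: list) -> list:
    """Entries whose executable is outside the trusted roots or inside a Temp folder.
    A triage heuristic only: legitimate software sometimes lives in the profile too."""
    flagged = []
    for e in entries:
        exe = (e.get("exe") or "").lower()
        if not exe:
            continue
        if not exe.startswith(TRUSTED_ROOTS) or "\\temp\\" in exe:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("%d entries parsed" % len(parsed))
    for e in fix_list_matches(parsed, ["ATIPTA", "Cpqset", "IntelliPoint"]):
        print("on fix list:", e["raw"])
    for e in unusual_locations(parsed):
        print("unusual location:", e["raw"])
```

The location heuristic only narrows the list; Gringo's advice not to let HijackThis fix entries blindly still applies, since plenty of legitimate updaters also live under Application Data.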

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 22 June 2012 - 01:26 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#12 michalsol

  • Topic Starter
  • Members
  • 8 posts

Posted 22 June 2012 - 04:12 PM

I'm sorry for not responding. I had some problems - I just couldn't.

I did what you said with HiJackThis.

And this is my log from ESET:

C:\Documents and Settings\Michal\DoctorWeb\Quarantine\5af9369f-11c07d80 Java/Exploit.CVE-2012-0507.AZ trojan
D:\instalki\DTLite4452-0287.exe Win32/OpenCandy application
D:\instalki\mailpv.zip a variant of Win32/PSWTool.MailPassView.E application

D:\instalki\DTLite4452-0287.exe is just the installation file of Daemon Tools.
D:\instalki\mailpv.zip is a program which helped when my colleague forgot his password ;)

Thank you!

Edited by michalsol, 22 June 2012 - 04:13 PM.


#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 22 June 2012 - 07:31 PM

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time, they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.
:Uninstall ComboFix:

Delete the combofix you have now on the computer (has a bug)

download new combofix here - http://download.bleepingcomputer.com/sUBs/ComboFix.exe



  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 michalsol

michalsol
  • Topic Starter

  • Members
  • 8 posts

Posted 24 June 2012 - 01:37 PM

I did everything you said.
Computer works fine.
I would like to say big thank you for your support!!

You can expect a donation by the end of this month.

BTW - I have two questions:
1. What was exactly wrong with my computer?
2. How bad is my English? :)

Thank you!

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 June 2012 - 08:29 PM

Greetings


you are more than welcome and your English was perfect!!

There was not enough in the reports to pinpoint what was the virus


Gringo



