
Generic28.AUQH


This topic is locked. 13 replies to this topic.

#1 titletech

titletech

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 19 June 2012 - 05:12 PM

Hello -

A few days ago my computer started redirecting me to different websites. I went to run a scan and discovered AVG was completely gone. I reinstalled it and it constantly comes up with a Multiple Threat Detection: C:\windows\assemply\GAC\desktop.ini - Trojan horse Generic28.AUGH. Cannot heal, move to Virus Vault or delete. I have also run MS Safety Scanner and it found and removed Sireef.AB, AG, AK and AM, but not this trojan. Ran SuperAntiSpyware and it found other things (a lot of tracking cookies) but not this trojan. AVG suggests uninstalling and reinstalling IE8 first. I am concerned that the problem is more severe than just doing that to fix it. Is going back to a system restore point before this happened too simple a solution?

Also, on startup, getting a MS Visual C++ Runtime Library error: "Program: C\Documents and Settings\user1\ApplicationData\Leadert... (then it trails off and I can't see the rest of the line.) This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."

I'm curious as to why, when I Google this trojan, only posts from AVG come up. Nothing from this site or any other reputable antivirus site. I suspect I got it from fb in a post that said you can see who and how many times someone has looked at your profile. Did not download or sign up for anything though.

Sorry if this is not enough info, first time asking for help. I usually can fix this stuff on my own. This one has got me stumped.

Thanks for any help.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:24 PM

Posted 21 June 2012 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

#3 titletech

titletech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 21 June 2012 - 09:36 AM

Thank you nasdaq. I will do this on Saturday or Sunday as I am away from the computer until then.

#4 titletech

titletech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 24 June 2012 - 10:54 AM

Hello nasdaq - Here is the log from DDS. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by user1 at 11:47:36 on 2012-06-24
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/CNN/Programs/morning.express/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.7\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.7\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\user1\application data\leadertech\powerregister\Seagate 2GE6L9CA Product Registration.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{469A6A75-41AB-4BD1-8594-295BBDA2525C} : DhcpNameServer = 10.0.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.1.0\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-17 20:59:23 -------- d-----w- c:\documents and settings\user1\application data\SUPERAntiSpyware.com
2012-06-17 20:58:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-17 20:58:50 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-06-17 19:03:08 -------- d-----w- c:\windows\system32\MpEngineStore
2012-06-17 15:41:42 -------- d-----w- C:\desktop copy
2012-06-17 04:15:20 -------- d-----w- c:\documents and settings\user1\application data\AVG2012
2012-06-17 04:11:54 -------- d-----w- c:\documents and settings\user1\local settings\application data\AVG Secure Search
2012-06-17 04:11:35 -------- d-----w- c:\documents and settings\user1\application data\AVG Secure Search
2012-06-17 04:11:32 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-06-17 04:11:25 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-06-17 04:11:22 -------- d-----w- c:\program files\AVG Secure Search
2012-06-17 04:09:17 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-17 04:09:17 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-06-13 21:40:35 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 21:54:41 -------- d-----w- c:\windows\system32\XPSViewer
2012-06-11 21:54:01 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-06-11 21:53:45 117760 ------w- c:\windows\system32\prntvpt.dll
2012-06-11 21:53:44 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-06-11 21:53:44 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-06-11 21:53:44 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-06-11 21:53:44 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-06-11 21:53:44 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-06-11 21:53:44 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-06-11 21:53:44 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-06-11 21:53:44 -------- d-----w- C:\0de4b6a963201c31f77899202694
2012-06-09 22:06:39 -------- d-----w- c:\documents and settings\user1\local settings\application data\Deployment
.
==================== Find3M ====================
.
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
============= FINISH: 11:49:25.81 ===============
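The log above has empty "Running Processes" and "SERVICES / DRIVERS" sections, which is the detail the helper picks up on in the next reply. The following script is an added example, not code from the thread or from the DDS tool's authors: it parses the DDS section layout shown above, flags any expected section that came back with no entries, and extracts the "Created Last 30" rows into structured records so the recently created files and directories can be reviewed. The embedded sample log is constructed for the example and only imitates the format of the real one.

```python
# Added example: a small parser for the DDS log format posted above.
# It flags the condition the helper noticed (sections with no entries) and
# turns the "Created Last 30" rows into records. Not part of DDS itself.
import re
from collections import OrderedDict

# "============== Running Processes ===============" -> "Running Processes"
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" / "Find3M" rows: date time size attrs path
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
RUN_BY_RE = re.compile(r"^Run by (?P<user>\S+) at (?P<time>\S+) on (?P<date>\S+)$")

# Constructed sample modelled on the thread's log; the entries are made up.
SAMPLE_LOG = r"""
.
DDS (Ver_2011-08-26.01) - NTFSx86
Run by user1 at 11:47:36 on 2012-06-24
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.example.invalid/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-17 20:58:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-13 21:40:35 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
============= FINISH: 11:49:25.81 ===============
"""


def parse_sections(text):
    """Split a DDS log into an ordered mapping: section name -> entry lines.
    Lines before the first section header go under "header". DDS writes a
    lone "." as a spacer, so those (and blank lines) are dropped."""
    sections = OrderedDict(header=[])
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def empty_sections(sections, expected=("Running Processes", "SERVICES / DRIVERS")):
    """Names of expected sections that are present but hold no entries.
    On a working Windows XP install both are normally long lists; an empty one
    means the tool could not enumerate them, which is worth a closer look."""
    return [name for name in expected if name in sections and not sections[name]]


def parse_file_entries(lines):
    """Turn "Created Last 30" / "Find3M" rows into dicts. Directories carry
    a dashed size field and a leading "d" in the attribute column."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append({
            "date": m.group("date"), "time": m.group("time"), "size": size,
            "attrs": m.group("attrs"), "path": m.group("path"),
            "is_dir": m.group("attrs").startswith("d"),
        })
    return entries


def summarize(text):
    """One-shot summary of a DDS log: who ran it, which sections came back
    empty, how many Pseudo HJT entries there are, and the recent file rows."""
    sections = parse_sections(text)
    user = None
    for line in sections["header"]:
        m = RUN_BY_RE.match(line)
        if m:
            user = m.group("user")
    return {
        "run_by": user,
        "empty_sections": empty_sections(sections),
        "hjt_entries": len(sections.get("Pseudo HJT Report", [])),
        "created_last_30": parse_file_entries(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Run by:", s["run_by"])
    if s["empty_sections"]:
        print("WARNING: no entries in:", ", ".join(s["empty_sections"]))
    for e in s["created_last_30"]:
        print(e["date"], e["time"], "dir " if e["is_dir"] else "file", e["path"])
```

Run against a real DDS.txt the warning line is the first thing to look at; the parsed "Created Last 30" records can then be sorted or filtered by path, which is easier than reading the raw rows.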


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:24 PM

Posted 24 June 2012 - 12:57 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

No Processes or Services listed. Not a very good sign.

Please download TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#6 titletech

titletech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 24 June 2012 - 02:39 PM

TDSSKiller:
14:20:43.0671 3688 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
14:20:43.0953 3688 ============================================================
14:20:43.0953 3688 Current date / time: 2012/06/24 14:20:43.0953
14:20:43.0953 3688 SystemInfo:
14:20:43.0953 3688
14:20:43.0953 3688 OS Version: 5.1.2600 ServicePack: 3.0
14:20:43.0953 3688 Product type: Workstation
14:20:43.0953 3688 ComputerName: LAPTOP-4D170D92
14:20:43.0953 3688 UserName: user1
14:20:43.0953 3688 Windows directory: C:\WINDOWS
14:20:43.0953 3688 System windows directory: C:\WINDOWS
14:20:43.0953 3688 Processor architecture: Intel x86
14:20:43.0953 3688 Number of processors: 1
14:20:43.0953 3688 Page size: 0x1000
14:20:43.0953 3688 Boot type: Normal boot
14:20:43.0953 3688 ============================================================
14:20:50.0437 3688 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:20:50.0468 3688 Drive \Device\Harddisk1\DR3 - Size: 0x77828000 (1.87 Gb), SectorSize: 0x200, Cylinders: 0xF3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
14:20:50.0468 3688 ============================================================
14:20:50.0468 3688 \Device\Harddisk0\DR0:
14:20:50.0484 3688 MBR partitions:
14:20:50.0484 3688 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F608, BlocksNum 0x6FA08F6
14:20:50.0484 3688 \Device\Harddisk1\DR3:
14:20:50.0484 3688 MBR partitions:
14:20:50.0484 3688 \Device\Harddisk1\DR3\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3BC120
14:20:50.0484 3688 ============================================================
14:20:51.0343 3688 C: <-> \Device\Harddisk0\DR0\Partition0
14:20:51.0343 3688 ============================================================
14:20:51.0343 3688 Initialize success
14:20:51.0343 3688 ============================================================
14:20:57.0718 2828 ============================================================
14:20:57.0718 2828 Scan started
14:20:57.0718 2828 Mode: Manual;
14:20:57.0718 2828 ============================================================
14:20:58.0687 2828 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
14:20:58.0750 2828 !SASCORE - ok
14:21:00.0390 2828 Abiosdsk - ok
14:21:00.0390 2828 abp480n5 - ok
14:21:01.0343 2828 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:21:01.0359 2828 ACPI - ok
14:21:01.0421 2828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:21:01.0453 2828 ACPIEC - ok
14:21:01.0468 2828 adpu160m - ok
14:21:03.0281 2828 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:21:03.0328 2828 aec - ok
14:21:03.0718 2828 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:21:03.0734 2828 AFD - ok
14:21:03.0750 2828 Aha154x - ok
14:21:03.0765 2828 aic78u2 - ok
14:21:03.0765 2828 aic78xx - ok
14:21:03.0921 2828 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
14:21:03.0968 2828 Alerter - ok
14:21:04.0234 2828 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
14:21:04.0265 2828 ALG - ok
14:21:04.0281 2828 AliIde - ok
14:21:04.0296 2828 amsint - ok
14:21:04.0593 2828 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
14:21:04.0656 2828 ApfiltrService - ok
14:21:05.0328 2828 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
14:21:05.0406 2828 AppMgmt - ok
14:21:05.0421 2828 asc - ok
14:21:05.0437 2828 asc3350p - ok
14:21:05.0437 2828 asc3550 - ok
14:21:06.0031 2828 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
14:21:06.0078 2828 aspnet_state - ok
14:21:06.0187 2828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:21:06.0203 2828 AsyncMac - ok
14:21:06.0312 2828 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:21:06.0312 2828 atapi - ok
14:21:06.0328 2828 Atdisk - ok
14:21:07.0375 2828 Ati HotKey Poller (dfea480ee09bdeb7f51244900170e173) C:\WINDOWS\system32\Ati2evxx.exe
14:21:07.0406 2828 Ati HotKey Poller - ok
14:21:07.0515 2828 ati2mtag (2a6c99cfdc23c9c26d0e30b1c99748d4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:21:07.0609 2828 ati2mtag - ok
14:21:07.0656 2828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:21:07.0671 2828 Atmarpc - ok
14:21:07.0765 2828 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
14:21:07.0781 2828 AudioSrv - ok
14:21:07.0906 2828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:21:07.0937 2828 audstub - ok
14:21:15.0687 2828 AVGIDSAgent (ba60fd7a64b9759a14c0fba4a9ed4c7b) C:\Program Files\AVG\AVG2012\avgidsagent.exe
14:21:15.0921 2828 AVGIDSAgent - ok
14:21:16.0078 2828 AVGIDSDriver (1074f787080068c71303b61fae7e7ca4) C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys
14:21:16.0109 2828 AVGIDSDriver - ok
14:21:16.0140 2828 AVGIDSFilter (61a7e0b02f82cff3db2445bbe50b3589) C:\WINDOWS\system32\DRIVERS\avgidsfilterx.sys
14:21:16.0171 2828 AVGIDSFilter - ok
14:21:16.0203 2828 AVGIDSHX (d63d83659eedf60b3a3e620281a888e5) C:\WINDOWS\system32\DRIVERS\avgidshx.sys
14:21:16.0218 2828 AVGIDSHX - ok
14:21:16.0234 2828 AVGIDSShim (baf975b72062f53d327788e99d64197e) C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys
14:21:16.0265 2828 AVGIDSShim - ok
14:21:16.0343 2828 Avgldx86 (dda6a2a18841e4c9172bb85958b8d948) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
14:21:16.0406 2828 Avgldx86 - ok
14:21:16.0421 2828 Avgmfx86 (ccdd61545aaea265977e4b1efdc74e8c) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
14:21:16.0421 2828 Avgmfx86 - ok
14:21:16.0437 2828 Avgrkx86 (1fd90b28d2c3100bf4500199c8ad6358) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
14:21:16.0437 2828 Avgrkx86 - ok
14:21:16.0468 2828 Avgtdix (1263f2554ace925c237a40b4c568d815) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
14:21:16.0515 2828 Avgtdix - ok
14:21:16.0625 2828 avgwd (ea1145debcd508fd25bd1e95c4346929) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
14:21:16.0671 2828 avgwd - ok
14:21:16.0718 2828 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
14:21:16.0765 2828 b57w2k - ok
14:21:16.0796 2828 BAsfIpM (bdd5538b859dbeb3ecaf09b3d027553a) C:\WINDOWS\system32\basfipm.exe
14:21:16.0859 2828 BAsfIpM - ok
14:21:16.0906 2828 BASFND (3d87b0484be1093c6614062701f375c5) C:\WINDOWS\system32\Drivers\BASFND.sys
14:21:16.0921 2828 BASFND - ok
14:21:16.0968 2828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:21:17.0000 2828 Beep - ok
14:21:17.0078 2828 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
14:21:17.0187 2828 BITS - ok
14:21:17.0250 2828 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
14:21:17.0265 2828 Browser - ok
14:21:17.0312 2828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:21:17.0328 2828 cbidf2k - ok
14:21:17.0343 2828 cd20xrnt - ok
14:21:17.0375 2828 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:21:17.0390 2828 Cdaudio - ok
14:21:17.0437 2828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:21:17.0453 2828 Cdfs - ok
14:21:17.0484 2828 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:21:17.0515 2828 Cdrom - ok
14:21:17.0562 2828 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
14:21:17.0578 2828 cercsr6 - ok
14:21:17.0593 2828 Changer - ok
14:21:17.0625 2828 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
14:21:17.0640 2828 CiSvc - ok
14:21:17.0656 2828 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
14:21:17.0687 2828 ClipSrv - ok
14:21:17.0750 2828 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:21:17.0828 2828 clr_optimization_v2.0.50727_32 - ok
14:21:17.0859 2828 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:21:17.0890 2828 CmBatt - ok
14:21:17.0890 2828 CmdIde - ok
14:21:17.0906 2828 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:21:17.0906 2828 Compbatt - ok
14:21:17.0921 2828 COMSysApp - ok
14:21:17.0937 2828 Cpqarray - ok
14:21:17.0984 2828 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
14:21:17.0984 2828 CryptSvc - ok
14:21:18.0000 2828 dac2w2k - ok
14:21:18.0015 2828 dac960nt - ok
14:21:18.0078 2828 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
14:21:18.0109 2828 DcomLaunch - ok
14:21:18.0125 2828 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
14:21:18.0140 2828 Dhcp - ok
14:21:18.0140 2828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:21:18.0156 2828 Disk - ok
14:21:18.0156 2828 dmadmin - ok
14:21:18.0234 2828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:21:18.0390 2828 dmboot - ok
14:21:18.0437 2828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:21:18.0484 2828 dmio - ok
14:21:18.0515 2828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:21:18.0531 2828 dmload - ok
14:21:18.0562 2828 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
14:21:18.0562 2828 dmserver - ok
14:21:18.0609 2828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:21:18.0625 2828 DMusic - ok
14:21:18.0687 2828 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
14:21:18.0687 2828 Dnscache - ok
14:21:18.0734 2828 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
14:21:18.0781 2828 Dot3svc - ok
14:21:18.0781 2828 dpti2o - ok
14:21:18.0828 2828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:21:18.0828 2828 drmkaud - ok
14:21:18.0875 2828 DSproct - ok
14:21:18.0921 2828 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
14:21:18.0937 2828 EapHost - ok
14:21:18.0984 2828 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
14:21:19.0000 2828 ERSvc - ok
14:21:19.0062 2828 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:21:19.0062 2828 Eventlog - ok
14:21:19.0125 2828 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
14:21:19.0140 2828 EventSystem - ok
14:21:19.0234 2828 EvtEng (c37b83b51cdf10e5bb6f78a7e4fed11a) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
14:21:19.0312 2828 EvtEng - ok
14:21:19.0343 2828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:21:19.0359 2828 Fastfat - ok
14:21:19.0406 2828 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:21:19.0421 2828 FastUserSwitchingCompatibility - ok
14:21:19.0453 2828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:21:19.0468 2828 Fdc - ok
14:21:19.0484 2828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:21:19.0515 2828 Fips - ok
14:21:19.0515 2828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:21:19.0546 2828 Flpydisk - ok
14:21:19.0578 2828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:21:19.0593 2828 FltMgr - ok
14:21:19.0734 2828 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
14:21:19.0750 2828 FontCache3.0.0.0 - ok
14:21:19.0859 2828 FreeAgentGoNext Service (81b4a2c6c9bd17ffb6031a0a61c09764) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
14:21:19.0890 2828 FreeAgentGoNext Service - ok
14:21:19.0921 2828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:21:19.0937 2828 Fs_Rec - ok
14:21:19.0968 2828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:21:19.0984 2828 Ftdisk - ok
14:21:20.0015 2828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:21:20.0046 2828 Gpc - ok
14:21:20.0078 2828 GTIPCI21 (ca835331825599b938e37525796d3549) C:\WINDOWS\system32\DRIVERS\gtipci21.sys
14:21:20.0109 2828 GTIPCI21 - ok
14:21:20.0140 2828 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:21:20.0156 2828 helpsvc - ok
14:21:20.0187 2828 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
14:21:20.0203 2828 HidServ - ok
14:21:20.0234 2828 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:21:20.0265 2828 HidUsb - ok
14:21:20.0625 2828 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
14:21:20.0640 2828 hkmsvc - ok
14:21:20.0656 2828 hpn - ok
14:21:20.0703 2828 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
14:21:20.0750 2828 HSFHWICH - ok
14:21:20.0828 2828 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
14:21:20.0953 2828 HSF_DPV - ok
14:21:21.0015 2828 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:21:21.0031 2828 HTTP - ok
14:21:21.0062 2828 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
14:21:21.0062 2828 HTTPFilter - ok
14:21:21.0062 2828 i2omgmt - ok
14:21:21.0078 2828 i2omp - ok
14:21:21.0109 2828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:21:21.0109 2828 i8042prt - ok
14:21:21.0328 2828 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:21:21.0546 2828 idsvc - ok
14:21:21.0578 2828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:21:21.0609 2828 Imapi - ok
14:21:21.0656 2828 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
14:21:21.0656 2828 ImapiService - ok
14:21:21.0671 2828 ini910u - ok
14:21:21.0703 2828 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:21:21.0703 2828 IntelIde - ok
14:21:21.0750 2828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:21:21.0750 2828 intelppm - ok
14:21:21.0765 2828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:21:21.0796 2828 Ip6Fw - ok
14:21:21.0828 2828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:21:21.0843 2828 IpFilterDriver - ok
14:21:21.0875 2828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:21:21.0906 2828 IpInIp - ok
14:21:21.0953 2828 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:21:22.0046 2828 IpNat - ok
14:21:22.0218 2828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:21:22.0234 2828 IPSec - ok
14:21:22.0265 2828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:21:22.0281 2828 IRENUM - ok
14:21:22.0312 2828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:21:22.0312 2828 isapnp - ok
14:21:22.0421 2828 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
14:21:22.0453 2828 JavaQuickStarterService - ok
14:21:22.0484 2828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:21:22.0484 2828 Kbdclass - ok
14:21:22.0515 2828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:21:22.0531 2828 kmixer - ok
14:21:22.0578 2828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:21:22.0593 2828 KSecDD - ok
14:21:33.0718 2828 ============================================================
14:21:33.0718 2828 Scan finished
14:21:33.0718 2828 ============================================================
14:21:33.0734 2804 Detected object count: 0
14:21:33.0734 2804 Actual detected object count: 0

#7 titletech (Topic Starter, Members)

Posted 24 June 2012 - 02:52 PM

When I run AVAST:

It gets so far, then I either get an error (see 1st error attached; 2nd error: avast antirootkit has encountered a problem... report contents attached) or a STOP error: DRIVER_IRQL_NOT_LESS_OR_EQUAL. STOP 0X000000D1 (9X3F3F3F9F0, 000000005, 0X00000000, 0XF740BD23) ATAPI.SYS

I tried to run it 3 times.

I have no MBR file on my desktop.


#8 nasdaq (Malware Response Team)

Posted 25 June 2012 - 09:51 AM

If not already done, please restart the computer in normal mode.

Did you get that error when running aswMBR.exe?

Can you post the log from that scan?
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#9 nasdaq (Malware Response Team)

Posted 01 July 2012 - 07:19 AM

Due to the lack of feedback, this topic is now closed.

Topic reopened. ComboFix log from a PM message.

ComboFix 12-06-28.03 - user1 07/01/2012 14:03:50.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.578 [GMT -4:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896] R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952] R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216] R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/19/2012 5:17 AM 301248] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664] R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608] R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/30/2012 9:44 AM 5106744] R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288] R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 12:25 PM 189736] R2 vToolbarUpdater11.1.0;vToolbarUpdater11.1.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [6/18/2012 12:41 AM 935480] R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856] R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144] R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/28/2010 4:05 PM 88192] S1 kufnimxd;kufnimxd;\??\c:\windows\system32\drivers\kufnimxd.sys --> c:\windows\system32\drivers\kufnimxd.sys [?] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-07-01 c:\windows\Tasks\User_Feed_Synchronization-{D3F87846-0852-41A5-855B-CC7FE33A3DEC}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.cnn.com/CNN/Programs/morning.express/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 TCP: DhcpNameServer = 10.0.0.1 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll . - - - - ORPHANS REMOVED - - - - . Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file) HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-07-01 14:37 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(944) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\windows\system32\netprovcredman.dll . - - - - - - - > 'explorer.exe'(172) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\netprovcredman.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\program files\Intel\WiFi\bin\S24EvMon.exe c:\windows\system32\Ati2evxx.exe c:\windows\System32\SCardSvr.exe c:\program files\Intel\WiFi\bin\EvtEng.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe c:\program files\AVG\AVG2012\avgnsx.exe c:\program files\AVG\AVG2012\avgemcx.exe c:\program files\AVG\AVG2012\avgrsx.exe c:\program files\AVG\AVG2012\avgcsrvx.exe c:\program files\Apoint\HidFind.exe c:\program files\Apoint\Apntex.exe c:\windows\system32\wbem\unsecapp.exe . ************************************************************************** . Completion time: 2012-07-01 14:43:52 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-01 18:43 . Pre-Run: 30,478,610,432 bytes free Post-Run: 32,517,865,472 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 1D034778D48FDA29D3DAF3442C6855C7

Edited by nasdaq, 02 July 2012 - 07:34 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:24 PM

Posted 02 July 2012 - 07:41 AM

Open notepad and copy/paste the text in the quote box below into it:

Driver::
kufnimxd


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Let me know what problem persists.
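As an added illustration of how the kufnimxd entry stands out in the first log (this is editor-supplied example code, not something from this thread, from nasdaq, or from ComboFix), the script below parses the Drivers/Services lines in the format ComboFix prints and scores each one with a few triage heuristics. The sample lines are constructed from entries shown in the log above; the heuristics and their weights are assumptions for triage, not ComboFix logic or a malware verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, copied in the ComboFix "Drivers/Services" line format shown
# in this thread: four legitimate entries and the S1 kufnimxd entry that nasdaq's
# CFScript (Driver:: kufnimxd) removed.
SAMPLE_LOG = r"""
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/28/2010 4:05 PM 88192]
S1 kufnimxd;kufnimxd;\??\c:\windows\system32\drivers\kufnimxd.sys --> c:\windows\system32\drivers\kufnimxd.sys [?]
"""

# ComboFix prints: <R|S><start> <service name>;<display name>;<image path> [<date time size> or ?]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class DriverEntry:
    state: str          # "R" running or "S" stopped
    start: int          # start type 0..4
    name: str
    display: str
    path: str
    meta: str           # "date time size", or "?" when ComboFix could not stat the file
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_drivers(text: str) -> list:
    """Parse every Drivers/Services line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["state"], int(m["start"]), m["name"],
                                       m["display"], m["path"], m["meta"]))
    return entries


def triage(entry: DriverEntry) -> DriverEntry:
    """Attach review reasons (assumed heuristics). Idempotent: reasons are recomputed."""
    entry.reasons = []
    if entry.meta == "?":
        # "[?]": the registered image file no longer exists on disk.
        entry.reasons.append("image file missing on disk")
        if entry.state == "S" and entry.start <= 1:
            # A boot/system-start driver still registered but not loaded, with no
            # file, is a typical leftover after another scanner deleted the driver.
            entry.reasons.append("boot/system-start driver registered but not loaded")
    if entry.path.startswith("\\??\\") or "-->" in entry.path:
        # ImagePath stored in NT object-manager form; ComboFix shows the resolved
        # path after "-->". Some legitimate drivers do this too, so it is only a signal.
        entry.reasons.append("NT-style \\??\\ image path")
    if entry.name == entry.display and re.fullmatch(r"[a-z]{7,}", entry.name):
        # No vendor description and an all-lowercase, random-looking name (weak signal).
        entry.reasons.append("random-looking service name with no description")
    return entry


def suspicious_drivers(text: str, min_score: int = 2) -> list:
    """Names of entries that collect at least min_score reasons, for manual review."""
    return [e.name for e in map(triage, parse_drivers(text)) if e.score >= min_score]


if __name__ == "__main__":
    for e in map(triage, parse_drivers(SAMPLE_LOG)):
        flag = "REVIEW" if e.score >= 2 else "ok"
        print(f"{flag:6} {e.state}{e.start} {e.name:10} {'; '.join(e.reasons)}")
```

Run against a full ComboFix log the parser simply ignores every non-driver line, so the same function can be pointed at the whole file.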

#11 titletech

titletech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 04 July 2012 - 07:30 PM

2nd ComboFix scan:

ComboFix 12-06-28.03 - user1 07/04/2012 19:59:09.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.389 [GMT -4:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user1\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_kufnimxd
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-06-27 00:18 . 2012-06-27 00:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-17 20:59 . 2012-06-17 20:59 -------- d-----w- c:\documents and settings\user1\Application Data\SUPERAntiSpyware.com
2012-06-17 20:58 . 2012-06-17 21:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-17 20:58 . 2012-06-17 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-06-17 19:03 . 2012-06-17 19:04 -------- d-----w- c:\windows\system32\MpEngineStore
2012-06-17 17:45 . 2012-06-17 17:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-06-17 15:41 . 2012-06-17 15:42 -------- d-----w- C:\desktop copy
2012-06-17 04:15 . 2012-06-17 04:15 -------- d-----w- c:\documents and settings\user1\Application Data\AVG2012
2012-06-17 04:11 . 2012-06-17 04:11 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\AVG Secure Search
2012-06-17 04:11 . 2012-06-17 04:11 -------- d-----w- c:\documents and settings\user1\Application Data\AVG Secure Search
2012-06-17 04:11 . 2012-06-18 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-06-17 04:11 . 2012-06-17 04:11 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-06-17 04:11 . 2012-06-18 04:41 -------- d-----w- c:\program files\AVG Secure Search
2012-06-17 04:09 . 2012-07-04 22:08 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-17 04:09 . 2012-06-19 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-06-17 04:04 . 2012-06-17 04:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-06-13 21:40 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 21:54 . 2012-06-12 21:26 -------- d-----w- c:\windows\system32\XPSViewer
2012-06-11 21:54 . 2012-06-11 21:54 -------- d-----w- c:\program files\MSBuild
2012-06-11 21:54 . 2012-06-11 21:54 -------- d-----w- c:\program files\Reference Assemblies
2012-06-11 21:54 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-06-11 21:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2012-06-11 21:53 . 2012-06-11 21:54 -------- d-----w- C:\0de4b6a963201c31f77899202694
2012-06-11 21:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-06-11 21:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-06-11 21:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-06-11 21:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-06-11 21:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-06-11 21:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-06-11 21:53 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-06-09 22:06 . 2012-06-09 22:40 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 00:18 . 2011-12-16 17:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-01-11 14:23 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-01-11 14:23 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2008-01-11 14:23 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-01-11 14:23 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2008-01-11 14:23 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-01-11 14:23 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-01-11 14:23 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-01-11 14:21 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-01_18.34.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-05 00:15 . 2012-07-05 00:15 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-06-18 04:41 2068536 ----a-w- c:\program files\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.1.0.7\AVG Secure Search_toolbar.dll" [2012-06-18 2068536]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-07 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-06-18 1104440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/19/2012 5:17 AM 301248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/30/2012 9:44 AM 5106744]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 12:25 PM 189736]
R2 vToolbarUpdater11.1.0;vToolbarUpdater11.1.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.1.0\ToolbarUpdater.exe [6/18/2012 12:41 AM 935480]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/28/2010 4:05 PM 88192]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\User_Feed_Synchronization-{D3F87846-0852-41A5-855B-CC7FE33A3DEC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/CNN/Programs/morning.express/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.1.0\ViProtocol.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 20:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-07-04 20:26:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 00:26
ComboFix2.txt 2012-07-04 23:42
ComboFix3.txt 2012-07-01 18:43
.
Pre-Run: 32,493,846,528 bytes free
Post-Run: 32,490,905,600 bytes free
.
- - End Of File - - 943B0CB2C0DDAC326D661B084CE054C3

#12 titletech

titletech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 04 July 2012 - 07:36 PM

Security Check log:
Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Java™ 6 Update 29
Java version out of Date!
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````


All AVG scans come up clean. Desktop icons now stay where they were put and items seem to have stopped disappearing.

Please let me know if there is anything you see in the logs that would be of concern.

Thank you for your time and help with this. It is much appreciated!

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:24 PM

Posted 05 July 2012 - 08:08 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:24 PM

Posted 11 July 2012 - 09:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



