Need help cleaning "Live Security Platinum" infection


  • This topic is locked
62 replies to this topic

#1 mn_sailor

mn_sailor

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 20 June 2012 - 02:39 PM

Hi Bleeping Computer Staff,

I was browsing with Firefox looking for a manual for sprinkler controllers (of all things) when a bogus security message popped up. I must have clicked the wrong place and was introduced to "Live Security Platinum".

Since cleaning with TDSSKiller, MalwareBytes, ESET Online and my Panda Cloud Antivirus (resident), I still have some problems with the computer:

1. I can't start the Windows Firewall - this message pops up: "Due to an unidentified problem, Windows cannot display Windows Firewall settings."
2. My folder view options, including the Desktop Icons, are constantly changed to some unknown and unwanted settings.
3. Some DNS values seem to be hijacked and I get redirected to unwanted web locations.

I have included the DDS log below and attached the attach.txt and ark.txt files. I also attached the TDSSKiller, Malwarebytes, and ESET logs created when cleaning (they should have details on what was cleaned).

I noted the following virus (trojan) results during the above scans: JS/Redirector.NIQ, Win32/Agent.TEO, and Win32/Sirefef.FA/EV/EZ/DA/EU.

Thanks in advance for helping to clean this mess. I'm hoping I have not lost any data to the bad guys!

John


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Sue and John at 11:25:21 on 2012-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.103 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Sue and John\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Documents and Settings\Sue and John\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - No File
uRun: [Akamai NetSession Interface] "c:\documents and settings\sue and john\local settings\application data\akamai\netsession_win.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [KSS] "c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe" /autorun
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [D-Link AirPlus XtremeG DWL-G520] c:\program files\d-link\airplus xtremeg dwl-g520\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [sdfer] "c:\windows\system32\rundll32.exe" "c:\documents and settings\sue and john\application data\sdfer.dll",LoadPRTBufferFromFileA
dRunOnce: [RunNarrator] Narrator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://vpn.esc.gov/vdesk/terminal/urxvpn.cab#version=6030,2008,1031,2121
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.esc.gov/vdesk/terminal/f5tunsrv.cab#version=6030,2008,1112,2313
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168991497968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171897268343
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://71.204.234.102/activex/AxisCamControl.ocx
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.apengineering.com/dwa8W.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.esc.gov/vdesk/terminal/urxshost.cab#version=6030,2008,1031,2112
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://bjm.byy.com:8099/activex/AMC.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.esc.gov/vdesk/terminal/urxhost.cab#version=6030,2008,1031,2108
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30299.www3.hp.com/ediags/hpnar/en/app/17/install/gtdownhp.cab?1,0,0,94
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
TCP: Interfaces\{DAC61952-2AAD-4923-80E0-11C589E60A44} : DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sue and john\application data\mozilla\firefox\profiles\xtvuoigy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\sue and john\application data\mozilla\firefox\profiles\xtvuoigy.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_257.dll
.
============= SERVICES / DRIVERS ===============
.
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2007-1-16 14592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 KSS;Kaspersky Security Scan Service;c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe [2012-4-25 202296]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112648]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2008-10-31 33408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-4 136176]
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\ubsbm.sys --> c:\windows\system32\drivers\ubsbm.sys [?]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\ubumapi.sys --> c:\windows\system32\drivers\ubumapi.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 547744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 257224]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-12-23 1691480]
S3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2007-2-25 203264]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-8-15 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-4 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 113120]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys --> c:\windows\system32\drivers\ubohci.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2012-06-15 04:12:48 -------- d-----w- c:\program files\Kaspersky Lab
2012-06-15 04:12:48 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2012-06-13 12:31:30 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 14:51:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-11 14:51:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-11 14:43:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-11 13:43:46 -------- d-----w- c:\documents and settings\sue and john\application data\Xaahby
2012-06-11 13:43:46 -------- d-----w- c:\documents and settings\sue and john\application data\Otgead
2012-06-11 13:43:46 -------- d-----w- c:\documents and settings\sue and john\application data\Obotsy
2012-06-11 13:42:25 -------- d-----w- c:\documents and settings\sue and john\local settings\application data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:42:21 343040 ----a-w- c:\documents and settings\sue and john\application data\sdfer.dll
2012-06-11 13:42:03 -------- d-----w- c:\program files\common files\MS
2012-06-11 13:41:44 -------- d-----w- c:\documents and settings\all users\application data\F4D55EFF0CF218850A6C0FADD151FC4E
2012-06-09 13:46:57 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-09 13:46:57 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
.
==================== Find3M ====================
.
2012-06-14 19:13:15 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-14 19:13:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-11 14:44:39 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-05 15:37:12 4140192 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 11:26:28.21 ===============
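The "Pseudo HJT Report" section of the DDS log above is where a responder looks first: autostart (Run) entries, the browser proxy configuration, and ActiveX download (DPF) entries. As an added example, not part of the post and not code from DDS or BleepingComputer, here is a small Python triage script that applies a few defender-side heuristics to a constructed subset of those lines: an autostart entry that uses rundll32 to load a DLL from a user-writable profile directory, a ProxyOverride value naming a loopback address and port, and a DPF download from a raw IP address. The rules, severities, and the `USER_WRITABLE` directory list are this example's own assumptions, not DDS output, and a flagged line is a prompt to look closer, not a verdict.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines.

Added example (not part of the forum post, DDS, or BleepingComputer tooling).
The heuristics below are assumptions of this example; DDS itself only lists
the entries, it does not rate them.
"""
import re

# Constructed sample: a subset of lines modelled on the posted DDS report.
# DDS defangs URLs as hxxp://, which is preserved here.
SAMPLE_DDS = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
uRun: [Akamai NetSession Interface] "c:\documents and settings\sue and john\local settings\application data\akamai\netsession_win.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sdfer] "c:\windows\system32\rundll32.exe" "c:\documents and settings\sue and john\application data\sdfer.dll",LoadPRTBufferFromFileA
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://71.204.234.102/activex/AxisCamControl.ocx
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
"""

# Profile directories a normal user can write to on Windows XP (assumption of
# this example). Code started from here at logon is worth a second look,
# whether or not it turns out to be legitimate.
USER_WRITABLE = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\desktop\\",
)

RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} - (?P<url>\S+)")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyOverride = (?P<val>.*)$")
RAW_IP_HOST = re.compile(r"^hxxps?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")


def triage(text):
    """Return a list of (severity, reason, line) for lines that merit review."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            in_profile = any(d in cmd for d in USER_WRITABLE)
            if "rundll32" in cmd and in_profile:
                findings.append(("high", "rundll32 loading a DLL from a user-writable profile directory", line))
            elif in_profile:
                findings.append(("medium", "autostart entry running from a user-writable profile directory", line))
            continue
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1:\d+", m.group("val")):
            findings.append(("medium", "ProxyOverride names a loopback address:port; check for a local proxy", line))
            continue
        m = DPF_RE.match(line)
        if m and RAW_IP_HOST.match(m.group("url")):
            findings.append(("low", "ActiveX download (DPF) from a raw IP rather than a hostname", line))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for sev, _reason, _line in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for sev, reason, line in results:
        print(f"[{sev:6}] {reason}\n         {line}")
    print(severity_counts(results))
```

Run against the sample, the script rates the sdfer rundll32 entry highest, lists the Akamai entry and the loopback ProxyOverride as medium, and the raw-IP DPF as low; the Akamai hit shows why the output is a review list rather than a verdict, since legitimate software also installs into the user profile.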

#2 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 23 June 2012 - 08:40 AM

Hi Moderators and Malware Response members,

My apologies for attaching files to the original post. I learned after reading other threads on this forum to not use attachments.

1. I was curious as to the reason - could these text files be infected?

2. Should the forum instructions be changed to eliminate this step when preparing a request for help?

Thanks again,

John

Edited by mn_sailor, 23 June 2012 - 01:05 PM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:40 PM

Posted 24 June 2012 - 10:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please run Malwarebytes again and if any bad items are found remove them.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===



Please post the logs and let me know if the problem persists.

#4 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 24 June 2012 - 02:17 PM

Hi nasdaq,

Thanks for your reply and assistance!!

I'll get going on your list right now.

Sorry I didn't respond sooner. I have a nasty summer cold (the old fashioned virus) and have not been on top of my emails, but I'll stick with it now.

John

#5 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 24 June 2012 - 03:58 PM

Results log of MBAM full scan included below.

ComboFix and Security Check still to come.

John

=====

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.24.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sue and John :: DWOFFICEE6300 [administrator]

6/24/2012 2:28:20 PM
mbam-log-2012-06-24 (14-28-20).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 493548
Time elapsed: 1 hour(s), 20 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 24 June 2012 - 04:57 PM

Hi nasdaq,

ComboFix and Security Check logs are included below.

At one point during its scan, ComboFix reported that this computer was infected with the ZeroAccess! rootkit. It also reported that it may be necessary to run ComboFix a second time. I have not done this, but the computer did re-boot during the ComboFix run and it seemed to start over.

As for the problems I was experiencing:
1. I still cannot turn on Windows firewall.
2. My folder views seem to have returned to normal.
3. I have not done any Web browsing to determine if re-directs are still occurring.

Thanks again for your assist,

John

=========

ComboFix 12-06-24.03 - Sue and John 06/24/2012 16:13:58.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -5:00]
Running from: c:\documents and settings\Sue and John\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Sue and John\Application Data\Obotsy
c:\documents and settings\Sue and John\Application Data\Obotsy\heop.pee
c:\documents and settings\Sue and John\Application Data\sdfer.dll
c:\documents and settings\Sue and John\Application Data\Xaahby
c:\documents and settings\Sue and John\Application Data\Xaahby\ehaga.epa
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\program files\Kaspersky Lab
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-06-13 12:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 14:51 . 2012-06-11 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-11 14:51 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-11 14:43 . 2012-06-15 15:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-11 13:46 . 2012-06-11 13:46 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:43 . 2012-06-11 13:43 -------- d-----w- c:\documents and settings\Sue and John\Application Data\Otgead
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\documents and settings\Sue and John\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\program files\Common Files\MS
2012-06-11 13:41 . 2012-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF0CF218850A6C0FADD151FC4E
2012-06-09 13:46 . 2012-06-09 13:46 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-09 13:46 . 2012-06-09 13:46 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 05:37 . 2012-04-12 16:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 05:37 . 2011-05-31 13:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-11 14:44 . 2006-02-28 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-06-02 20:19 . 2007-08-20 20:13 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2007-01-15 23:41 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2007-01-15 23:41 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2007-01-15 23:41 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2007-01-16 23:53 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2007-01-15 23:41 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2007-01-15 23:41 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2007-08-20 20:13 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2007-01-15 23:41 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2007-01-15 23:41 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2007-08-20 20:13 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2007-02-19 21:43 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2005-05-26 10:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2006-02-28 12:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-01-15 23:39 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-06-17 13:04 . 2011-11-18 15:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Sue and John\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-26 4327744]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-26 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"D-Link AirPlus XtremeG DWL-G520"="c:\program files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-27 1327104]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-01-13 1953792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-17 149024]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 15:54 150016 ----a-w- e:\dw program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-11-15 22:58 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-01-13 20:31 36864 ----a-w- c:\windows\JM\JMInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-11-17 02:34 19722344 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [1/16/2007 3:30 PM 14592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [11/23/2011 3:59 AM 130312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 KSS;Kaspersky Security Scan Service;c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [4/25/2012 7:53 PM 202296]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 2:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [1/5/2012 7:10 AM 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 2:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 2:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [11/30/2011 12:37 PM 112648]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [10/31/2008 4:22 PM 33408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\DRIVERS\ubsbm.sys --> c:\windows\system32\DRIVERS\ubsbm.sys [?]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\DRIVERS\ubumapi.sys --> c:\windows\system32\DRIVERS\ubumapi.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/11/2006 2:11 PM 547744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 11:26 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/23/2010 4:44 AM 1691480]
S3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2/25/2007 9:33 PM 203264]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/15/2009 7:34 PM 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 2:22 PM 113120]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\DRIVERS\ubohci.sys --> c:\windows\system32\DRIVERS\ubohci.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 05:37]
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-24 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-04-14 20:46]
.
2012-06-24 c:\windows\Tasks\User_Feed_Synchronization-{19ADA066-DCE3-47E1-BA03-1ED61F409479}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://bjm.byy.com:8099/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sue and John\Application Data\Mozilla\Firefox\Profiles\xtvuoigy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-sdfer - c:\documents and settings\Sue and John\Application Data\sdfer.dll
SafeBoot-27858809.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 16:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_80c2ffa.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1492)
c:\windows\system32\relog_ap.dll
.
Completion time: 2012-06-24 16:31:56
ComboFix-quarantined-files.txt 2012-06-24 21:31
.
Pre-Run: 31,887,716,352 bytes free
Post-Run: 32,539,033,600 bytes free
.
- - End Of File - - 1AA6225216D0977EA8AAE12342DFF64C


=========

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Panda Cloud Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.3.300.262
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
Panda Security Panda Cloud Antivirus PSANHost.exe
Kaspersky Lab Kaspersky Security Scan 2.0 kss.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````


=========

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:40 PM

Posted 25 June 2012 - 10:12 AM

Restart the computer normally.

Run ComboFix one more time and post the log.

===

I still cannot turn on Windows firewall.

With the Comodo Firewall this Microsoft firewall is not required.
You cannot run two firewalls in real life.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 29


Also remove this old version of Adobe Reader 8.

===

Please let me know what problem persists.

#8 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 25 June 2012 - 11:26 AM

Good Morning nasdaq,

=======

When I restarted the machine, the Windows Firewall was working. It gave me the following warning: "Windows Firewall has blocked some of the features of this program: Akamai NetSession Client, Akamai Technologies, Inc." in a dialog box. I selected the "Keep Blocking" box. It sounds like this program may have been corrupted. When I ran TDSSKiller on June 11 after I was first infected, it also detected Akamai NetSession as well as the netbt.sys driver.

I don't know why Comodo Firewall keeps surfacing as a firewall option. I thought I had uninstalled it years ago. I would be interested in installing a better (than Windows) firewall, but I need one that is somewhat straightforward to configure.

=======

I ran ComboFix again and got the same message as the first run ==> "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. ..." It also prompted a reboot before doing the full scan. The log is included below.

=======

I updated Java to Java™ 7 Update 5 and deleted the old version. I could not remove Adobe Reader 8, as there was no entry for it in Add/Remove Programs.

======

It seems I am still getting Web re-directs from Google searches.

I'll await your next instructions,

John
=========

ComboFix 12-06-25.03 - Sue and John 06/25/2012 10:42:28.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -5:00]
Running from: c:\documents and settings\Sue and John\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: COMODO Firewall Pro *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\program files\Kaspersky Lab
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-06-13 12:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 14:51 . 2012-06-11 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-11 14:51 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-11 14:43 . 2012-06-15 15:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-11 13:46 . 2012-06-11 13:46 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:43 . 2012-06-11 13:43 -------- d-----w- c:\documents and settings\Sue and John\Application Data\Otgead
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\documents and settings\Sue and John\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\program files\Common Files\MS
2012-06-11 13:41 . 2012-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF0CF218850A6C0FADD151FC4E
2012-06-09 13:46 . 2012-06-09 13:46 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-09 13:46 . 2012-06-09 13:46 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 05:37 . 2012-04-12 16:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 05:37 . 2011-05-31 13:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-11 14:44 . 2006-02-28 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-06-02 20:19 . 2007-08-20 20:13 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2007-01-15 23:41 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2007-01-15 23:41 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2007-01-15 23:41 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2007-01-16 23:53 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2007-01-15 23:41 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2007-01-15 23:41 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2007-08-20 20:13 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2007-01-15 23:41 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2007-01-15 23:41 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2007-08-20 20:13 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2007-02-19 21:43 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2005-05-26 10:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2006-02-28 12:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-01-15 23:39 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-06-17 13:04 . 2011-11-18 15:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Sue and John\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-26 4327744]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-26 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"D-Link AirPlus XtremeG DWL-G520"="c:\program files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-27 1327104]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-01-13 1953792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-17 149024]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 15:54 150016 ----a-w- e:\dw program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-11-15 22:58 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-01-13 20:31 36864 ----a-w- c:\windows\JM\JMInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-11-17 02:34 19722344 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Sue and John\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [1/16/2007 3:30 PM 14592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [11/23/2011 3:59 AM 130312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 KSS;Kaspersky Security Scan Service;c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [4/25/2012 7:53 PM 202296]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 2:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [1/5/2012 7:10 AM 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 2:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 2:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [11/30/2011 12:37 PM 112648]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [10/31/2008 4:22 PM 33408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\DRIVERS\ubsbm.sys --> c:\windows\system32\DRIVERS\ubsbm.sys [?]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\DRIVERS\ubumapi.sys --> c:\windows\system32\DRIVERS\ubumapi.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/11/2006 2:11 PM 547744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 11:26 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/23/2010 4:44 AM 1691480]
S3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2/25/2007 9:33 PM 203264]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/15/2009 7:34 PM 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 2:22 PM 113120]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\DRIVERS\ubohci.sys --> c:\windows\system32\DRIVERS\ubohci.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 05:37]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-24 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-04-14 20:46]
.
2012-06-25 c:\windows\Tasks\User_Feed_Synchronization-{19ADA066-DCE3-47E1-BA03-1ED61F409479}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://bjm.byy.com:8099/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sue and John\Application Data\Mozilla\Firefox\Profiles\xtvuoigy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 10:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_80c2ffa.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1484)
c:\windows\system32\relog_ap.dll
.
Completion time: 2012-06-25 10:55:49
ComboFix-quarantined-files.txt 2012-06-25 15:55
ComboFix2.txt 2012-06-24 21:31
.
Pre-Run: 32,512,618,496 bytes free
Post-Run: 32,499,269,632 bytes free
.
- - End Of File - - 35B298B03566BCF0FF534464CEA3D254

=======

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:40 PM

Posted 25 June 2012 - 01:31 PM

The COMODO uninstaller may have left some traces.
Will remove what ComboFix found.

I could not remove Adobe Reader 8, as there was no entry for it in Add/Remove Programs.

See if you can remove all traces of this Reader 8.
http://majorgeeks.com/Revo_Uninstaller_d5706.html
Revo Uninstaller helps you to remove any unwanted application installed on your computer.
<<<>>>

I would install the Panda Firewall. Keep it in the family. You already have the Antivirus...
http://www.pandasecurity.com/enterprise/solutions/security-appliances/firewall.htm
You already have Microsoft's Firewall. Is this not enough?
<<<>>>

Run these fixes and let me know if the redirection is still an issue.

Go to Start > Run box, type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
*/*

Your router may have been compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
===

When I ran TDSSKiller on June 11 after I was first infected, it also detected Akamai NetSession as well as the netbt.sys driver.

Your first post here was on June 20.
Run TDSSKiller again and post the log.

Open notepad and copy/paste the text in the quote box below into it:

SecCenter::
{043803A3-4F86-4ef6-AFC5-F6E02A79969B}

ClearJavaCache::


Save this as CFScript.txt on your desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Please post the logs and let me know what problem persists.
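The two complaints in this thread (DNS redirects and a firewall that would not start) both show up as single lines in the ComboFix logs above. The script below is an added example, not code from the thread or from ComboFix: it pulls the DhcpNameServer, EnableFirewall and GloballyOpenPorts lines out of a log and lists what a responder would want to look at. EXPECTED_DNS is an assumed allowlist (the user's ISP resolvers plus the LAN router) and SAMPLE_LOG is a constructed excerpt in the format the logs above use.

```python
"""Added example, not code from the thread or from ComboFix: pull the
DNS-server and firewall-policy lines out of a ComboFix log and list what a
responder would want to look at (unexpected resolvers, firewall disabled,
globally open ports). EXPECTED_DNS is an assumed allowlist; SAMPLE_LOG is a
constructed excerpt in the format shown in the logs in this thread."""
import re

# Constructed sample in the shape ComboFix prints (see the logs in this thread).
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"""

# Assumed allowlist: the ISP resolvers the user expects plus the LAN router.
EXPECTED_DNS = {"75.75.75.75", "75.75.76.76", "192.168.1.1"}

DNS_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
FW_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.*)$')


def parse_combofix(text):
    """Return the DNS servers, the firewall flag (None if the line is absent)
    and the globally open ports found in a ComboFix log."""
    dns, firewall_enabled, ports = [], None, []
    for line in text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            dns.extend(m.group(1).split())
            continue
        m = FW_RE.match(line)
        if m:
            firewall_enabled = m.group(1) != "0"
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((m.group(1), m.group(2).strip()))
    return {"dns": dns, "firewall_enabled": firewall_enabled, "open_ports": ports}


def triage(parsed, expected_dns=EXPECTED_DNS):
    """Turn the parsed values into human-readable findings for the responder."""
    findings = []
    unexpected = [s for s in parsed["dns"] if s not in expected_dns]
    if unexpected:
        findings.append("DNS server(s) not in the expected set: " + ", ".join(unexpected))
    if parsed["firewall_enabled"] is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for port, owner in parsed["open_ports"]:
        findings.append(f"globally open port {port} registered for {owner}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```

On the constructed sample the resolvers all match the allowlist, so only the disabled firewall and the two Akamai port openings are reported; a resolver outside the allowlist (the router-hijack case nasdaq raises) produces a DNS finding.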

#10 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:01:40 PM

Posted 25 June 2012 - 03:25 PM

Hi nasdaq,

I used the Revo Uninstaller to remove the Adobe 8 Spelling Dictionary and some other traces.

===

I'll look into the Panda Firewall. I was just wanting something more robust, with some traffic monitoring.

===

I executed the ipconfig commands - too early to tell on the redirects.

===

I will reset the router as soon as I can record my current configuration.

===

The TDSS killer log is below and the ComboFix log will be in my next post.

John


======

15:19:26.0812 3324 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
15:19:27.0140 3324 ============================================================
15:19:27.0140 3324 Current date / time: 2012/06/25 15:19:27.0140
15:19:27.0140 3324 SystemInfo:
15:19:27.0140 3324
15:19:27.0140 3324 OS Version: 5.1.2600 ServicePack: 3.0
15:19:27.0140 3324 Product type: Workstation
15:19:27.0140 3324 ComputerName: DWOFFICEE6300
15:19:27.0140 3324 UserName: Sue and John
15:19:27.0140 3324 Windows directory: C:\WINDOWS
15:19:27.0140 3324 System windows directory: C:\WINDOWS
15:19:27.0140 3324 Processor architecture: Intel x86
15:19:27.0140 3324 Number of processors: 2
15:19:27.0140 3324 Page size: 0x1000
15:19:27.0140 3324 Boot type: Normal boot
15:19:27.0140 3324 ============================================================
15:19:27.0609 3324 Drive \Device\Harddisk0\DR0 - Size: 0x7471100000 (465.77 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:19:27.0625 3324 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:19:27.0625 3324 ============================================================
15:19:27.0625 3324 \Device\Harddisk0\DR0:
15:19:27.0625 3324 MBR partitions:
15:19:27.0625 3324 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x6455F16
15:19:27.0640 3324 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x6455F94, BlocksNum 0x30D3C74
15:19:27.0656 3324 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x9529C68, BlocksNum 0x20CB0CA7
15:19:27.0687 3324 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x2A1DA96D, BlocksNum 0x6426DEB
15:19:27.0687 3324 \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x306017BB, BlocksNum 0x8FFC0D3
15:19:27.0718 3324 \Device\Harddisk0\DR0\Partition5: MBR, Type 0x7, StartLBA 0x395FD8D4, BlocksNum 0xD8736D
15:19:27.0718 3324 \Device\Harddisk1\DR1:
15:19:27.0718 3324 MBR partitions:
15:19:27.0718 3324 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2711637
15:19:27.0734 3324 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x27116B5, BlocksNum 0xC34F28D
15:19:27.0750 3324 ============================================================
15:19:27.0781 3324 C: <-> \Device\Harddisk0\DR0\Partition0
15:19:27.0796 3324 E: <-> \Device\Harddisk0\DR0\Partition1
15:19:27.0843 3324 F: <-> \Device\Harddisk0\DR0\Partition2
15:19:27.0890 3324 G: <-> \Device\Harddisk0\DR0\Partition3
15:19:27.0906 3324 H: <-> \Device\Harddisk0\DR0\Partition4
15:19:27.0937 3324 I: <-> \Device\Harddisk0\DR0\Partition5
15:19:27.0953 3324 J: <-> \Device\Harddisk1\DR1\Partition0
15:19:27.0984 3324 K: <-> \Device\Harddisk1\DR1\Partition1
15:19:27.0984 3324 ============================================================
15:19:27.0984 3324 Initialize success
15:19:27.0984 3324 ============================================================
15:19:35.0609 0772 ============================================================
15:19:35.0609 0772 Scan started
15:19:35.0609 0772 Mode: Manual;
15:19:35.0609 0772 ============================================================
15:19:36.0375 0772 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
15:19:36.0375 0772 61883 - ok
15:19:36.0484 0772 A3AB (21af8e9c727c6d7643ad497268f55bf1) C:\WINDOWS\system32\DRIVERS\A3AB.sys
15:19:36.0515 0772 A3AB - ok
15:19:36.0515 0772 Abiosdsk - ok
15:19:36.0515 0772 abp480n5 - ok
15:19:36.0593 0772 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:19:36.0593 0772 ACPI - ok
15:19:36.0640 0772 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:19:36.0640 0772 ACPIEC - ok
15:19:36.0765 0772 AcrSch2Svc (46a5cbb09b8f0c46f8cbe9210e5e3be2) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
15:19:36.0765 0772 AcrSch2Svc - ok
15:19:36.0828 0772 AdobeFlashPlayerUpdateSvc (990dc6edc9f933194d7cd4e65146bc94) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
15:19:36.0843 0772 AdobeFlashPlayerUpdateSvc - ok
15:19:36.0843 0772 adpu160m - ok
15:19:36.0890 0772 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:19:36.0906 0772 aec - ok
15:19:36.0953 0772 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:19:36.0953 0772 AFD - ok
15:19:36.0953 0772 Aha154x - ok
15:19:36.0953 0772 aic78u2 - ok
15:19:36.0953 0772 aic78xx - ok
15:19:37.0125 0772 Akamai (c775d704feb2b600a5bf7b0b088546af) c:\program files\common files\akamai/netsession_win_80c2ffa.dll
15:19:37.0125 0772 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_80c2ffa.dll. md5: c775d704feb2b600a5bf7b0b088546af
15:19:37.0125 0772 Akamai ( HiddenFile.Multi.Generic ) - warning
15:19:37.0125 0772 Akamai - detected HiddenFile.Multi.Generic (1)
15:19:37.0203 0772 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
15:19:37.0203 0772 Alerter - ok
15:19:37.0250 0772 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
15:19:37.0250 0772 ALG - ok
15:19:37.0250 0772 AliIde - ok
15:19:37.0375 0772 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
15:19:37.0421 0772 Ambfilt - ok
15:19:37.0453 0772 amsint - ok
15:19:37.0484 0772 ANIO (920298c7aef97d8168d219d35975d295) C:\WINDOWS\system32\ANIO.SYS
15:19:37.0484 0772 ANIO - ok
15:19:37.0500 0772 ANIWZCSdService (aa3d68f26b2a27f660afc46039b061a4) C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
15:19:37.0500 0772 ANIWZCSdService - ok
15:19:37.0531 0772 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
15:19:37.0531 0772 AppMgmt - ok
15:19:37.0640 0772 AR5416 (572d2cda0b0131cb4dbb31981ec75b49) C:\WINDOWS\system32\DRIVERS\athw.sys
15:19:37.0703 0772 AR5416 - ok
15:19:37.0734 0772 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:19:37.0734 0772 Arp1394 - ok
15:19:37.0734 0772 asc - ok
15:19:37.0734 0772 asc3350p - ok
15:19:37.0750 0772 asc3550 - ok
15:19:47.0140 0772 \Device\Harddisk0\DR0\Partition5 - ok
15:19:47.0140 0772 Boot (0x1200) (b59fb0f8144e79003c7df9bea81ec66d) \Device\Harddisk1\DR1\Partition0
15:19:47.0140 0772 \Device\Harddisk1\DR1\Partition0 - ok
15:19:47.0140 0772 Boot (0x1200) (e8af787486292c51a4b7aeb7c2533d2e) \Device\Harddisk1\DR1\Partition1
15:19:47.0140 0772 \Device\Harddisk1\DR1\Partition1 - ok
15:19:47.0140 0772 ============================================================
15:19:47.0140 0772 Scan finished
15:19:47.0140 0772 ============================================================
15:19:47.0156 1912 Detected object count: 1
15:19:47.0156 1912 Actual detected object count: 1

#11 mn_sailor (Topic Starter, Members, Ham Lake, MN)
Posted 25 June 2012 - 04:04 PM

Third ComboFix run - it had the same behavior as the first two runs ==> "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. ..." and a reboot required.

Here is the log:

======

ComboFix 12-06-25.03 - Sue and John 06/25/2012 15:41:13.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.566 [GMT -5:00]
Running from: c:\documents and settings\Sue and John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sue and John\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 16:11 . 2012-06-25 16:11 -------- d-----w- c:\program files\Common Files\Java
2012-06-25 16:10 . 2012-06-25 16:10 -------- d-----w- c:\program files\Oracle
2012-06-25 16:10 . 2012-06-25 16:10 -------- d-----w- c:\documents and settings\Sue and John\Application Data\Oracle
2012-06-25 16:10 . 2012-05-05 00:29 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-25 16:10 . 2012-05-05 00:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\program files\Kaspersky Lab
2012-06-15 04:12 . 2012-06-15 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2012-06-13 12:31 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 14:51 . 2012-06-11 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-11 14:51 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-11 14:43 . 2012-06-15 15:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-11 13:46 . 2012-06-11 13:46 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:43 . 2012-06-11 13:43 -------- d-----w- c:\documents and settings\Sue and John\Application Data\Otgead
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\documents and settings\Sue and John\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\program files\Common Files\MS
2012-06-11 13:41 . 2012-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF0CF218850A6C0FADD151FC4E
2012-06-09 13:46 . 2012-06-09 13:46 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-09 13:46 . 2012-06-09 13:46 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-23 05:37 . 2012-04-12 16:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 05:37 . 2011-05-31 13:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-11 14:44 . 2006-02-28 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-06-02 20:19 . 2007-08-20 20:13 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2007-01-15 23:41 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2007-01-15 23:41 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2007-01-15 23:41 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2007-08-20 20:13 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2007-01-16 23:53 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2007-01-15 23:41 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2007-01-15 23:41 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2007-08-20 20:13 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2007-01-15 23:41 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2007-01-15 23:41 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2007-08-20 20:13 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2007-02-19 21:43 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2005-05-26 10:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-05 00:29 . 2010-12-09 00:48 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:16 . 2006-02-28 12:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-01-15 23:39 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-06-17 13:04 . 2011-11-18 15:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Sue and John\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-26 4327744]
"KSS"="c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-26 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"D-Link AirPlus XtremeG DWL-G520"="c:\program files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-27 1327104]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-01-13 1953792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-17 149024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 15:54 150016 ----a-w- e:\dw program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-11-15 22:58 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-01-13 20:31 36864 ----a-w- c:\windows\JM\JMInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-11-17 02:34 19722344 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Sue and John\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1098:TCP"= 1098:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [1/16/2007 3:30 PM 14592]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [11/23/2011 3:59 AM 130312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 KSS;Kaspersky Security Scan Service;c:\program files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [4/25/2012 7:53 PM 202296]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 2:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [1/5/2012 7:10 AM 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 2:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 2:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [11/30/2011 12:37 PM 112648]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [10/31/2008 4:22 PM 33408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\DRIVERS\ubsbm.sys --> c:\windows\system32\DRIVERS\ubsbm.sys [?]
S2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\DRIVERS\ubumapi.sys --> c:\windows\system32\DRIVERS\ubumapi.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/11/2006 2:11 PM 547744]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 11:26 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/23/2010 4:44 AM 1691480]
S3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2/25/2007 9:33 PM 203264]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/15/2009 7:34 PM 10752]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 2:14 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 2:22 PM 113120]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\DRIVERS\ubohci.sys --> c:\windows\system32\DRIVERS\ubohci.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 05:37]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:13]
.
2012-06-25 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-04-14 20:46]
.
2012-06-25 c:\windows\Tasks\User_Feed_Synchronization-{19ADA066-DCE3-47E1-BA03-1ED61F409479}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://bjm.byy.com:8099/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sue and John\Application Data\Mozilla\Firefox\Profiles\xtvuoigy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 15:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_80c2ffa.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1484)
c:\windows\system32\relog_ap.dll
.
Completion time: 2012-06-25 15:55:20
ComboFix-quarantined-files.txt 2012-06-25 20:55
ComboFix2.txt 2012-06-25 15:55
ComboFix3.txt 2012-06-24 21:31
.
Pre-Run: 32,133,722,112 bytes free
Post-Run: 32,163,180,544 bytes free
.
- - End Of File - - 925B665106931EB44790EB2BBF707356

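The triage that the helper is doing by eye on the log above (new directories created in a tight burst on the infection date, GUID- or hex-named folders dropped into user profiles, the firewall policy key turned off, service entries whose binary ComboFix marks with [?]) can be made repeatable. The following script is an added example for this thread and is not a ComboFix, BleepingComputer or Malware Response Team tool. The sample lines are copied from the ComboFix log in the post above; the ten-minute burst threshold, the minimum burst size, and the "random-looking name" patterns are assumptions chosen here as heuristics, so a hit is a prompt for manual review, not proof of infection.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log in the post above
# (file list, firewall policy key, three service entries). Other sections are omitted.
SAMPLE_LOG = r"""
2012-06-25 16:10 . 2012-06-25 16:10 -------- d-----w- c:\program files\Oracle
2012-06-11 14:51 . 2012-06-11 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-11 14:43 . 2012-06-15 15:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-11 13:46 . 2012-06-11 13:46 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:43 . 2012-06-11 13:43 -------- d-----w- c:\documents and settings\Sue and John\Application Data\Otgead
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\documents and settings\Sue and John\Local Settings\Application Data\{426C18AA-B3CB-11E1-8270-B8AC6F996F26}
2012-06-11 13:42 . 2012-06-11 13:42 -------- d-----w- c:\program files\Common Files\MS
2012-06-11 13:41 . 2012-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF0CF218850A6C0FADD151FC4E
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
S2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\DRIVERS\ubsbm.sys --> c:\windows\system32\DRIVERS\ubsbm.sys [?]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\DRIVERS\ubohci.sys --> c:\windows\system32\DRIVERS\ubohci.sys [?]
"""

# "created . modified  size  attrs  path", as ComboFix prints a file-list entry
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\S+ \S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")                              # registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')                 # "Name"= value
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")    # R = running, S = stopped
# Heuristic name patterns (assumption): a bare GUID or 32 hex chars as a folder name.
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
HEX32_DIR = re.compile(r"\\[0-9A-F]{32}$")


def parse_log(text):
    """Split a ComboFix log into file entries, service entries and registry values."""
    files, services, values = [], [], {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            files.append({"created": created, "attrs": m.group(4), "path": m.group(5)})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            values[(current_key, m.group(1).lower())] = m.group(2)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"state": m.group(1), "start": int(m.group(2)),
                             "name": m.group(3), "rest": m.group(5)})
    return files, services, values


def creation_bursts(files, gap_minutes=10, min_size=3):
    """Group entries whose creation time is within gap_minutes of the previous entry.
    Droppers tend to create several objects within minutes; installs run by the
    user are usually spread out. Thresholds are assumptions."""
    ordered = sorted(files, key=lambda f: f["created"])
    bursts, current = [], []
    for entry in ordered:
        if current and entry["created"] - current[-1]["created"] > timedelta(minutes=gap_minutes):
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def random_named(files):
    """Directories whose last path component is a bare GUID or 32 hex characters."""
    return [f for f in files
            if f["attrs"].startswith("d") and (GUID_DIR.search(f["path"]) or HEX32_DIR.search(f["path"]))]


def firewall_disabled(values):
    """True when the standard-profile firewall policy key carries EnableFirewall = 0."""
    return any(key.endswith(r"firewallpolicy\standardprofile") and name == "enablefirewall" and val == "0"
               for (key, name), val in values.items())


def orphaned_services(services):
    """Names of service/driver entries whose binary ComboFix could not find (marked [?])."""
    return [s["name"] for s in services if s["rest"].rstrip().endswith("[?]")]


if __name__ == "__main__":
    files, services, values = parse_log(SAMPLE_LOG)
    for burst in creation_bursts(files):
        print("burst of %d entries starting %s" % (len(burst), burst[0]["created"]))
        for f in burst:
            print("   ", f["created"], f["path"])
    print("random-looking names:", [f["path"] for f in random_named(files)])
    print("firewall policy disabled:", firewall_disabled(values))
    print("services with missing binary:", orphaned_services(services))
```

On the sample, the burst detector isolates the five entries written between 13:41 and 13:46 on 2012-06-11 (the quarantine folder and the Malwarebytes install an hour later do not join it), three of those five have GUID or hex names, the standard-profile firewall policy is off, and the two Unibrain driver entries point at files that are no longer present. The firewall finding is the one that matches the reported symptom; the orphaned drivers are leftovers to clean up rather than evidence of the rootkit.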
#12 mn_sailor (Topic Starter, Members, Ham Lake, MN)
Posted 26 June 2012 - 09:38 AM

Hi Nasdaq,

Report on Router reset ==> I reset my Linksys E3000, changed passwords and SSID, did not broadcast the SSID, etc.

Is it worth the effort to assign static IP addresses to the devices on my wireless network?

John

#13 nasdaq (Malware Response Team, Montreal, QC, Canada)
Posted 26 June 2012 - 09:39 AM

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#14 mn_sailor (Topic Starter, Members, Ham Lake, MN)
Posted 26 June 2012 - 10:03 AM

I have a problem/question. When following your instructions to run FRST.exe, I don't see "Repair your computer" as a menu item in the F8 Advanced Options Menu. I'm running Windows XP Professional.

John

#15 nasdaq (Malware Response Team, Montreal, QC, Canada)
Posted 26 June 2012 - 10:11 AM

Can you just go to the Command prompt and follow the rest of the instructions?
