
Still infected with Smart HDD (or Other) ?


  • This topic is locked
34 replies to this topic

#1 NdotA

NdotA

  • Members
  • 59 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:06 AM

Posted 22 June 2012 - 03:19 PM

Hi,
I do not know if my system is still infected with Smart HDD or any other malware. This is what happened:

  • While surfing on the internet I suddenly got the messages that my hard drive is defective etc. etc., which I could identify by searching the internet to be an infection with the Smart HDD trojan (or whatever this is).
  • I found the removal guide on this site and followed it. But as the infected system did not connect to the internet any more - my WLAN manager would not work in safe mode - I could download Malwarebytes to a USB stick, but could not have it updated. I had to scan with a version of Malwarebytes outdated by 76 days. This found six infections and put them into quarantine. But on reboot to normal mode I found the malware still active.
  • Booting to safe mode again, I stumbled over the option to continue in safe mode or restore the system to an older point. I did restore my system and selected a date immediately before I noticed the infection. This worked fine. My desktop was back, I had to unhide some files and then I was back to working conditions.
  • I updated Malwarebytes and the scan found three more infections and put them into quarantine (ran in normal mode).
  • I found I got reconnected when clicking on a Google search result. I downloaded and ran TDSSKiller, which found one infection and put it into quarantine. Now my system seems to be working fine - but not the same as before the infection.

What makes me think my system might still be infected?
  • My system seems much slower when performing compiles of the programs I am developing, estimated factor about 4 to 5 (this is the task I can perform on my PC with the longest duration without manual input).
  • GMER got stuck while doing its scan. I tried three times; once I got a BSOD, twice the screen froze (no changes any more, the cursor no longer reacting to mouse movements). With the first two incidents I had been working a little on my program while the scan was running, but on the third I made sure neither mouse nor keypad were touched while the scan was running. This is very fishy to me.

Remark:
I have been having boot problems for some time now (and have learned to live with them, for I found your site only recently). This will be a thread of its own in the future, but just in case you stumble across anything in this direction...

Here is dds.txt; attach.txt is attached. Naturally I cannot provide the GMER log, as this got stuck as detailed above:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Aust at 17:27:09 on 2012-06-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.3327.2815 [GMT 2:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Real\RealPlayer\update\realsched.exe
C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\dokumente und einstellungen\all users\anwendungsdaten\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\programme\norton 360\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\programme\norton 360\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\programme\norton 360\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\progra~1\msnmes~1\msnmsgr.exe" /background
mRun: [TkBellExe] "c:\programme\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\programme\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\aust\startm~1\progra~1\autost~1\norton\norton~2.lnk - c:\dokumente und einstellungen\all users\dokumente\norton\{N360600145-SHPD-FSD25037}
IE: Alles mit FDM herunterladen - file://c:\programme\free download manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\free download manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\free download manager\dllink.htm
IE: Videos mit FDM herunterladen - file://c:\programme\free download manager\dlfvideo.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: Interfaces\{0D4044BF-FF21-4576-89FB-DEB0C3922942} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{EEB84F45-77CF-4887-A164-C39811EBD7C8} : DhcpNameServer = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\dokumente und einstellungen\aust\anwendungsdaten\mozilla\firefox\profiles\hz7t7jnk.default\
FF - prefs.js: browser.startup.homepage - hxxp://de.msn.com/
FF - component: c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\dokumente und einstellungen\all users\anwendungsdaten\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\dokumente und einstellungen\all users\anwendungsdaten\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\dokumente und einstellungen\all users\anwendungsdaten\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\programme\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programme\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\programme\opera\program\plugins\NPDllFrame.dll
FF - plugin: c:\programme\opera\program\plugins\npdoc.dll
FF - plugin: c:\programme\opera\program\plugins\NPFpiFrame.dll
FF - plugin: c:\programme\opera\program\plugins\NPFpiFrame2.dll
FF - plugin: c:\programme\opera\program\plugins\npsmlvdo.dll
FF - plugin: c:\programme\virtual earth 3d\npVE3D.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\dokumente und einstellungen\all users\anwendungsdaten\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-12-1 4064]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-11-30 21992]
R2 MBAMService;MBAMService;c:\programme\malwarebytes' anti-malware\mbamservice.exe [2012-6-20 654408]
R2 Transbase;Transbase;c:\bmwgroup\etklokal\transbase\tbmux32.exe [2008-6-11 385024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-20 22344]
R3 rt2870;Speedport W 102 Stick IEEE 802.11n USB 2.0 Driver;c:\windows\system32\drivers\rt2870.sys [2008-10-29 644096]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys --> c:\windows\system32\drivers\n360\0502000.00d\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys --> c:\windows\system32\drivers\n360\0502000.00d\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-17 820856]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys --> c:\windows\system32\drivers\n360\0502000.00d\Ironx86.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\programme\google\update\GoogleUpdate.exe [2009-12-31 135664]
S2 N360;Norton 360;"c:\programme\norton 360\norton 360\engine\5.2.0.13\ccsvchst.exe" /s "n360" /m "c:\programme\norton 360\norton 360\engine\5.2.0.13\dimaster.dll" /prefetch:1 --> c:\programme\norton 360\norton 360\engine\5.2.0.13\ccSvcHst.exe [?]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\google\update\GoogleUpdate.exe [2009-12-31 135664]
S3 IDSxpx86;IDSxpx86;c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120329.002\IDSXpx86.sys [2012-3-29 356280]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\programme\msi\live update 5\msibios32_100507.sys [2011-11-30 25912]
S3 NAVENG;NAVENG;c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120330.002\NAVENG.SYS [2012-3-30 86136]
S3 NAVEX15;NAVEX15;c:\dokumente und einstellungen\all users\anwendungsdaten\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120330.002\NAVEX15.SYS [2012-3-30 1576312]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\programme\msi\live update 5\NTIOLib.sys [2011-11-30 7680]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S3 TS111_USB;T-Sinus 111data Driver;c:\windows\system32\drivers\TS111USB.sys [2007-8-31 645120]
S3 w32n5323;w32n5323 Protocol Driver;\??\c:\progra~1\dt\dt11mb~1\instal~1\winxp\w32n5323.sys --> c:\progra~1\dt\dt11mb~1\instal~1\winxp\w32n5323.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-22 11:16:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-20 15:08:02 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 14:50:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-06-20 14:50:18 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-20 09:23:04 -------- d-----w- c:\dokumente und einstellungen\aust\anwendungsdaten\Malwarebytes
2012-06-20 08:26:04 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2012-06-20 08:26:04 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2012-06-13 10:42:30 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M ====================
.
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19:38 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:34 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:28 23576 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-05-31 13:22:01 604160 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:07:03 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:56:00 1863296 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:40:24 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:40:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14:31 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14:31 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:30 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-30 14:54:04 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-03-30 14:54:04 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-26 12:21:55 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 17:27:18,51 ===============

Thanks in advance for your good work.

Norbert

Attached Files
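As an added example (not code from this thread, from DDS or from the Malware Response Team), a small Python triage helper for the DDS log format posted above: it parses the SERVICES / DRIVERS entries and the BHO/TB/EB browser hooks from the Pseudo HJT Report and lists the entries a helper would look at first. It assumes the system drive is C:, as in this log; the sample lines are copied from the log above.

```python
"""Triage helper for the DDS log format posted above (constructed example;
not a DDS, BleepingComputer or Malware Response Team tool).

It parses the 'SERVICES / DRIVERS' entries (R0-R3 running, S0-S4 stopped or
on demand) and the BHO/TB/EB browser hooks from the 'Pseudo HJT Report', and
lists what a responder would want to check first:
  * drivers DDS could not verify, printed with '[?]' instead of [date size]
  * drivers whose image sits on a non-system drive
  * browser hooks whose file is gone ('No File'), i.e. orphaned entries
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Windows lives on C:, as in the log in this thread.
SYSTEM_DRIVE = "c:"

# Sample lines copied from the DDS output posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
============= SERVICES / DRIVERS ===============
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-12-1 4064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-20 22344]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys --> c:\windows\system32\drivers\n360\0502000.00d\SYMDS.SYS [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
=============== Created Last 30 ================
"""

# "<state> <service>;<display name>;<image path> [<date> <size>]"  or  "[?]"
DRIVER_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# "BHO: <name>: {CLSID} - <dll>"   /   "TB: {CLSID} - No File"
HOOK_RE = re.compile(r"^(BHO|TB|EB): (?:(.*?): )?\{([0-9A-Fa-f-]+)\} - (.*)$")


@dataclass
class Driver:
    state: str            # R = running, S = stopped/on demand; digit = start type
    name: str
    display: str
    path: str             # resolved path (right-hand side of '-->' when present)
    verified: bool        # False when DDS printed '[?]'
    size: Optional[int]


@dataclass
class Hook:
    kind: str             # BHO, TB (toolbar) or EB (explorer bar)
    name: Optional[str]
    clsid: str
    target: str           # DLL path, or the literal 'No File'


def parse_drivers(lines: List[str]) -> List[Driver]:
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue
        state, name, display, path_field, bracket = m.groups()
        # DDS prints "<registry path> --> <resolved path>" when the two differ.
        path = path_field.split(" --> ")[-1].strip()
        if path.startswith("\\??\\"):   # NT object-manager prefix
            path = path[4:]
        if bracket == "?":
            verified, size = False, None
        else:
            verified, size = True, int(bracket.split()[-1])
        drivers.append(Driver(state, name, display, path, verified, size))
    return drivers


def parse_hooks(lines: List[str]) -> List[Hook]:
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line)
        if m:
            kind, name, clsid, target = m.groups()
            hooks.append(Hook(kind, name, clsid, target))
    return hooks


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (entry, location, reason) triples worth a second look."""
    lines = log_text.splitlines()
    findings = []
    for d in parse_drivers(lines):
        drive = d.path[:2].lower()
        if not d.verified:
            # '[?]' only means DDS could not stat the file. For an S3 (on demand)
            # driver on a removable drive this is usually a leftover installer
            # whose media is unplugged, so it is a prompt to check, not a verdict.
            findings.append((d.name, d.path, "file not verified by DDS ('[?]')"))
        if drive != SYSTEM_DRIVE:
            findings.append((d.name, d.path, f"image on non-system drive {drive}"))
    for h in parse_hooks(lines):
        if h.target == "No File":
            findings.append((h.kind, h.clsid, "orphaned browser hook, DLL missing"))
    return findings


if __name__ == "__main__":
    for entry, where, reason in triage(SAMPLE_LOG):
        print(f"{entry:14} {reason:40} {where}")
```

On the sample above it reports SymDS, PciCon and SetupNTGLM7X as unverified, PciCon and SetupNTGLM7X as loading from E: and I:, and the two CLSID-only toolbar/explorer-bar entries as orphaned; none of that is a malware verdict on its own, only the short list to check first.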




#2 NdotA

NdotA
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:06 AM

Posted 22 June 2012 - 03:39 PM

Ooops,

it is only now that I see that some text of the attached file is in German. Here is a translation:

In Attach.txt:
Es wurde versucht, die geschützte Systemdatei c:\programme\gemeinsame dateien\microsoft shared\dao\dao360.dll zu ersetzen. Diese Datei wurde von der Originalversion wiederhergestellt, um die Systemstabilität zu gewährleisten. Die Dateiversion der Systemdatei ist 3.60.9512.0.

would be:
'It was tried to replace the protected system file c:\.... This file was restored from the original version to ensure system stability. File version of the system file is 3. ...'

Norbert

Edited by NdotA, 22 June 2012 - 03:40 PM.


#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:06 AM

Posted 25 June 2012 - 07:32 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#4 NdotA

NdotA
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:06 AM

Posted 25 June 2012 - 09:47 AM

Nice to meet you, Gringo.

A strange thing happened when I ran Combofix:

I have Norton 360 on my system, but one of the mysteries of my system is that this fails to start when Windows is started. The icon does not show in the system tray and I know for sure that it is not running, for otherwise it would be scanning my system all the time (and hinder me considerably in working). But Combofix informed me that a Norton scanner was running and I should stop this to prevent unpredictable results. I saw no other way than using my Norton removal tool to make sure Norton 360 is deactivated. Unfortunately I had to reboot my system and had to close Combofix by using the exit button (x in the top right corner). On restart of the system I received quite a few messages from Windows saying that the system is recovering from a fatal error and to send / not send a problem report. Hopefully I did not mess up things completely.

Then Combofix ran fine (see logs below).

Now that my system is back running, on starting Internet Explorer I get the message that IE is running without add-ons. But if I open the console to manage the add-ons, I find all add-ons activated. Would need some advice here.

I see, that the logs contain some information in German. If you want me to translate them, let me know.

My system is otherwise running fine. Would you want me to run GMER (and see if it closes properly)?

Just one remark to maybe improve Combofix:
As I am located in Germany the German version was running. Some of the texts are ambiguous. For instance the line 'Versuche, einen neuen Wiederherstellungspunkt zu erstellen' could either be understood as short for 'Ich versuche...' (we called this 'telegram style' in the past) or could be understood as advice to be followed. When I read the first of the notices I was in doubt what to do. I would propose that the notices should be like 'Combofix versucht, einen neuen Wiederherstellungspunkt zu erstellen'. This would make it clear that it is not advice to do anything. If you should need some assistance with the German texts, I would be happy to oblige.

Now the logs:

Checkup:
Note: I had to run Security Check a second time, for I could not locate checkup.txt on my desktop or in C:\. Therefore the Norton 360 installation is not showing here, for I had it removed to run Combofix.

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version 1.61.0.1400
TuneUp Utilities 2007
Java™ 6 Update 26
Java™ 6 Update 7
Java version out of Date!
Adobe Flash Player 9.0.115.0 Flash Player out of Date!
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````

Combofix:

ComboFix 12-06-25.03 - Aust 25.06.2012 15:40:19.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.3327.2816 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Aust\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
c:\dokumente und einstellungen\Aust\Desktop\Internet Explorer.lnk
c:\dokumente und einstellungen\Aust\Lokale Einstellungen\Anwendungsdaten\assembly\tmp
c:\dokumente und einstellungen\Aust\Recent\Thumbs.db
c:\dokumente und einstellungen\Aust\WINDOWS
c:\windows\Fonts\ARIALUNI.exe
c:\windows\IsUn0407.exe
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\FF05DA0D.dll
c:\windows\unin0407.exe
D:\install.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-05-25 bis 2012-06-25 ))))))))))))))))))))))))))))))
.
.
2012-06-22 11:16 . 2012-06-22 11:16 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-20 15:08 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 14:50 . 2012-06-20 14:50 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-20 09:23 . 2012-06-20 09:23 -------- d-----w- c:\dokumente und einstellungen\Aust\Anwendungsdaten\Malwarebytes
2012-06-20 08:26 . 2012-06-20 08:26 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2012-06-20 08:26 . 2012-06-20 15:08 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2012-06-20 08:26 . 2012-06-20 08:26 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-06-13 10:42 . 2012-05-11 14:40 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 13:19 . 2007-10-28 16:34 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2007-10-28 16:34 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2007-08-27 19:26 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2007-08-27 19:26 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2007-08-27 19:26 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2007-10-28 16:34 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2007-10-28 16:34 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-08-27 19:26 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2007-08-27 18:15 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2003-04-02 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2007-10-28 16:34 23576 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2007-08-27 19:26 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2007-08-27 18:15 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2003-04-02 12:00 604160 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2003-04-02 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:56 . 2003-04-02 12:00 1863296 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:40 . 2003-04-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2003-04-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-08-27 19:26 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14 . 2003-04-02 12:00 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2002-08-29 03:41 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-08-27 18:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
1998-02-23 08:01 . 2011-03-25 19:48 197120 ----a-w- c:\programme\opera\program\plugins\errormsg.dll
1998-09-14 08:05 . 2011-03-25 19:48 250368 ----a-w- c:\programme\opera\program\plugins\oleplug.dll
2009-03-31 20:47 . 2009-02-26 00:33 324976 ----a-w- c:\programme\mozilla firefox\components\coFFPlgn.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-25 05:27 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2011-10-25 05:27 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[7] 2004-08-03 . 7CE20569925DF6789C31799F0C538F29 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programme\Real\RealPlayer\update\realsched.exe" [2011-03-15 273544]
"Malwarebytes' Anti-Malware"="c:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2011-10-25 24064]
.
c:\dokumente und einstellungen\Aust\Startmenü\Programme\Autostart\Norton
Norton-Installationsdateien.lnk - c:\dokumente und einstellungen\All Users\Dokumente\Norton\{N360600145-SHPD-FSD25037} [2012-3-27] [Folder]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus SX200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "c:\windows\TEMP\E_S65.tmp" /EF "HKCU"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\railworks\\RailWorks.exe"=
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [01.12.2008 20:16 4064]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [30.11.2011 15:41 21992]
R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [20.06.2012 17:08 654408]
R2 Transbase;Transbase;c:\bmwgroup\ETKLokal\transbase\tbmux32.exe [11.06.2008 20:02 385024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.06.2012 17:08 22344]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [31.12.2009 17:39 135664]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\Google\Update\GoogleUpdate.exe [31.12.2009 17:39 135664]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\programme\MSI\Live Update 5\msibios32_100507.sys [30.11.2011 16:38 25912]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\programme\MSI\Live Update 5\NTIOLib.sys [30.11.2011 16:38 7680]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S3 TS111_USB;T-Sinus 111data Driver;c:\windows\system32\drivers\TS111USB.sys [31.08.2007 13:28 645120]
S3 w32n5323;w32n5323 Protocol Driver;\??\c:\progra~1\DT\DT11MB~1\INSTAL~1\WINXP\w32n5323.SYS --> c:\progra~1\DT\DT11MB~1\INSTAL~1\WINXP\w32n5323.SYS [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-25 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-19 13:13]
.
2012-06-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1957994488-838170752-682003330-1004.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
.
2012-06-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1957994488-838170752-682003330-1004.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm
IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-Adobe Type Manager 4.0 - c:\windows\unin0407.exe
AddRemove-ArcSoft PhotoStudio 2000 - c:\windows\IsUn0407.exe
AddRemove-AuranTS2009_is1 - g:\ts2010\unins000.exe
AddRemove-fpi-CD - c:\windows\unin0407.exe
AddRemove-SysadmV10 - c:\windows\unin0407.exe
AddRemove-TISV10 - c:\windows\unin0407.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 15:45
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2012-06-25 15:47:00
ComboFix-quarantined-files.txt 2012-06-25 13:46
.
Vor Suchlauf: 6.734.946.304 Bytes frei
Nach Suchlauf: 7.549.730.816 Bytes frei
.
WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn/ 3GB /USERVA=2990
.
- - End Of File - - 0E6B581AFDF65359C93F5E7A87CA11C0

#5 NdotA (Topic Starter, Members, 59 posts)

Posted 25 June 2012 - 11:57 AM

Some good and some bad news to add:

The good one:
My system seems to be back to its prior speed.

The bad one:
GMER crashed again and produced a BSOD. I happened to observe the screen and I think it was checking C:/WINDOWS/Microsoft.Net at the time (or had just finished it).
The technical information included in the BSOD was:
*** STOP: 0x0000007E (0xC0000005, 0xF0BE1481, 0xF5F21984, 0xF5F21680)
*** rt2870.sys - Address F0BE1481 base at F0B8B000, Datastamp 490803FF

After the reboot I received the message boxes again informing me that the system is recovering from a severe error (I do not know the proper English text 'cause my system talks German to me).
I caught the technical information contained in the first three error reports (of about 10 messages) to be:

C:\DOKUME~1\Aust\LOKALE~1\Temp\WERa129.dir00\Mini092510-01.dmp
C:\DOKUME~1\Aust\LOKALE~1\Temp\WERa129.dir00\sysdata.xml

C:\DOKUME~1\Aust\LOKALE~1\Temp\WER7bcf.dir00\Mini021311-01.dmp
C:\DOKUME~1\Aust\LOKALE~1\Temp\WER7bcf.dir00\sysdata.xml

C:\DOKUME~1\Aust\LOKALE~1\Temp\WERd93e.dir00\Mini112111-01.dmp
C:\DOKUME~1\Aust\LOKALE~1\Temp\WERd93e.dir00\sysdata.xml

These files do not exist, though.

Greetings from Germany to Costa Rica (been there a couple of years back)

Norbert

#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 25 June 2012 - 12:59 PM

Greetings


We don't need to run GMER at this time, so don't try anymore.


I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here (donate button). Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
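For reading the TDSSKiller report that this step asks for, here is an added example (not part of the thread and not Kaspersky's tool) that parses the report's line format as pasted later in this thread and flags every entry whose verdict is not "ok", so the one driver named in a BSOD can be found with its hash and path. The first sample lines are copied from the thread's report; the last two lines and the name example_svc are constructed, as is the "detected" verdict wording.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A TDSSKiller log line is "HH:MM:SS.mmmm <pid> <body>" (format as pasted in this thread).
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<body>.*)$")
# "<name> (<md5>) <path>": a service/driver whose image file was found and hashed.
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# "<name> - <verdict>": the verdict line ("ok" or anything else) for that entry.
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class Entry:
    name: str
    verdict: str
    md5: Optional[str] = None   # None: registry entry with no image file on disk
    path: Optional[str] = None

    @property
    def flagged(self) -> bool:
        # TDSSKiller marks clean items "- ok"; any other verdict deserves a look.
        return self.verdict.strip().lower() != "ok"


def parse_tdsskiller(text: str) -> List[Entry]:
    """Return one Entry per service/driver in the scan section of the log."""
    entries: List[Entry] = []
    pending: Dict[str, tuple] = {}   # name -> (md5, path) awaiting its verdict line
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # banner, blank and separator lines
        body = m.group("body")
        if body.startswith("Scan started"):
            in_scan = True            # header lines also contain " - " (drive geometry)
            continue
        if not in_scan:
            continue
        fm = FILE_RE.match(body)
        if fm:
            pending[fm.group("name")] = (fm.group("md5").lower(), fm.group("path"))
            continue
        vm = VERDICT_RE.match(body)
        if vm:
            name = vm.group("name")
            md5, path = pending.pop(name, (None, None))
            entries.append(Entry(name, vm.group("verdict"), md5, path))
    return entries


def find_entry(entries: List[Entry], name: str) -> Optional[Entry]:
    """Look up one service/driver by name, e.g. the driver named in a BSOD."""
    return next((e for e in entries if e.name.lower() == name.lower()), None)


def flagged_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flagged]


def summarize(text: str) -> Dict[str, int]:
    entries = parse_tdsskiller(text)
    return {
        "scanned": len(entries),
        "with_file": sum(1 for e in entries if e.md5 is not None),
        "flagged": len(flagged_entries(entries)),
    }


# Sample log: the first lines are copied from the report in this thread; the last two
# lines are CONSTRUCTED to show a non-"ok" verdict (hash, path and name are placeholders).
SAMPLE_LOG = r"""
19:44:58.0031 2308 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
19:44:59.0468 2308 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200
19:44:59.0640 2308 Initialize success
19:45:10.0062 3080 Scan started
19:45:10.0062 3080 Mode: Manual;
19:45:10.0421 3080 Abiosdsk - ok
19:45:10.0468 3080 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:45:10.0468 3080 ACPI - ok
19:45:10.0859 3080 Ati HotKey Poller (bae7603f489ddc1c895217d98d3ec5b7) C:\WINDOWS\system32\Ati2evxx.exe
19:45:10.0875 3080 Ati HotKey Poller - ok
19:45:16.0718 3080 rt2870 (19a0b57164830df3c699e3cc93f68e37) C:\WINDOWS\system32\DRIVERS\rt2870.sys
19:45:16.0718 3080 rt2870 - ok
19:45:17.0000 3080 example_svc (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\example.sys
19:45:17.0000 3080 example_svc - detected CONSTRUCTED.Sample
"""

if __name__ == "__main__":
    found = parse_tdsskiller(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    for e in flagged_entries(found):
        print(f"FLAGGED {e.name}: {e.verdict} [{e.md5}] {e.path}")
    bsod_driver = find_entry(found, "rt2870")
    if bsod_driver:
        print(f"rt2870 image: {bsod_driver.path} md5={bsod_driver.md5}")
```

Feed it the full pasted report and the flagged list is what to read first; the md5 of the entry named in a BSOD (here rt2870) is what one would look up against the vendor's known-good file.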

#7 NdotA (Topic Starter, Members, 59 posts)

Posted 25 June 2012 - 01:33 PM

Hello Gringo,

Attached please find the reports as requested. Both programs ran without any problem.

Question: Does Malwarebytes in any payware version do the job that Norton 360 does, that is, protecting from viruses, or do I have to reinstall this package? I would like to get to a lightweight product that maybe offers somewhat less functionality but does not consume half of the engine power of my data pipelines.

Report from TDSSKiller:

19:44:58.0031 2308 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
19:44:58.0343 2308 ============================================================
19:44:58.0343 2308 Current date / time: 2012/06/25 19:44:58.0343
19:44:58.0343 2308 SystemInfo:
19:44:58.0343 2308
19:44:58.0343 2308 OS Version: 5.1.2600 ServicePack: 3.0
19:44:58.0343 2308 Product type: Workstation
19:44:58.0343 2308 ComputerName: AUST-Q0HX0CC2TV
19:44:58.0343 2308 UserName: Aust
19:44:58.0343 2308 Windows directory: C:\WINDOWS
19:44:58.0343 2308 System windows directory: C:\WINDOWS
19:44:58.0343 2308 Processor architecture: Intel x86
19:44:58.0343 2308 Number of processors: 4
19:44:58.0343 2308 Page size: 0x1000
19:44:58.0343 2308 Boot type: Normal boot
19:44:58.0343 2308 ============================================================
19:44:59.0468 2308 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:44:59.0468 2308 ============================================================
19:44:59.0468 2308 \Device\Harddisk0\DR0:
19:44:59.0468 2308 MBR partitions:
19:44:59.0468 2308 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
19:44:59.0484 2308 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4E1EE6A, BlocksNum 0x183A1856
19:44:59.0484 2308 ============================================================
19:44:59.0578 2308 D: <-> \Device\Harddisk0\DR0\Partition1
19:44:59.0609 2308 C: <-> \Device\Harddisk0\DR0\Partition0
19:44:59.0640 2308 ============================================================
19:44:59.0640 2308 Initialize success
19:44:59.0640 2308 ============================================================
19:45:10.0062 3080 ============================================================
19:45:10.0062 3080 Scan started
19:45:10.0062 3080 Mode: Manual;
19:45:10.0062 3080 ============================================================
19:45:10.0421 3080 Abiosdsk - ok
19:45:10.0421 3080 abp480n5 - ok
19:45:10.0468 3080 ACPI (ac407f1a62c3a300b4f2b5a9f1d55b2c) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:45:10.0468 3080 ACPI - ok
19:45:10.0500 3080 ACPIEC (9e1ca3160dafb159ca14f83b1e317f75) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:45:10.0500 3080 ACPIEC - ok
19:45:10.0500 3080 adpu160m - ok
19:45:10.0515 3080 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:45:10.0515 3080 aec - ok
19:45:10.0546 3080 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:45:10.0546 3080 AFD - ok
19:45:10.0562 3080 Aha154x - ok
19:45:10.0562 3080 aic78u2 - ok
19:45:10.0562 3080 aic78xx - ok
19:45:10.0578 3080 Alerter (738d80cc01d7bc7584be917b7f544394) C:\WINDOWS\system32\alrsvc.dll
19:45:10.0578 3080 Alerter - ok
19:45:10.0593 3080 ALG (190cd73d4984f94d823f9444980513e5) C:\WINDOWS\System32\alg.exe
19:45:10.0593 3080 ALG - ok
19:45:10.0593 3080 AliIde - ok
19:45:10.0609 3080 amsint - ok
19:45:10.0609 3080 AppMgmt - ok
19:45:10.0609 3080 asc - ok
19:45:10.0609 3080 asc3350p - ok
19:45:10.0625 3080 asc3550 - ok
19:45:10.0734 3080 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
19:45:10.0750 3080 aspnet_state - ok
19:45:10.0781 3080 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:45:10.0781 3080 AsyncMac - ok
19:45:10.0796 3080 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:45:10.0796 3080 atapi - ok
19:45:10.0796 3080 Atdisk - ok
19:45:10.0859 3080 Ati HotKey Poller (bae7603f489ddc1c895217d98d3ec5b7) C:\WINDOWS\system32\Ati2evxx.exe
19:45:10.0875 3080 Ati HotKey Poller - ok
19:45:10.0937 3080 ATI Smart (ce0664ae94855be469deb05b8bfafb95) C:\WINDOWS\system32\ati2sgag.exe
19:45:10.0937 3080 ATI Smart - ok
19:45:11.0171 3080 ati2mtag (7a95a5f3ed40a3b6f1275821553f3f4f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:45:11.0203 3080 ati2mtag - ok
19:45:11.0343 3080 ATIAVAIW (9ec2b4fb45a9b90a31eca8245bed28b3) C:\WINDOWS\system32\DRIVERS\atinavt2.sys
19:45:11.0343 3080 ATIAVAIW - ok
19:45:11.0375 3080 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:45:11.0375 3080 Atmarpc - ok
19:45:11.0421 3080 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
19:45:11.0421 3080 ATMhelpr - ok
19:45:11.0453 3080 AudioSrv (58ed0d5452df7be732193e7999c6b9a4) C:\WINDOWS\System32\audiosrv.dll
19:45:11.0453 3080 AudioSrv - ok
19:45:11.0468 3080 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:45:11.0468 3080 audstub - ok
19:45:11.0500 3080 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:45:11.0500 3080 Beep - ok
19:45:11.0546 3080 BITS (d6f603772a789bb3228f310d650b8bd1) C:\WINDOWS\system32\qmgr.dll
19:45:11.0546 3080 BITS - ok
19:45:11.0578 3080 Browser (b42057f06bbb98b31876c0b3f2b54e33) C:\WINDOWS\System32\browser.dll
19:45:11.0578 3080 Browser - ok
19:45:11.0656 3080 catchme - ok
19:45:11.0687 3080 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:45:11.0687 3080 cbidf2k - ok
19:45:11.0703 3080 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:45:11.0703 3080 CCDECODE - ok
19:45:11.0718 3080 cd20xrnt - ok
19:45:11.0718 3080 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:45:11.0718 3080 Cdaudio - ok
19:45:11.0734 3080 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:45:11.0734 3080 Cdfs - ok
19:45:11.0750 3080 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:45:11.0750 3080 Cdrom - ok
19:45:11.0750 3080 Changer - ok
19:45:11.0781 3080 CiSvc (28e3040d1f1ca2008cd6b29dfebc9a5e) C:\WINDOWS\system32\cisvc.exe
19:45:11.0781 3080 CiSvc - ok
19:45:11.0796 3080 ClipSrv (778a30ed3c134eb7e406afc407e9997d) C:\WINDOWS\system32\clipsrv.exe
19:45:11.0796 3080 ClipSrv - ok
19:45:11.0859 3080 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:45:11.0937 3080 clr_optimization_v2.0.50727_32 - ok
19:45:11.0984 3080 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:45:12.0015 3080 clr_optimization_v4.0.30319_32 - ok
19:45:12.0015 3080 CmdIde - ok
19:45:12.0015 3080 COMSysApp - ok
19:45:12.0015 3080 Cpqarray - ok
19:45:12.0046 3080 cpuz135 (3411fdf098aa20193eee5ffa36ba43b2) C:\WINDOWS\system32\drivers\cpuz135_x32.sys
19:45:12.0046 3080 cpuz135 - ok
19:45:12.0046 3080 CryptSvc (611f824e5c703a5a899f84c5f1699e4d) C:\WINDOWS\System32\cryptsvc.dll
19:45:12.0046 3080 CryptSvc - ok
19:45:12.0046 3080 dac2w2k - ok
19:45:12.0062 3080 dac960nt - ok
19:45:12.0109 3080 DcomLaunch (3127afbf2c1ed0ab14a1bbb7aaecb85b) C:\WINDOWS\system32\rpcss.dll
19:45:12.0109 3080 DcomLaunch - ok
19:45:12.0140 3080 Dhcp (c29a1c9b75ba38fa37f8c44405dec360) C:\WINDOWS\System32\dhcpcsvc.dll
19:45:12.0140 3080 Dhcp - ok
19:45:12.0171 3080 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:45:12.0171 3080 Disk - ok
19:45:12.0171 3080 dmadmin - ok
19:45:12.0218 3080 dmboot (0dcfc8395a99fecbb1ef771cec7fe4ea) C:\WINDOWS\system32\drivers\dmboot.sys
19:45:12.0218 3080 dmboot - ok
19:45:12.0250 3080 dmio (53720ab12b48719d00e327da470a619a) C:\WINDOWS\system32\drivers\dmio.sys
19:45:12.0250 3080 dmio - ok
19:45:12.0281 3080 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:45:12.0281 3080 dmload - ok
19:45:12.0312 3080 dmserver (25c83ffbba13b554eb6d59a9b2e2ee78) C:\WINDOWS\System32\dmserver.dll
19:45:12.0312 3080 dmserver - ok
19:45:12.0328 3080 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:45:12.0328 3080 DMusic - ok
19:45:12.0359 3080 Dnscache (407f3227ac618fd1ca54b335b083de07) C:\WINDOWS\System32\dnsrslvr.dll
19:45:12.0359 3080 Dnscache - ok
19:45:12.0406 3080 Dot3svc (676e36c4ff5bcea1900f44182b9723e6) C:\WINDOWS\System32\dot3svc.dll
19:45:12.0406 3080 Dot3svc - ok
19:45:12.0406 3080 dpti2o - ok
19:45:12.0421 3080 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:45:12.0421 3080 drmkaud - ok
19:45:12.0437 3080 EapHost (4e4f2fddab0a0736d7671134dcce91fb) C:\WINDOWS\System32\eapsvc.dll
19:45:12.0437 3080 EapHost - ok
19:45:12.0468 3080 ENTECH (bdd170fecb0e496a914318009d85b819) C:\WINDOWS\system32\DRIVERS\ENTECH.SYS
19:45:12.0468 3080 ENTECH - ok
19:45:12.0468 3080 ERSvc (877c18558d70587aa7823a1a308ac96b) C:\WINDOWS\System32\ersvc.dll
19:45:12.0468 3080 ERSvc - ok
19:45:12.0500 3080 Eventlog (a3edbe9053889fb24ab22492472b39dc) C:\WINDOWS\system32\services.exe
19:45:12.0500 3080 Eventlog - ok
19:45:12.0546 3080 EventSystem (af4f6b5739d18ca7972ab53e091cbc74) C:\WINDOWS\System32\es.dll
19:45:12.0546 3080 EventSystem - ok
19:45:12.0578 3080 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:45:12.0578 3080 Fastfat - ok
19:45:12.0609 3080 FastUserSwitchingCompatibility (2db7d303c36ddd055215052f118e8e75) C:\WINDOWS\System32\shsvcs.dll
19:45:12.0609 3080 FastUserSwitchingCompatibility - ok
19:45:12.0640 3080 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:45:12.0640 3080 Fdc - ok
19:45:12.0671 3080 FINEPIX_PCC (c05d16c1ef3f5519764fefdf281ca4d2) C:\WINDOWS\system32\Drivers\V4CB011D.SYS
19:45:12.0671 3080 FINEPIX_PCC - ok
19:45:12.0703 3080 Fips (b0678a548587c5f1967b0d70bacad6c1) C:\WINDOWS\system32\drivers\Fips.sys
19:45:12.0703 3080 Fips - ok
19:45:12.0718 3080 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:45:12.0718 3080 Flpydisk - ok
19:45:12.0750 3080 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:45:12.0750 3080 FltMgr - ok
19:45:12.0843 3080 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:45:12.0843 3080 FontCache3.0.0.0 - ok
19:45:12.0875 3080 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:45:12.0875 3080 Fs_Rec - ok
19:45:12.0906 3080 Ftdisk (8f1955ce42e1484714b542f341647778) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:45:12.0906 3080 Ftdisk - ok
19:45:12.0921 3080 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:45:12.0921 3080 GEARAspiWDM - ok
19:45:12.0921 3080 GMSIPCI - ok
19:45:12.0937 3080 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:45:12.0937 3080 Gpc - ok
19:45:13.0031 3080 gupdate - ok
19:45:13.0031 3080 gupdatem - ok
19:45:13.0078 3080 gusvc (408ddd80eede47175f6844817b90213e) C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
19:45:13.0093 3080 gusvc - ok
19:45:13.0109 3080 HdAudAddService (56bf27d7a539f9e6bbc1de201aba0edf) C:\WINDOWS\system32\drivers\AtiHdAud.sys
19:45:13.0109 3080 HdAudAddService - ok
19:45:13.0140 3080 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:45:13.0140 3080 HDAudBus - ok
19:45:13.0203 3080 helpsvc (cb66bf85bf599befd6c6a57c2e20357f) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:45:13.0203 3080 helpsvc - ok
19:45:13.0203 3080 HidServ - ok
19:45:13.0234 3080 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:45:13.0234 3080 HidUsb - ok
19:45:13.0250 3080 hkmsvc (ed29f14101523a6e0e808107405d452c) C:\WINDOWS\System32\kmsvc.dll
19:45:13.0250 3080 hkmsvc - ok
19:45:13.0265 3080 hpn - ok
19:45:13.0296 3080 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:45:13.0296 3080 HTTP - ok
19:45:13.0328 3080 HTTPFilter (9e4adb854cebcfb81a4b36718feecd16) C:\WINDOWS\System32\w3ssl.dll
19:45:13.0328 3080 HTTPFilter - ok
19:45:13.0328 3080 i2omgmt - ok
19:45:13.0328 3080 i2omp - ok
19:45:13.0359 3080 i8042prt (e283b97cfbeb86c1d86baed5f7846a92) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:45:13.0359 3080 i8042prt - ok
19:45:13.0453 3080 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:45:13.0468 3080 idsvc - ok
19:45:13.0484 3080 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:45:13.0484 3080 Imapi - ok
19:45:13.0515 3080 ImapiService (d4b413aa210c21e46aedd2ba5b68d38e) C:\WINDOWS\system32\imapi.exe
19:45:13.0531 3080 ImapiService - ok
19:45:13.0531 3080 ini910u - ok
19:45:13.0828 3080 IntcAzAudAddService (1367a51bb535d2f76f642d4aade72aee) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:45:13.0843 3080 IntcAzAudAddService - ok
19:45:13.0937 3080 IntelIde - ok
19:45:13.0984 3080 intelppm (4c7d2750158ed6e7ad642d97bffae351) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:45:13.0984 3080 intelppm - ok
19:45:13.0984 3080 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:45:13.0984 3080 ip6fw - ok
19:45:14.0031 3080 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:45:14.0031 3080 IpFilterDriver - ok
19:45:14.0046 3080 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:45:14.0046 3080 IpInIp - ok
19:45:14.0062 3080 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:45:14.0062 3080 IpNat - ok
19:45:14.0078 3080 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:45:14.0078 3080 IPSec - ok
19:45:14.0078 3080 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:45:14.0078 3080 IRENUM - ok
19:45:14.0093 3080 isapnp (6dfb88f64135c525433e87648bda30de) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:45:14.0093 3080 isapnp - ok
19:45:14.0203 3080 JavaQuickStarterService (9dba73c2f1e76ec4cb837e67c5743596) C:\Programme\Java\jre6\bin\jqs.exe
19:45:14.0218 3080 JavaQuickStarterService - ok
19:45:14.0218 3080 Kbdclass (1704d8c4c8807b889e43c649b478a452) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:45:14.0234 3080 Kbdclass - ok
19:45:14.0250 3080 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:45:14.0250 3080 kmixer - ok
19:45:14.0281 3080 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:45:14.0281 3080 KSecDD - ok
19:45:14.0328 3080 lanmanserver (2bbdcb79900990f0716dfcb714e72de7) C:\WINDOWS\System32\srvsvc.dll
19:45:14.0328 3080 lanmanserver - ok
19:45:14.0375 3080 lanmanworkstation (1869b14b06b44b44af70548e1ea3303f) C:\WINDOWS\System32\wkssvc.dll
19:45:14.0375 3080 lanmanworkstation - ok
19:45:14.0375 3080 lbrtfdc - ok
19:45:14.0437 3080 LexBceS (7b3f06ca6f927402d27ea6c64558e021) C:\WINDOWS\system32\LEXBCES.EXE
19:45:14.0437 3080 LexBceS - ok
19:45:14.0468 3080 LmHosts (636714b7d43c8d0c80449123fd266920) C:\WINDOWS\System32\lmhsvc.dll
19:45:14.0468 3080 LmHosts - ok
19:45:14.0500 3080 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
19:45:14.0500 3080 MASPINT - ok
19:45:14.0531 3080 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
19:45:14.0531 3080 MBAMProtector - ok
19:45:14.0625 3080 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
19:45:14.0640 3080 MBAMService - ok
19:45:14.0656 3080 Messenger (b7550a7107281d170ce85524b1488c98) C:\WINDOWS\System32\msgsvc.dll
19:45:14.0656 3080 Messenger - ok
19:45:14.0671 3080 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:45:14.0671 3080 mnmdd - ok
19:45:14.0703 3080 mnmsrvc (c2f1d365fd96791b037ee504868065d3) C:\WINDOWS\System32\mnmsrvc.exe
19:45:14.0703 3080 mnmsrvc - ok
19:45:14.0718 3080 Modem (6fb74ebd4ec57a6f1781de3852cc3362) C:\WINDOWS\system32\drivers\Modem.sys
19:45:14.0718 3080 Modem - ok
19:45:14.0718 3080 Mouclass (b24ce8005deab254c0251e15cb71d802) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:45:14.0718 3080 Mouclass - ok
19:45:14.0750 3080 mouhid (66a6f73c74e1791464160a7065ce711a) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:45:14.0750 3080 mouhid - ok
19:45:14.0750 3080 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:45:14.0750 3080 MountMgr - ok
19:45:14.0781 3080 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
19:45:14.0781 3080 MPE - ok
19:45:14.0781 3080 mraid35x - ok
19:45:14.0843 3080 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:45:14.0843 3080 MRxDAV - ok
19:45:14.0906 3080 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:45:14.0906 3080 MRxSmb - ok
19:45:14.0937 3080 MSDTC (35a031af38c55f92d28aa03ee9f12cc9) C:\WINDOWS\System32\msdtc.exe
19:45:14.0937 3080 MSDTC - ok
19:45:14.0953 3080 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:45:14.0953 3080 Msfs - ok
19:45:14.0953 3080 MSIServer - ok
19:45:15.0015 3080 MSI_MSIBIOS_010507 (3846c05a66a3f5cd1d33e1a323c1762c) C:\Programme\MSI\Live Update 5\msibios32_100507.sys
19:45:15.0015 3080 MSI_MSIBIOS_010507 - ok
19:45:15.0031 3080 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:45:15.0031 3080 MSKSSRV - ok
19:45:15.0031 3080 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:45:15.0031 3080 MSPCLOCK - ok
19:45:15.0031 3080 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:45:15.0031 3080 MSPQM - ok
19:45:15.0062 3080 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:45:15.0062 3080 mssmbios - ok
19:45:15.0078 3080 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
19:45:15.0078 3080 MSTEE - ok
19:45:15.0109 3080 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:45:15.0109 3080 Mup - ok
19:45:15.0125 3080 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:45:15.0125 3080 NABTSFEC - ok
19:45:15.0156 3080 napagent (46bb15ae2ac7d025d6d2567b876817bd) C:\WINDOWS\System32\qagentrt.dll
19:45:15.0171 3080 napagent - ok
19:45:15.0187 3080 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:45:15.0187 3080 NDIS - ok
19:45:15.0187 3080 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:45:15.0187 3080 NdisIP - ok
19:45:15.0218 3080 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:45:15.0218 3080 NdisTapi - ok
19:45:15.0250 3080 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:45:15.0250 3080 Ndisuio - ok
19:45:15.0265 3080 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:45:15.0265 3080 NdisWan - ok
19:45:15.0281 3080 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:45:15.0281 3080 NDProxy - ok
19:45:15.0312 3080 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:45:15.0312 3080 NetBIOS - ok
19:45:15.0328 3080 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:45:15.0328 3080 NetBT - ok
19:45:15.0359 3080 NetDDE (8ace4251bffd09ce75679fe940e996cc) C:\WINDOWS\system32\netdde.exe
19:45:15.0359 3080 NetDDE - ok
19:45:15.0375 3080 NetDDEdsdm (8ace4251bffd09ce75679fe940e996cc) C:\WINDOWS\system32\netdde.exe
19:45:15.0375 3080 NetDDEdsdm - ok
19:45:15.0390 3080 Netlogon (afb8261b56cba0d86aeb6df682af9785) C:\WINDOWS\system32\lsass.exe
19:45:15.0390 3080 Netlogon - ok
19:45:15.0421 3080 Netman (e6d88f1f6745bf00b57e7855a2ab696c) C:\WINDOWS\System32\netman.dll
19:45:15.0421 3080 Netman - ok
19:45:15.0515 3080 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:45:15.0515 3080 NetTcpPortSharing - ok
19:45:15.0562 3080 Nla (f1b67b6b0751ae0e6e964b02821206a3) C:\WINDOWS\System32\mswsock.dll
19:45:15.0562 3080 Nla - ok
19:45:15.0578 3080 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:45:15.0578 3080 Npfs - ok
19:45:15.0578 3080 NTACCESS - ok
19:45:15.0640 3080 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:45:15.0640 3080 Ntfs - ok
19:45:15.0687 3080 NTIOLib_1_0_4 (cd2166c9511d336a058cde91778aaa69) C:\Programme\MSI\Live Update 5\NTIOLib.sys
19:45:15.0687 3080 NTIOLib_1_0_4 - ok
19:45:15.0718 3080 NtLmSsp (afb8261b56cba0d86aeb6df682af9785) C:\WINDOWS\System32\lsass.exe
19:45:15.0734 3080 NtLmSsp - ok
19:45:15.0781 3080 NtmsSvc (56af4064996fa5bac9c449b1514b4770) C:\WINDOWS\system32\ntmssvc.dll
19:45:15.0796 3080 NtmsSvc - ok
19:45:15.0812 3080 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:45:15.0812 3080 Null - ok
19:45:15.0843 3080 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:45:15.0843 3080 NwlnkFlt - ok
19:45:15.0859 3080 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:45:15.0859 3080 NwlnkFwd - ok
19:45:15.0906 3080 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
19:45:15.0906 3080 ose - ok
19:45:15.0953 3080 Parport (f84785660305b9b903fb3bca8ba29837) C:\WINDOWS\system32\DRIVERS\parport.sys
19:45:15.0953 3080 Parport - ok
19:45:15.0953 3080 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:45:15.0953 3080 PartMgr - ok
19:45:15.0984 3080 ParVdm (c2bf987829099a3eaa2ca6a0a90ecb4f) C:\WINDOWS\system32\drivers\ParVdm.sys
19:45:15.0984 3080 ParVdm - ok
19:45:16.0015 3080 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
19:45:16.0031 3080 PCASp50 - ok
19:45:16.0031 3080 PCI (387e8dedc343aa2d1efbc30580273acd) C:\WINDOWS\system32\DRIVERS\pci.sys
19:45:16.0031 3080 PCI - ok
19:45:16.0046 3080 PciCon - ok
19:45:16.0046 3080 PCIDump - ok
19:45:16.0062 3080 PCIIde (59ba86d9a61cbcf4df8e598c331f5b82) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:45:16.0062 3080 PCIIde - ok
19:45:16.0093 3080 Pcmcia (a2a966b77d61847d61a3051df87c8c97) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:45:16.0093 3080 Pcmcia - ok
19:45:16.0093 3080 PDCOMP - ok
19:45:16.0093 3080 PDFRAME - ok
19:45:16.0093 3080 PDRELI - ok
19:45:16.0093 3080 PDRFRAME - ok
19:45:16.0109 3080 perc2 - ok
19:45:16.0109 3080 perc2hib - ok
19:45:19.0468 3080 ============================================================
19:45:19.0468 3080 Scan finished
19:45:19.0468 3080 ============================================================
19:45:19.0468 0976 Detected object count: 0
19:45:19.0468 0976 Actual detected object count: 0


The report from aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-25 19:49:56
-----------------------------
19:49:56.359 OS Version: Windows 5.1.2600 Service Pack 3
19:49:56.359 Number of processors: 4 586 0xF07
19:49:56.359 ComputerName: AUST-Q0HX0CC2TV UserName: Aust
19:49:56.734 Initialize success
19:53:36.453 AVAST engine defs: 12062500
19:53:57.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
19:53:57.640 Disk 0 Vendor: SAMSUNG_SP2504C VT100-33 Size: 238475MB BusType: 3
19:53:57.781 Disk 0 MBR read successfully
19:53:57.796 Disk 0 MBR scan
19:53:57.921 Disk 0 Windows XP default MBR code
19:53:57.953 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
19:53:57.953 Disk 0 Partition - 00 0F Extended LBA 198467 MB offset 81915435
19:53:57.984 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 198467 MB offset 81915498
19:53:58.000 Disk 0 scanning sectors +488376000
19:53:58.078 Disk 0 scanning C:\WINDOWS\system32\drivers
19:54:04.796 Service scanning
19:54:14.484 Modules scanning
19:54:18.421 Disk 0 trace - called modules:
19:54:18.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:54:18.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfcfb5ab8]
19:54:18.437 3 CLASSPNP.SYS[f6147fd7] -> nt!IofCallDriver -> \Device\0000006f[0xfd02e920]
19:54:18.437 5 ACPI.sys[f60bd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-19[0xfcfd5d98]
19:54:18.765 AVAST engine scan C:\WINDOWS
19:54:34.265 AVAST engine scan C:\WINDOWS\system32
19:56:46.875 AVAST engine scan C:\WINDOWS\system32\drivers
19:56:56.890 AVAST engine scan C:\Dokumente und Einstellungen\Aust
20:02:53.718 AVAST engine scan C:\Dokumente und Einstellungen\All Users
20:03:26.625 Scan finished successfully
20:07:57.500 Disk 0 MBR has been saved successfully to "C:\Dokumente und Einstellungen\Aust\Desktop\MBR.dat"
20:07:57.500 The log file has been saved successfully to "C:\Dokumente und Einstellungen\Aust\Desktop\aswMBR.txt"


regards

Norbert

#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 25 June 2012 - 10:30 PM

Greetings

I would like to get to a lightweight product that offers maybe some less functionality but does not consume half of the engine power of my data pipelines.


try this out - it is what I use - Microsoft Security Essentials

And no, MBAM is not a substitute for an antivirus but a complement to one.



:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 NdotA
  • Topic Starter
  • Members
  • 59 posts

Posted 26 June 2012 - 02:54 AM

Thanks, Gringo.

Before running ComboFix as instructed, I downloaded and installed MSE (for I felt quite unsafe with my defences down). MSE performed a quick scan without finding anything.

ComboFix asked me to allow updating, which I did. Then ComboFix restarted and ran without any problems.

Performance of my PC seems unchanged for what I know.

The log:

ComboFix 12-06-25.05 - Aust 26.06.2012 9:18.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.3327.2708 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Aust\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\Aust\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\Aust\Recent\Thumbs.db
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-05-26 bis 2012-06-26 ))))))))))))))))))))))))))))))
.
.
2012-06-26 07:06 . 2012-06-26 07:06 56200 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Antimalware\Definition Updates\{F372802D-900E-4CEA-AE4B-CD634B34F00F}\offreg.dll
2012-06-26 07:06 . 2012-06-26 07:06 29904 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Antimalware\Definition Updates\{F372802D-900E-4CEA-AE4B-CD634B34F00F}\MpKsl6b27dbba.sys
2012-06-26 06:56 . 2012-05-30 18:41 6762896 ----a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Antimalware\Definition Updates\{F372802D-900E-4CEA-AE4B-CD634B34F00F}\mpengine.dll
2012-06-26 06:56 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-06-26 06:53 . 2012-06-26 06:53 -------- d-----w- c:\windows\LastGood
2012-06-26 06:53 . 2012-06-26 06:53 -------- d-----w- c:\programme\Microsoft Security Client
2012-06-25 17:10 . 2012-06-25 17:10 1409 ----a-w- c:\windows\QTFont.for
2012-06-22 11:16 . 2012-06-22 11:16 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-20 15:08 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 14:50 . 2012-06-20 14:50 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-20 09:23 . 2012-06-20 09:23 -------- d-----w- c:\dokumente und einstellungen\Aust\Anwendungsdaten\Malwarebytes
2012-06-20 08:26 . 2012-06-20 08:26 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2012-06-20 08:26 . 2012-06-20 15:08 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2012-06-20 08:26 . 2012-06-20 08:26 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2012-06-13 10:42 . 2012-05-11 14:40 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 13:19 . 2007-10-28 16:34 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2007-10-28 16:34 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2007-08-27 19:26 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2007-08-27 19:26 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2007-08-27 19:26 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2007-10-28 16:34 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2007-10-28 16:34 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-08-27 19:26 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2007-08-27 18:15 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2003-04-02 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2007-10-28 16:34 23576 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2007-08-27 19:26 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2007-08-27 18:15 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2003-04-02 12:00 604160 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2003-04-02 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:56 . 2003-04-02 12:00 1863296 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:40 . 2003-04-02 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:40 . 2003-04-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2007-08-27 19:26 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 03:14 . 2003-04-02 12:00 2150912 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2002-08-29 03:41 2029056 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-08-27 18:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
1998-02-23 08:01 . 2011-03-25 19:48 197120 ----a-w- c:\programme\opera\program\plugins\errormsg.dll
1998-09-14 08:05 . 2011-03-25 19:48 250368 ----a-w- c:\programme\opera\program\plugins\oleplug.dll
2009-03-31 20:47 . 2009-02-26 00:33 324976 ----a-w- c:\programme\mozilla firefox\components\coFFPlgn.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-25 05:27 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2011-10-25 05:27 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[7] 2004-08-03 . 7CE20569925DF6789C31799F0C538F29 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-06-25_13.45.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-26 05:34 . 2012-06-26 05:34 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2012-03-20 18:44 . 2012-03-20 18:44 171064 c:\windows\system32\drivers\MpFilter.sys
+ 2012-06-26 06:53 . 2012-06-26 06:53 301056 c:\windows\Installer\89a9b.msi
+ 2012-06-26 06:53 . 2012-06-26 06:53 109563 c:\windows\Installer\{0F842B77-56EA-4AAF-8295-81A022350B5E}\SCEP.exe
+ 2012-06-26 06:53 . 2012-06-26 06:53 123352 c:\windows\Installer\{0F842B77-56EA-4AAF-8295-81A022350B5E}\MSE.exe
+ 2012-06-26 06:53 . 2012-06-26 06:53 109563 c:\windows\Installer\{0F842B77-56EA-4AAF-8295-81A022350B5E}\INTUNE.exe
+ 2012-06-26 06:53 . 2012-06-26 06:53 109563 c:\windows\Installer\{0F842B77-56EA-4AAF-8295-81A022350B5E}\FEP.exe
+ 2012-06-26 06:53 . 2012-06-26 06:53 109563 c:\windows\Installer\{0F842B77-56EA-4AAF-8295-81A022350B5E}\EPP.exe
+ 2012-06-26 06:53 . 2012-06-26 06:53 1826304 c:\windows\Installer\89aa4.msi
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programme\Real\RealPlayer\update\realsched.exe" [2011-03-15 273544]
"Malwarebytes' Anti-Malware"="c:\programme\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"MSC"="c:\programme\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2011-10-25 24064]
.
c:\dokumente und einstellungen\Aust\Startmenü\Programme\Autostart\Norton
Norton-Installationsdateien.lnk - c:\dokumente und einstellungen\All Users\Dokumente\Norton\{N360600145-SHPD-FSD25037} [2012-3-27] [Folder]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus SX200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "c:\windows\TEMP\E_S65.tmp" /EF "HKCU"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Steam\\SteamApps\\common\\railworks\\RailWorks.exe"=
.
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [01.12.2008 20:16 4064]
R1 MpKsl6b27dbba;MpKsl6b27dbba;c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Antimalware\Definition Updates\{F372802D-900E-4CEA-AE4B-CD634B34F00F}\MpKsl6b27dbba.sys [26.06.2012 09:06 29904]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [30.11.2011 15:41 21992]
R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [20.06.2012 17:08 654408]
R2 Transbase;Transbase;c:\bmwgroup\ETKLokal\transbase\tbmux32.exe [11.06.2008 20:02 385024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.06.2012 17:08 22344]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [31.12.2009 17:39 135664]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\Google\Update\GoogleUpdate.exe [31.12.2009 17:39 135664]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\programme\MSI\Live Update 5\msibios32_100507.sys [30.11.2011 16:38 25912]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\programme\MSI\Live Update 5\NTIOLib.sys [30.11.2011 16:38 7680]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S3 TS111_USB;T-Sinus 111data Driver;c:\windows\system32\drivers\TS111USB.sys [31.08.2007 13:28 645120]
S3 w32n5323;w32n5323 Protocol Driver;\??\c:\progra~1\DT\DT11MB~1\INSTAL~1\WINXP\w32n5323.SYS --> c:\progra~1\DT\DT11MB~1\INSTAL~1\WINXP\w32n5323.SYS [?]
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - MPFILTER
*NewlyCreated* - MPKSL6B27DBBA
*NewlyCreated* - MSMPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-25 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-19 13:13]
.
2012-06-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\programme\Microsoft Security Client\MpCmdRun.exe [2012-03-26 15:03]
.
2012-06-26 c:\windows\Tasks\MpIdleTask.job
- c:\programme\Microsoft Security Client\MpCmdRun.exe [2012-03-26 15:03]
.
2012-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1957994488-838170752-682003330-1004.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
.
2012-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1957994488-838170752-682003330-1004.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2011-01-24 13:25]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm
IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-26 09:26
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
.
Zeit der Fertigstellung: 2012-06-26 09:27:41
ComboFix-quarantined-files.txt 2012-06-26 07:27
ComboFix2.txt 2012-06-25 13:47
.
Vor Suchlauf: 7.165.960.192 Bytes frei
Nach Suchlauf: 7.397.642.240 Bytes frei
.
- - End Of File - - 3542AEB17D1B5A7BD9779A732C2D706C


Best regards

Norbert
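The ComboFix log above is read by hand in the thread; as an added example (not from the thread, and not ComboFix's own code), here is a small Python triage of the autostart and services sections in that log's shape, run over constructed sample lines with hypothetical helper heuristics: it lists Run entries, flags Security Center DisableMonitoring overrides so a helper can check whether the product they belong to is still installed, and flags services whose image file ComboFix could not find ([?]) or that point off the system drive.

```python
"""Triage of the registry-autostart and services sections of a ComboFix log.

Added example for this thread; not ComboFix's own code.  The rules are ordinary
helper heuristics (an assumption, not ComboFix's verdicts) and SAMPLE_LOG is a
constructed excerpt in the shape of the German ComboFix output posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines, shaped like the "Autostartpunkte" and service
# lines in the thread's log (a few entries only).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\programme\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 MBAMService;MBAMService;c:\programme\Malwarebytes' Anti-Malware\mbamservice.exe [20.06.2012 17:08 654408]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                      # [HKEY_...\...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')  # "Name"=value inside a section
# <start type> <name>;<display name>;<image path> [<date> <size>]  or  ... --> <path> [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class Finding:
    kind: str     # monitoring_disabled | run_entry | missing_service_file | service_off_system_drive
    subject: str  # registry key, value name or service name
    detail: str


@dataclass
class Triage:
    run_entries: dict = field(default_factory=dict)  # value name -> image path
    services: dict = field(default_factory=dict)     # service name -> image path
    findings: list = field(default_factory=list)


def _image_path(rest: str) -> str:
    """Reduce the tail of a service line to the path ComboFix resolved."""
    if "-->" in rest:                        # ComboFix prints the resolved path after -->
        rest = rest.split("-->", 1)[1]
    return re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()  # drop trailing [date size] or [?]


def triage(log_text: str) -> Triage:
    """Walk the log once and collect the entries a helper would look at first."""
    out = Triage()
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == ".":          # ComboFix separates blocks with lone dots
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, value = m.group("name"), m.group("value")
            key_lc = current_key.lower()
            if (name.lower() == "disablemonitoring" and value.lower() == "dword:00000001"
                    and r"security center\monitoring" in key_lc):
                out.findings.append(Finding("monitoring_disabled", current_key,
                    "Security Center told not to monitor; check the product is still installed"))
            elif key_lc.endswith(r"currentversion\run"):   # 'run-' is ComboFix's disabled copy
                path = value.split('"')[1] if value.startswith('"') else value.split(" [")[0]
                out.run_entries[name] = path
                out.findings.append(Finding("run_entry", name, path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            path = _image_path(rest)
            out.services[name] = path
            if rest.rstrip().endswith("[?]"):             # image file not found on disk
                out.findings.append(Finding("missing_service_file", name, path))
            if len(path) > 1 and path[1] == ":" and path[0].lower() != "c":
                out.findings.append(Finding("service_off_system_drive", name, path))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG).findings:
        print(f"{f.kind:26} {f.subject}: {f.detail}")
```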

#10 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 26 June 2012 - 03:17 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

Adobe Reader 7.0
J2SE Runtime Environment 5.0 Update 7
Java™ 6 Update 26
Java™ 6 Update 7


  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs, double click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 NdotA

Posted 26 June 2012 - 10:10 AM

Hello Gringo,

here the logs as requested:

(1) MBAM (do you need translating of the German texts ??):

Malwarebytes Anti-Malware (Test) 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.06.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Aust :: AUST-Q0HX0CC2TV [Administrator]

Schutz: Aktiviert

26.06.2012 16:38:09
mbam-log-2012-06-26 (16-38-09).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 210604
Laufzeit: 1 Minute(n), 26 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

(2) Hijack this:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:27:04, on 26.06.2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Programme\Microsoft Security Client\msseces.exe
C:\Programme\DT\Speedport W 102 Stick\UI.exe
C:\Programme\Real\RealPlayer\update\realsched.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSC] "C:\Programme\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Norton
O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Videos mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-Dienst (gupdatem) (gupdatem) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe

--
End of file - 5597 bytes


(3) No real problem, but the link to download HijackThis had me redirected to Trend Micro's main site and I had to find my way to the download link of HijackThis and ended on the site of sourceforge.net to download. But all went fine then. I do not know if this was a temporary problem on the site your link refers to or not.

(4) My PC runs fine, somewhat faster than before. I still have my boot problems (but this thread was not targeted at solving them; I will post in the OS forum once we are through here) and Internet Explorer still messages me that it is running without add-ons. The add-ons are marked 'active' in the management screen but do not get executed. I had run unshade.exe, just in case this is due to some hidden file, but no success. I deactivated / activated each and every add-on showing in the manager, but still no success. If this is not related to the problem we deal with here, I am willing to post in your appropriate forum.

Best regards

Norbert
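
A small parser for the HijackThis log format posted above, added here as an example and not part of the thread, of HijackThis, or of any Malwarebytes/Trend Micro tool. It pulls the O2 (BHO), O4 (autostart) and O23 (service) lines apart into name, hive/vendor and binary path, and lists the entries a helper would look at first: binaries outside the usual install roots, services with no vendor recorded, and startup-folder items whose target the log does not show. The sample lines are constructed from the shapes in the log (German-locale XP, so `C:\Programme`), and the list of "standard" install roots is an assumption that must be adjusted per host; none of the flags is a verdict, only a triage order.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis 2.0.4 log format. The lines mirror the
# shapes seen in the thread (German-locale XP, so C:\Programme); they are
# not the full log from the post.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSC] "C:\Programme\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: Norton
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis finding starts with a section tag (R0, O4, O23, ...).
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 Run-key entry: hive\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Trailing "(User 'SYSTEM')" suffix HijackThis appends to per-user hives
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
# First executable-looking token of an unquoted command line (spaces allowed)
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|bat|cmd|com|vbs|js|pif))(?=\s|$)", re.IGNORECASE)

# Assumed install roots for a German-locale Windows XP box; adjust per host.
STANDARD_PREFIXES = ("c:\\windows\\", "c:\\programme\\", "c:\\program files\\", "c:\\program files (x86)\\")


def extract_path(cmd: str) -> Optional[str]:
    """Return the executable path from a Run-key command line, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def parse_hjt(text: str) -> List[Dict]:
    """Parse the O2 (BHO), O4 (autostart) and O23 (service) lines of a HijackThis log."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        entry: Dict = {"section": sec, "raw": line, "name": None, "path": None, "vendor": None, "user": None}
        if sec == "O4":
            um = USER_RE.search(body)
            if um:
                entry["user"] = um.group("user")
                body = body[: um.start()]
            rm = RUN_RE.match(body)
            if rm:
                entry["hive"], entry["name"] = rm.group("hive"), rm.group("name")
                entry["path"] = extract_path(rm.group("cmd"))
            elif body.startswith(("Startup: ", "Global Startup: ")):
                entry["name"] = body.split(": ", 1)[1]  # startup-folder item; the log shows no path
        elif sec in ("O2", "O23"):
            # O2: "BHO: name - {CLSID} - dll"; O23: "Service: name - vendor - exe".
            # Split from the right so a name containing " - " still parses.
            _, _, rest = body.partition(": ")
            parts = rest.rsplit(" - ", 2)
            if len(parts) == 3:
                entry["name"], middle, entry["path"] = parts
                entry["clsid" if sec == "O2" else "vendor"] = middle
        entries.append(entry)
    return entries


def is_standard_location(path: str) -> bool:
    """True when the binary sits under one of the assumed install roots."""
    return path.lower().startswith(STANDARD_PREFIXES)


def review_items(entries: List[Dict]) -> List[Dict]:
    """Triage heuristics: a 'look at this first' list, not a verdict on any entry."""
    flagged = []
    for e in entries:
        reasons = []
        if e["path"] and not is_standard_location(e["path"]):
            reasons.append("binary outside the usual Windows/program directories")
        if e["section"] == "O23" and (e["vendor"] or "").lower() == "unknown owner":
            reasons.append("service binary carries no vendor information")
        if e["section"] == "O4" and e["path"] is None and "hive" not in e:
            reasons.append("startup-folder item; resolve the shortcut target by hand")
        if reasons:
            flagged.append({"raw": e["raw"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in review_items(parse_hjt(SAMPLE_LOG)):
        print(item["raw"])
        for r in item["reasons"]:
            print("   ->", r)
```

Run against the sample, the Transbase service (installed under `C:\BMWgroup`), the ATI Smart service (no vendor recorded) and the Norton startup-folder entry come out first; the Malwarebytes and Microsoft entries under `C:\Programme` do not. On a real log the same three checks only order the manual review the thread describes (looking each `[name]` up before fixing it); a legitimate vendor tool in an unusual directory will be flagged just as readily as anything else.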

#12 gringo_pr

Posted 26 June 2012 - 01:23 PM

Greetings

Just so I know - what is the boot problem?

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can click on any of their icons (or start them from the control panel) to start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Real\RealPlayer\update\realsched.exe" -osboot
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
      O4 - Startup: Norton
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#13 NdotA

Posted 26 June 2012 - 03:00 PM

About my boot problems:
As a preparation to give a detailed account of what is happening, I wrote a text file over the past few days as a concept of my post-to-be. I did put this in the attachment, because it is more or less preliminary as yet.

I will come back presently with the log.

Norbert


#14 NdotA

Posted 26 June 2012 - 03:28 PM

Hi Gringo,

the ESET scanner failed to run. After I accepted the terms and started the scan, the ESET window shows just a red x in the top left corner and says ready in the status bar. Only this and nothing more.

What to do?

Norbert

#15 gringo_pr

Posted 26 June 2012 - 10:12 PM

Hello

try this just for fun


I want you to reset the DMA. You can do this with this script here - Reset DMA

If you have problems when you click on the link, try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it then you can go here "Reset DMA" to see what I want to do



Gringo
