Infected with PC Cleaner Pro


  • This topic is locked
23 replies to this topic

#1 thonczarenko (Members, 24 posts)

Posted 29 June 2012 - 07:01 AM

Hello Bleeping Computer,

I seem to have caught the PC Cleaner Pro virus. I have not attempted to remove it yet. Please help!

Here is the HijackThis log.

Thank you!
Todd

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:53:22 AM, on 6/29/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\PC Cleaners\PCCleaners.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\m50\m50.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\blp\API\office tools\bxlaui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Reuters\RBWS\RBWS.exe
C:\blp\Wintrv\WINTRV.EXE
C:\blp\Wintrv\blpcbbap.exe
C:\blp\Wintrv\blpcbbap.exe
C:\blp\Wintrv\blpcbbap.exe
C:\blp\Wintrv\SmartClient\blpsmarthost.exe
C:\blp\Wintrv\blpcbbap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PC Cleaners] "C:\Program Files\PC Cleaners\PCCleaners.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [CLRHost] C:\blp\API\Office Tools\bbxlcmd.exe
O4 - Startup: Flash Messaging Startup.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.csfb.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trs.webex.com/client/T27L10NSP11EP8-trs/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oraclepartners.com
O17 - HKLM\Software\..\Telephony: DomainName = oraclepartners.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{804B68F6-E537-4FDB-BC38-2AB5EB860AED}: NameServer = 192.168.80.22,192.168.80.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oraclepartners.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = oraclepartners.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Eze Pricing Service PRIMARY (PricingPubDM_PRIMARY) - Unknown owner - C:\Program Files\Eze Castle Software\EzePricing\PricingPublisherSvc.exe
O23 - Service: Eze Sentry PRIMARY (SentrySvcDM_PRIMARY) - Eze Castle Software - C:\Program Files\Eze Castle Software\Common\SentrySvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Eze Static Pricing Publisher PRIMARY (StaticPricePubService_PRIMARY) - Unknown owner - C:\Program Files\Eze Castle Software\EzePricing\StaticPricingPublisherSvc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 7554 bytes


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 03 July 2012 - 11:51 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 thonczarenko (Topic Starter)

Posted 04 July 2012 - 04:17 PM

Hi Gringo,

Thank you for helping!

Here is the checkup.txt since the instructions ask to post them; I will also paste the DDS logs below. There were no issues running those programs/scripts.

Thank you!

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
PC Cleaner Pro
Symantec Endpoint Protection
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
PC Cleaners
Java 2 Runtime Environment Standard Edition v1.3.1
Java™ 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 25% Defragment your hard drive soon!
````````````````````End of Log``````````````````````


DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by bmeglio at 17:13:07 on 2012-07-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3072.2068 [GMT -4:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\PC Cleaners\PCCleaners.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\m50\m50.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\blp\API\office tools\bxlaui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\blp\API\office tools\bxlartd.exe
C:\blp\API\bbcomm.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bmeglio\Desktop\Defogger.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [CLRHost] c:\blp\api\office tools\bbxlcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PC Cleaners] "c:\program files\pc cleaners\PCCleaners.exe" /minimize
StartupFolder: c:\docume~1\bmeglio\startm~1\programs\startup\flashm~1.lnk - c:\program files\m50\m50.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: csfb.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://trs.webex.com/client/T27L10NSP11EP8-trs/support/ieatgpc.cab
TCP: Interfaces\{804B68F6-E537-4FDB-BC38-2AB5EB860AED} : NameServer = 192.168.80.22,192.168.80.242
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-25 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-25 108392]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-1-31 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-5-1 47640]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-23 1831024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-28 106656]
R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\drivers\ATTchWDF.sys [2012-5-1 64000]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120703.002\NAVENG.SYS [2012-7-3 87928]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120703.002\NAVEX15.SYS [2012-7-3 1589752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-1 257224]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-2 23888]
S3 PricingPubDM_PRIMARY;Eze Pricing Service PRIMARY;c:\program files\eze castle software\ezepricing\PricingPublisherSvc.exe [2006-11-22 2157056]
S3 SentrySvcDM_PRIMARY;Eze Sentry PRIMARY;c:\program files\eze castle software\common\SentrySvc.exe [2006-11-22 1952256]
S3 StaticPricePubService_PRIMARY;Eze Static Pricing Publisher PRIMARY;c:\program files\eze castle software\ezepricing\StaticPricingPublisherSvc.exe [2006-11-22 1981952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-06-29 11:52:18 388096 ----a-r- c:\documents and settings\bmeglio\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-06-29 11:52:16 -------- d-----w- c:\program files\Trend Micro
2012-06-29 06:53:40 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 16:31:25 -------- d-----w- C:\temp_pyx
2012-06-08 16:31:25 -------- d-----w- C:\paychex
2012-06-08 11:17:20 -------- d-----w- c:\documents and settings\bmeglio\application data\PC Cleaners
2012-06-08 11:17:15 4198712 ----a-w- c:\windows\uninst.exe
2012-06-08 11:17:15 -------- d-----w- c:\documents and settings\bmeglio\application data\PCPro
2012-06-08 11:17:14 -------- d-----w- c:\program files\PC Cleaners
2012-06-08 11:17:14 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
.
==================== Find3M ====================
.
2012-06-29 11:15:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-29 11:15:54 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 19:27:29 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-21 19:27:29 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-05-21 19:27:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-05-21 19:27:28 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-02 00:27:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-02 00:27:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-01 18:08:19 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-05-01 18:08:19 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 17:13:55.42 ===============
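The HijackThis log in the first post and the DDS header in this one are the kind of thing a helper reads by eye. The Python script below is an added example and is not part of the thread, nor code from HijackThis, DDS or any other tool named here: it parses HijackThis-style O-lines and DDS `AV:`/`FW:` header lines and flags the entries that usually merit a second look. The heuristics (an autorun pointing at a user-writable directory, a site added to the IE Trusted Zone, a DNS server outside RFC 1918 space, a service whose binary carries no vendor information, a security product reported as disabled, more than one antivirus registered with Security Center) are the example author's own choices, not rules from either tool. The sample lines are constructed for the example: most are copied from the logs in this thread, while the `Updater` autorun under a Temp directory and the `8.8.8.8` name server were added to exercise the negative checks.

```python
"""Triage helper for HijackThis O-lines and DDS AV:/FW: header lines.

Added example for this thread; not code from HijackThis, DDS or BleepingComputer.
"""
import re

O_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
SECURITY_LINE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*([^*]+)\*")
RUN_LINE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\.+?\.exe)"?', re.IGNORECASE)
SERVICE_LINE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")
NAMESERVER_LINE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")

# Directory fragments an ordinary user can write to (Windows XP and later
# layouts); an autorun pointing here deserves more scrutiny than one under
# Program Files or system32.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\application data\\")

# Constructed sample, mostly copied from the logs posted in this thread.
# The "Updater" autorun and the 8.8.8.8 name server are invented to
# exercise the negative checks.
SAMPLE_LOG = r"""
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled*
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PC Cleaners] "C:\Program Files\PC Cleaners\PCCleaners.exe" /minimize
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O15 - Trusted Zone: http://www.csfb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{804B68F6-E537-4FDB-BC38-2AB5EB860AED}: NameServer = 192.168.80.22,192.168.80.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 8.8.8.8
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Eze Pricing Service PRIMARY (PricingPubDM_PRIMARY) - Unknown owner - C:\Program Files\Eze Castle Software\EzePricing\PricingPublisherSvc.exe
"""


def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16; False for anything else."""
    try:
        o = [int(x) for x in addr.split(".")]
    except ValueError:
        return False
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        return False
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or o[:2] == [192, 168]


def triage(log_text):
    """Return (section, finding, evidence) tuples for the lines worth a second look."""
    findings = []
    av_products = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECURITY_LINE.match(line)
        if m:
            kind, product, state = m.groups()
            if kind == "AV":
                av_products.append(product)
            if "Disabled" in state:
                findings.append((kind, "security product reported disabled", product))
            continue
        m = O_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            r = RUN_LINE.search(body)
            if r and any(frag in r.group("path").lower() for frag in USER_WRITABLE):
                findings.append((section, "autorun from user-writable path", r.group("path")))
        elif section == "O15":
            findings.append((section, "site added to IE Trusted Zone", body))
        elif section == "O17":
            r = NAMESERVER_LINE.search(body)
            for server in (r.group("servers").split(",") if r else []):
                server = server.strip()
                if server and not is_rfc1918(server):
                    findings.append((section, "DNS server outside RFC 1918 space", server))
        elif section == "O23":
            r = SERVICE_LINE.match(body)
            if r and r.group("owner") == "Unknown owner":
                findings.append((section, "service binary carries no vendor information", r.group("path")))
    if len(av_products) > 1:
        findings.append(("AV", "more than one antivirus registered with Security Center",
                         ", ".join(av_products)))
    return findings


if __name__ == "__main__":
    for section, finding, evidence in triage(SAMPLE_LOG):
        print(f"{section:4} {finding}: {evidence}")
```

A flagged entry is a lead, not a verdict: the O15 and O23 entries on this machine may well be legitimately deployed corporate software, which is why a helper verifies file hashes and signatures before asking for anything to be removed. Run on the sample, the script flags both disabled AV products and the disabled firewall, the Temp-directory autorun, the Trusted Zone entry, the non-private name server, the service with no vendor string, and the fact that two antivirus products are registered at once; the two 192.168.80.x name servers are left alone.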

#4 gringo_pr

Posted 04 July 2012 - 05:49 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

Information and logs:

  • In your next post I need the following:
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?

Gringo

#5 thonczarenko (Topic Starter)

Posted 04 July 2012 - 07:00 PM

Hi Gringo,

The computer blue screened during the Combofix scan. Should I try again?

Thank you,
Todd

#6 gringo_pr

Posted 04 July 2012 - 07:40 PM

Hello

OK, let's try this: I want you to run Combofix in Safe Mode, but it is very important that when Combofix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After Combofix has finished its scan, please post the report back here.

Gringo

#7 thonczarenko (Topic Starter)

Posted 04 July 2012 - 08:00 PM

I was able to run Combofix in normal mode! I tried it before you replied. Here is the log.

Thank you!

ComboFix 12-07-04.04 - bmeglio 07/04/2012 20:03:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3072.2372 [GMT -4:00]
Running from: c:\documents and settings\bmeglio\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x0B624CAA8193C822\bxlaui.exe
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x25C0C55654D1CFB5\PresentationFontCache.exe
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\SXS\x86_Microsoft.VC80.CRT@8.0.50727.3053\msvcr80.dll
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x0B624CAA8193C822\bxlaui.exe
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x25C0C55654D1CFB5\PresentationFontCache.exe
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\SXS\x86_Microsoft.VC80.CRT@8.0.50727.3053\msvcr80.dll
c:\windows\system32\SET4FF.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-06-29 11:52 . 2012-06-29 11:52 388096 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-29 11:52 . 2012-06-29 11:52 -------- d-----w- c:\program files\Trend Micro
2012-06-29 06:53 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-15 15:22 . 2012-06-15 15:22 -------- d-----w- c:\windows\Sun
2012-06-08 16:31 . 2012-06-08 16:31 -------- d-----w- C:\temp_pyx
2012-06-08 16:31 . 2012-06-08 16:31 -------- d-----w- C:\paychex
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\bmeglio\Application Data\PC Cleaners
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\bmeglio\Application Data\PCPro
2012-06-08 11:17 . 2012-06-08 11:17 4198712 ----a-w- c:\windows\uninst.exe
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\program files\PC Cleaners
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 11:15 . 2012-05-01 23:59 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-29 11:15 . 2012-05-01 23:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2012-05-01 17:37 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2012-05-01 17:37 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2012-05-01 17:37 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2012-05-01 17:37 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2012-05-01 17:37 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-04-14 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2012-05-01 17:37 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2012-05-01 17:37 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 19:27 . 2012-05-01 19:26 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-05-21 19:27 . 2012-05-01 19:26 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-21 19:27 . 2012-05-01 19:26 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-21 19:27 . 2012-05-01 19:26 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-05-16 15:08 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-04-14 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2008-04-14 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2012-05-01 17:35 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-02 01:10 . 2012-05-02 01:10 32768 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{74016397-E26A-472B-B007-9DA96710C08D}\_2C1A814F1B85_48EA_BC5A_4F4DB52ABB48.exe
2012-05-02 00:27 . 2012-05-02 00:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-02 00:27 . 2012-05-02 00:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-01 19:28 . 2012-05-01 19:28 274432 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{1C007A26-2A82-4B10-B1D4-DDD34B65C796}\newport3.exe
2012-05-01 18:33 . 2012-05-01 18:33 274432 ----a-r- c:\documents and settings\opctadmin.OPCT\Application Data\Microsoft\Installer\{1C007A26-2A82-4B10-B1D4-DDD34B65C796}\newport3.exe
2012-05-01 18:08 . 2012-05-01 18:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-05-01 18:08 . 2012-05-01 18:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2012-02-29 4321112]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-05-17 273408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"PC Cleaners"="c:\program files\PC Cleaners\PCCleaners.exe" [2012-06-08 53450552]
.
c:\documents and settings\bmeglio\Start Menu\Programs\Startup\
Flash Messaging Startup.lnk - c:\program files\m50\m50.exe [2003-3-13 385024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2012-5-1 82026]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-05-21 19:27 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"138.20.0.0,255.255.0.0,192.168.80.193,1"=""
"144.14.0.0,255.255.0.0,192.168.80.193,1"=""
"63.75.60.0,255.255.252.0,192.168.80.197,1"=""
"199.105.176.0,255.255.248.0,192.168.80.206,1"=""
"199.105.184.0,255.255.254.0,192.168.80.206,1"=""
"69.184.0.0,255.255.0.0,192.168.80.206,1"=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 9:30 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 2:10 PM 12856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/28/2012 8:15 PM 106656]
R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\drivers\ATTchWDF.sys [5/1/2012 7:46 PM 64000]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/1/2012 7:59 PM 257224]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/2/2009 4:02 PM 23888]
S3 PricingPubDM_PRIMARY;Eze Pricing Service PRIMARY;c:\program files\Eze Castle Software\EzePricing\PricingPublisherSvc.exe [11/22/2006 12:38 PM 2157056]
S3 SentrySvcDM_PRIMARY;Eze Sentry PRIMARY;c:\program files\Eze Castle Software\Common\SentrySvc.exe [11/22/2006 12:38 PM 1952256]
S3 StaticPricePubService_PRIMARY;Eze Static Pricing Publisher PRIMARY;c:\program files\Eze Castle Software\EzePricing\StaticPricingPublisherSvc.exe [11/22/2006 12:38 PM 1981952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 11:16]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: csfb.com\www
TCP: Interfaces\{804B68F6-E537-4FDB-BC38-2AB5EB860AED}: NameServer = 192.168.80.22,192.168.80.242
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 20:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'winlogon.exe'(3896)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\rdpclip.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\blp\api\office tools\bxlaui.exe
.
**************************************************************************
.
Completion time: 2012-07-04 20:28:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 00:28
.
Pre-Run: 127,399,010,304 bytes free
Post-Run: 128,122,789,888 bytes free
.
- - End Of File - - D14F828B42B282DC1FE7C011AB8BA65A
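
The ComboFix log above is what a responder actually works from: the Run keys, the firewall policy and the open-port list are where the rogue product and its side effects show up. The script below is an added example (editor's code, not part of this thread and not ComboFix's own) that parses the "Reg Loading Points" layout ComboFix uses (a bracketed key header followed by "name"=value lines, sections separated by a lone dot) and reports the items to act on first. SAMPLE_LOG is a constructed, cut-down copy of the values posted above; ROGUE_NAME_PATTERNS and the severity labels are the editor's assumptions, seeded from the thread title "PC Cleaner Pro".

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Editor's added example, not part of this thread and not ComboFix code.
SAMPLE_LOG is a constructed cut-down copy of the log posted above; the
rogue-name pattern and severities are assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"PC Cleaners"="c:\program files\PC Cleaners\PCCleaners.exe" [2012-06-08 53450552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# Run values look like: "c:\path\app.exe" [YYYY-MM-DD size]
IMAGE_RE = re.compile(r'^"(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]')

# Assumption: name fragments of the rogue product this thread is about.
ROGUE_NAME_PATTERNS = [re.compile(r"pc\s*cleaners?", re.I)]


def parse_loading_points(text):
    """Yield (key, name, value) for every "name"=value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value")


def triage(text):
    """Return (severity, message) findings, in log order."""
    findings = []
    for key, name, value in parse_loading_points(text):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            m = IMAGE_RE.match(value)
            path = m.group("path") if m else value
            rogue = any(p.search(name) or p.search(path) for p in ROGUE_NAME_PATTERNS)
            findings.append(("high" if rogue else "info",
                             f"{'rogue ' if rogue else ''}autostart: {name} -> {path}"))
        elif k.endswith(r"firewallpolicy\standardprofile") and name.lower() == "enablefirewall":
            if value.strip().startswith("0"):
                findings.append(("high", "Windows Firewall disabled (EnableFirewall=0)"))
        elif k.endswith(r"globallyopenports\list"):
            port, proto = name.split(":")[:2]
            # 3389/TCP is Remote Desktop; a reachable RDP listener on an infected box deserves a look.
            findings.append(("medium" if port == "3389" else "low",
                             f"globally open port {port}/{proto}"))
        elif r"\security center\monitoring" in k and name.lower() == "disablemonitoring":
            if value.lower().endswith("00000001"):
                product = key.rsplit("\\", 1)[-1]
                findings.append(("info",
                                 f"Security Center monitoring disabled for {product} "
                                 "(normal when a third-party AV registers itself; "
                                 "confirm that product is actually running)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run it as a script to print the findings, or call `triage()` on the pasted text of a full log. The DisableMonitoring=1 value under the Security Center key is what a registered third-party product such as Symantec Endpoint Protection sets for itself, so it is reported at "info" level; it only deserves a second look if that product is missing from the running-process list, which in this log it is not.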

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 July 2012 - 08:12 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
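
Gringo's instructions say where the TDSSKiller report lands when a reboot was needed and ask for its contents. The script below is an added example (editor's code, not from the post and not part of TDSSKiller) that picks the newest report out of a directory listing and lists every scanned object whose final status is not "ok", with its MD5 and path ready for a hash lookup. It assumes the report name expands to TDSSKiller.<version>_<dd.mm.yyyy>_<hh.mm.ss>_log.txt (the post gives only the placeholders) and the "<time> <pid> <name> (<md5>) <path>" / "<name> - <status>" line layout seen in the report posted below. SAMPLE_LOG is a constructed cut-down copy of that report plus one synthetic entry with a non-ok status so the filter has something to show; that entry is not from the poster's machine.

```python
"""Pick the newest TDSSKiller report and list the entries that are not "ok".

Editor's added example, not part of this thread and not TDSSKiller code.
Assumptions: report names look like TDSSKiller.<ver>_<dd.mm.yyyy>_<hh.mm.ss>_log.txt;
SAMPLE_LOG is a constructed excerpt plus one synthetic non-ok entry.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
22:07:04.0227 1204 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200
22:07:05.0789 2840 ============================================================
22:07:05.0789 2840 Scan started
22:07:05.0789 2840 Mode: Manual;
22:07:06.0930 2840 Abiosdsk - ok
22:07:06.0993 2840 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:07:06.0993 2840 ACPI - ok
22:07:13.0039 2840 Net Driver HPZ12 (2969d26eee289be7422aa46fc55f4e38) C:\WINDOWS\system32\HPZinw12.dll
22:07:13.0039 2840 Net Driver HPZ12 - ok
22:07:20.0000 2840 constructedsvc (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\constructed.sys
22:07:20.0000 2840 constructedsvc - warning
22:07:21.0000 2840 Scan finished
"""

REPORT_RE = re.compile(
    r"^TDSSKiller\.(?P<ver>[\d.]+)_(?P<stamp>\d{2}\.\d{2}\.\d{4}_\d{2}\.\d{2}\.\d{2})_log\.txt$"
)
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
STATUS_RE = re.compile(r"^(?P<name>.+?) - (?P<status>.+)$")


def newest_report(filenames):
    """Return the TDSSKiller report with the latest date/time in its name, or None."""
    best = None
    for fn in filenames:
        m = REPORT_RE.match(fn)
        if not m:
            continue
        stamp = datetime.strptime(m.group("stamp"), "%d.%m.%Y_%H.%M.%S")
        if best is None or stamp > best[0]:
            best = (stamp, fn)
    return best[1] if best else None


def summarize(text):
    """Map each scanned object name to its md5, path and final status.

    Only lines between "Scan started" and "Scan finished" are considered, so the
    drive/partition header lines (which also contain " - ") are not mistaken for
    scan results. An entry that never received a status line keeps status None.
    """
    entries = {}
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("Scan started"):
            in_scan = True
            continue
        if rest.startswith("Scan finished"):
            break
        if not in_scan:
            continue
        e = ENTRY_RE.match(rest)
        if e:
            entry = entries.setdefault(e.group("name"), {"md5": None, "path": None, "status": None})
            entry.update(md5=e.group("md5"), path=e.group("path"))
            continue
        s = STATUS_RE.match(rest)
        if s:
            entry = entries.setdefault(s.group("name"), {"md5": None, "path": None, "status": None})
            entry["status"] = s.group("status")
    return entries


def needs_attention(text):
    """Entries whose status is anything but 'ok', with hash and path for lookup."""
    return [(name, e["status"], e["md5"], e["path"])
            for name, e in summarize(text).items() if e["status"] != "ok"]


if __name__ == "__main__":
    print("newest report:", newest_report([
        "TDSSKiller.2.7.44.0_03.07.2012_23.59.59_log.txt",
        "TDSSKiller.2.7.44.0_04.07.2012_22.07.01_log.txt"]))
    for name, status, md5, path in needs_attention(SAMPLE_LOG):
        print(f"{status:>8}  {name}  md5={md5}  {path}")
```

Feed `summarize()` the pasted text of a real report to get a name-to-hash table for every driver and service it walked; `needs_attention()` is the short list to read first, and an entry with status None means the scan was cut off before that object was finished, which is itself worth noticing.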

#9 thonczarenko
  • Topic Starter
  • Members
  • 24 posts

Posted 04 July 2012 - 09:08 PM

Kaspersky report.
22:07:01.0977 1204 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
22:07:02.0321 1204 ============================================================
22:07:02.0321 1204 Current date / time: 2012/07/04 22:07:02.0321
22:07:02.0321 1204 SystemInfo:
22:07:02.0321 1204
22:07:02.0321 1204 OS Version: 5.1.2600 ServicePack: 3.0
22:07:02.0321 1204 Product type: Workstation
22:07:02.0321 1204 ComputerName: BOB-HP-WS
22:07:02.0321 1204 UserName: bmeglio
22:07:02.0321 1204 Windows directory: C:\WINDOWS
22:07:02.0321 1204 System windows directory: C:\WINDOWS
22:07:02.0321 1204 Processor architecture: Intel x86
22:07:02.0321 1204 Number of processors: 2
22:07:02.0321 1204 Page size: 0x1000
22:07:02.0321 1204 Boot type: Normal boot
22:07:02.0321 1204 ============================================================
22:07:04.0227 1204 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x50C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
22:07:04.0227 1204 ============================================================
22:07:04.0227 1204 \Device\Harddisk0\DR0:
22:07:04.0227 1204 MBR partitions:
22:07:04.0227 1204 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
22:07:04.0227 1204 ============================================================
22:07:04.0258 1204 C: <-> \Device\Harddisk0\DR0\Partition0
22:07:04.0258 1204 ============================================================
22:07:04.0258 1204 Initialize success
22:07:04.0258 1204 ============================================================
22:07:05.0789 2840 ============================================================
22:07:05.0789 2840 Scan started
22:07:05.0789 2840 Mode: Manual;
22:07:05.0789 2840 ============================================================
22:07:06.0930 2840 Abiosdsk - ok
22:07:06.0946 2840 abp480n5 - ok
22:07:06.0993 2840 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:07:06.0993 2840 ACPI - ok
22:07:07.0039 2840 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:07:07.0039 2840 ACPIEC - ok
22:07:07.0118 2840 AdobeFlashPlayerUpdateSvc (f3cd7b20b27d1772c946df993ff3635c) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
22:07:07.0118 2840 AdobeFlashPlayerUpdateSvc - ok
22:07:07.0118 2840 adpu160m - ok
22:07:07.0164 2840 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:07:07.0164 2840 aec - ok
22:07:07.0211 2840 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:07:07.0211 2840 AFD - ok
22:07:07.0258 2840 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
22:07:07.0258 2840 agp440 - ok
22:07:07.0274 2840 Aha154x - ok
22:07:07.0289 2840 aic78u2 - ok
22:07:07.0305 2840 aic78xx - ok
22:07:07.0336 2840 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
22:07:07.0336 2840 Alerter - ok
22:07:07.0368 2840 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
22:07:07.0368 2840 ALG - ok
22:07:07.0368 2840 AliIde - ok
22:07:07.0383 2840 amsint - ok
22:07:07.0430 2840 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
22:07:07.0430 2840 AppMgmt - ok
22:07:07.0430 2840 asc - ok
22:07:07.0461 2840 asc3350p - ok
22:07:07.0477 2840 asc3550 - ok
22:07:07.0602 2840 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
22:07:07.0602 2840 aspnet_state - ok
22:07:07.0633 2840 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:07:07.0633 2840 AsyncMac - ok
22:07:07.0664 2840 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:07:07.0680 2840 atapi - ok
22:07:07.0680 2840 Atdisk - ok
22:07:07.0696 2840 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:07:07.0711 2840 Atmarpc - ok
22:07:07.0743 2840 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
22:07:07.0743 2840 AudioSrv - ok
22:07:07.0774 2840 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:07:07.0774 2840 audstub - ok
22:07:07.0821 2840 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
22:07:07.0821 2840 b57w2k - ok
22:07:07.0868 2840 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:07:07.0868 2840 Beep - ok
22:07:07.0914 2840 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
22:07:07.0914 2840 BITS - ok
22:07:07.0946 2840 Blfp (07a758bffb297819252aa72bab0e6611) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
22:07:07.0946 2840 Blfp - ok
22:07:07.0993 2840 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
22:07:07.0993 2840 Browser - ok
22:07:07.0993 2840 catchme - ok
22:07:08.0039 2840 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:07:08.0039 2840 cbidf2k - ok
22:07:08.0102 2840 ccEvtMgr (260a069f403da226d18c058ad14fd3a3) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:07:08.0102 2840 ccEvtMgr - ok
22:07:08.0118 2840 ccSetMgr (260a069f403da226d18c058ad14fd3a3) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:07:08.0118 2840 ccSetMgr - ok
22:07:08.0133 2840 cd20xrnt - ok
22:07:08.0164 2840 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:07:08.0164 2840 Cdaudio - ok
22:07:08.0211 2840 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:07:08.0211 2840 Cdfs - ok
22:07:08.0258 2840 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:07:08.0258 2840 Cdrom - ok
22:07:08.0258 2840 Changer - ok
22:07:08.0289 2840 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
22:07:08.0289 2840 CiSvc - ok
22:07:08.0383 2840 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
22:07:08.0383 2840 ClipSrv - ok
22:07:08.0539 2840 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:07:08.0539 2840 clr_optimization_v2.0.50727_32 - ok
22:07:08.0618 2840 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
22:07:08.0633 2840 clr_optimization_v4.0.30319_32 - ok
22:07:08.0633 2840 CmdIde - ok
22:07:08.0680 2840 COH_Mon (de88a385898f6d13026f94f749fbaed2) C:\WINDOWS\system32\Drivers\COH_Mon.sys
22:07:08.0680 2840 COH_Mon - ok
22:07:08.0680 2840 COMSysApp - ok
22:07:08.0711 2840 Cpqarray - ok
22:07:08.0758 2840 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
22:07:08.0758 2840 CryptSvc - ok
22:07:08.0774 2840 dac2w2k - ok
22:07:08.0789 2840 dac960nt - ok
22:07:08.0852 2840 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
22:07:08.0868 2840 DcomLaunch - ok
22:07:08.0883 2840 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
22:07:08.0883 2840 Dhcp - ok
22:07:08.0914 2840 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:07:08.0914 2840 Disk - ok
22:07:08.0930 2840 dmadmin - ok
22:07:09.0008 2840 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:07:09.0008 2840 dmboot - ok
22:07:09.0039 2840 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:07:09.0039 2840 dmio - ok
22:07:09.0071 2840 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:07:09.0071 2840 dmload - ok
22:07:09.0102 2840 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
22:07:09.0102 2840 dmserver - ok
22:07:09.0133 2840 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:07:09.0133 2840 DMusic - ok
22:07:09.0180 2840 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
22:07:09.0180 2840 Dnscache - ok
22:07:09.0211 2840 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
22:07:09.0211 2840 Dot3svc - ok
22:07:09.0227 2840 dpti2o - ok
22:07:09.0274 2840 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:07:09.0274 2840 drmkaud - ok
22:07:09.0305 2840 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
22:07:09.0305 2840 EapHost - ok
22:07:09.0399 2840 eeCtrl (fce87ba643d5e9a8b6e0378508d1b22d) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:07:09.0399 2840 eeCtrl - ok
22:07:09.0430 2840 EraserUtilRebootDrv (115dc729465a8c386615207f28875255) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:07:09.0430 2840 EraserUtilRebootDrv - ok
22:07:09.0461 2840 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
22:07:09.0461 2840 ERSvc - ok
22:07:09.0508 2840 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:07:09.0508 2840 Eventlog - ok
22:07:09.0539 2840 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
22:07:09.0555 2840 EventSystem - ok
22:07:09.0586 2840 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:07:09.0586 2840 Fastfat - ok
22:07:09.0633 2840 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:07:09.0633 2840 FastUserSwitchingCompatibility - ok
22:07:09.0664 2840 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:07:09.0664 2840 Fdc - ok
22:07:09.0680 2840 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:07:09.0680 2840 Fips - ok
22:07:09.0727 2840 FLMckUsb (9c3f27af7760cf64c4220ca39a132d5a) C:\WINDOWS\system32\DRIVERS\ATTchWDF.sys
22:07:09.0727 2840 FLMckUsb - ok
22:07:09.0758 2840 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:07:09.0758 2840 Flpydisk - ok
22:07:09.0789 2840 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:07:09.0805 2840 FltMgr - ok
22:07:09.0914 2840 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
22:07:09.0914 2840 FontCache3.0.0.0 - ok
22:07:09.0946 2840 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:07:09.0946 2840 Fs_Rec - ok
22:07:09.0977 2840 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:07:09.0977 2840 Ftdisk - ok
22:07:09.0992 2840 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:07:09.0992 2840 Gpc - ok
22:07:10.0071 2840 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:07:10.0071 2840 helpsvc - ok
22:07:10.0086 2840 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
22:07:10.0086 2840 HidServ - ok
22:07:10.0133 2840 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:07:10.0133 2840 hidusb - ok
22:07:10.0164 2840 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
22:07:10.0164 2840 hkmsvc - ok
22:07:10.0164 2840 hpn - ok
22:07:10.0227 2840 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:07:10.0227 2840 HTTP - ok
22:07:10.0258 2840 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
22:07:10.0258 2840 HTTPFilter - ok
22:07:10.0274 2840 i2omgmt - ok
22:07:10.0289 2840 i2omp - ok
22:07:10.0321 2840 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:07:10.0321 2840 i8042prt - ok
22:07:10.0414 2840 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
22:07:10.0414 2840 IDriverT - ok
22:07:10.0524 2840 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
22:07:10.0539 2840 idsvc - ok
22:07:10.0571 2840 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:07:10.0571 2840 Imapi - ok
22:07:10.0617 2840 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
22:07:10.0617 2840 ImapiService - ok
22:07:10.0633 2840 ini910u - ok
22:07:10.0696 2840 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
22:07:10.0696 2840 IntelIde - ok
22:07:10.0727 2840 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:07:10.0727 2840 intelppm - ok
22:07:10.0758 2840 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:07:10.0758 2840 Ip6Fw - ok
22:07:10.0774 2840 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:07:10.0774 2840 IpFilterDriver - ok
22:07:10.0789 2840 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:07:10.0789 2840 IpInIp - ok
22:07:10.0821 2840 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:07:10.0821 2840 IpNat - ok
22:07:10.0867 2840 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:07:10.0867 2840 IPSec - ok
22:07:10.0899 2840 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:07:10.0899 2840 IRENUM - ok
22:07:10.0946 2840 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:07:10.0946 2840 isapnp - ok
22:07:11.0071 2840 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
22:07:11.0071 2840 JavaQuickStarterService - ok
22:07:11.0117 2840 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:07:11.0117 2840 Kbdclass - ok
22:07:11.0133 2840 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:07:11.0133 2840 kbdhid - ok
22:07:11.0164 2840 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:07:11.0164 2840 kmixer - ok
22:07:11.0211 2840 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:07:11.0211 2840 KSecDD - ok
22:07:11.0258 2840 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
22:07:11.0258 2840 LanmanServer - ok
22:07:11.0305 2840 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
22:07:11.0305 2840 lanmanworkstation - ok
22:07:11.0305 2840 lbrtfdc - ok
22:07:11.0571 2840 LiveUpdate (6105b28f5d03c4affa7197b228768849) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
22:07:11.0586 2840 LiveUpdate - ok
22:07:11.0680 2840 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
22:07:11.0680 2840 LmHosts - ok
22:07:11.0805 2840 LMIGuardianSvc (c2bc96051da4330c1fcf2fe13f60a748) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
22:07:11.0805 2840 LMIGuardianSvc - ok
22:07:11.0836 2840 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
22:07:11.0836 2840 LMIInfo - ok
22:07:11.0852 2840 LMIMaint (8960ac10842199c9dc2ec0956f5a4a8d) C:\Program Files\LogMeIn\x86\RaMaint.exe
22:07:11.0852 2840 LMIMaint - ok
22:07:11.0899 2840 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
22:07:11.0899 2840 lmimirr - ok
22:07:11.0914 2840 LMIRfsClientNP - ok
22:07:11.0946 2840 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
22:07:11.0946 2840 LMIRfsDriver - ok
22:07:11.0992 2840 LogMeIn (432618fa75b61059d2c57d6a7e55147a) C:\Program Files\LogMeIn\x86\LogMeIn.exe
22:07:11.0992 2840 LogMeIn - ok
22:07:12.0024 2840 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
22:07:12.0024 2840 Messenger - ok
22:07:12.0055 2840 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:07:12.0055 2840 mnmdd - ok
22:07:12.0086 2840 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
22:07:12.0086 2840 mnmsrvc - ok
22:07:12.0102 2840 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:07:12.0102 2840 Modem - ok
22:07:12.0133 2840 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:07:12.0133 2840 Mouclass - ok
22:07:12.0149 2840 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:07:12.0149 2840 mouhid - ok
22:07:12.0164 2840 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:07:12.0164 2840 MountMgr - ok
22:07:12.0180 2840 mraid35x - ok
22:07:12.0211 2840 MRxDAV (e3f17e1ea5256709d4e97ef0da04b3c9) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:07:12.0211 2840 MRxDAV - ok
22:07:12.0258 2840 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:07:12.0274 2840 MRxSmb - ok
22:07:12.0305 2840 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
22:07:12.0305 2840 MSDTC - ok
22:07:12.0352 2840 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:07:12.0352 2840 Msfs - ok
22:07:12.0367 2840 MSIServer - ok
22:07:12.0399 2840 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:07:12.0399 2840 MSKSSRV - ok
22:07:12.0414 2840 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:07:12.0414 2840 MSPCLOCK - ok
22:07:12.0414 2840 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:07:12.0414 2840 MSPQM - ok
22:07:12.0461 2840 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:07:12.0461 2840 mssmbios - ok
22:07:12.0492 2840 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:07:12.0492 2840 Mup - ok
22:07:12.0539 2840 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
22:07:12.0555 2840 napagent - ok
22:07:12.0649 2840 NAVENG (f11033730b38260b6892e837c457fb4b) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120704.002\NAVENG.SYS
22:07:12.0649 2840 NAVENG - ok
22:07:12.0758 2840 NAVEX15 (4e4e7c0259d3bb97de24a636c0e06aba) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120704.002\NAVEX15.SYS
22:07:12.0774 2840 NAVEX15 - ok
22:07:12.0867 2840 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:07:12.0867 2840 NDIS - ok
22:07:12.0899 2840 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:07:12.0914 2840 NdisTapi - ok
22:07:12.0946 2840 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:07:12.0946 2840 Ndisuio - ok
22:07:12.0977 2840 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:07:12.0977 2840 NdisWan - ok
22:07:12.0992 2840 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:07:13.0008 2840 NDProxy - ok
22:07:13.0039 2840 Net Driver HPZ12 (2969d26eee289be7422aa46fc55f4e38) C:\WINDOWS\system32\HPZinw12.dll
22:07:13.0039 2840 Net Driver HPZ12 - ok
22:07:13.0071 2840 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:07:13.0086 2840 NetBIOS - ok
22:07:13.0117 2840 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:07:13.0133 2840 NetBT - ok
22:07:13.0164 2840 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:07:13.0164 2840 NetDDE - ok
22:07:13.0180 2840 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:07:13.0180 2840 NetDDEdsdm - ok
22:07:13.0211 2840 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:07:13.0211 2840 Netlogon - ok
22:07:13.0242 2840 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
22:07:13.0258 2840 Netman - ok
22:07:13.0367 2840 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
22:07:13.0367 2840 NetTcpPortSharing - ok
22:07:13.0414 2840 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
22:07:13.0414 2840 Nla - ok
22:07:13.0430 2840 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:07:13.0430 2840 Npfs - ok
22:07:13.0492 2840 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:07:13.0492 2840 Ntfs - ok
22:07:13.0508 2840 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:07:13.0508 2840 NtLmSsp - ok
22:07:13.0555 2840 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
22:07:13.0555 2840 NtmsSvc - ok
22:07:13.0602 2840 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:07:13.0602 2840 Null - ok
22:07:13.0727 2840 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:07:13.0742 2840 nv - ok
22:07:13.0821 2840 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:07:13.0821 2840 NwlnkFlt - ok
22:07:13.0836 2840 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:07:13.0852 2840 NwlnkFwd - ok
22:07:13.0899 2840 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
22:07:13.0899 2840 ose - ok
22:07:13.0946 2840 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:07:13.0961 2840 Parport - ok
22:07:13.0961 2840 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:07:13.0961 2840 PartMgr - ok
22:07:14.0008 2840 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:07:14.0008 2840 ParVdm - ok
22:07:14.0039 2840 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:07:14.0039 2840 PCI - ok
22:07:14.0055 2840 PCIDump - ok
22:07:14.0071 2840 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
22:07:14.0071 2840 PCIIde - ok
22:07:14.0102 2840 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:07:14.0117 2840 Pcmcia - ok
22:07:14.0117 2840 PDCOMP - ok
22:07:14.0133 2840 PDFRAME - ok
22:07:14.0149 2840 PDRELI - ok
22:07:14.0164 2840 PDRFRAME - ok
22:07:14.0180 2840 perc2 - ok
22:07:14.0196 2840 perc2hib - ok
22:07:14.0274 2840 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:07:14.0274 2840 PlugPlay - ok
22:07:14.0305 2840 Pml Driver HPZ12 (bafc9706bdf425a02b66468ab2605c59) C:\WINDOWS\system32\HPZipm12.dll
22:07:14.0305 2840 Pml Driver HPZ12 - ok
22:07:14.0336 2840 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:07:14.0336 2840 PolicyAgent - ok
22:07:14.0383 2840 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:07:14.0383 2840 PptpMiniport - ok
22:07:14.0602 2840 PricingPubDM_PRIMARY (be1b1be8ec1e32c5d0d30ed17c79eb5e) C:\Program Files\Eze Castle Software\EzePricing\PricingPublisherSvc.exe
22:07:14.0617 2840 PricingPubDM_PRIMARY - ok
22:07:14.0711 2840 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:07:14.0711 2840 ProtectedStorage - ok
22:07:14.0727 2840 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:07:14.0727 2840 PSched - ok
22:07:14.0758 2840 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:07:14.0758 2840 Ptilink - ok
22:07:14.0774 2840 ql1080 - ok
22:07:14.0789 2840 Ql10wnt - ok
22:07:14.0805 2840 ql12160 - ok
22:07:14.0821 2840 ql1240 - ok
22:07:14.0836 2840 ql1280 - ok
22:07:14.0852 2840 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:07:14.0852 2840 RasAcd - ok
22:07:14.0899 2840 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
22:07:14.0899 2840 RasAuto - ok
22:07:14.0930 2840 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:07:14.0930 2840 Rasl2tp - ok
22:07:14.0961 2840 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
22:07:14.0961 2840 RasMan - ok
22:07:14.0977 2840 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:07:14.0977 2840 RasPppoe - ok
22:07:15.0008 2840 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:07:15.0008 2840 Raspti - ok
22:07:15.0039 2840 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:07:15.0039 2840 Rdbss - ok
22:07:15.0055 2840 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:07:15.0055 2840 RDPCDD - ok
22:07:15.0117 2840 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:07:15.0117 2840 rdpdr - ok
22:07:15.0164 2840 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
22:07:15.0164 2840 RDPWD - ok
22:07:15.0211 2840 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
22:07:15.0211 2840 RDSessMgr - ok
22:07:15.0242 2840 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:07:15.0242 2840 redbook - ok
22:07:15.0274 2840 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
22:07:15.0274 2840 RemoteAccess - ok
22:07:15.0305 2840 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
22:07:15.0305 2840 RemoteRegistry - ok
22:07:15.0352 2840 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
22:07:15.0352 2840 RpcLocator - ok
22:07:15.0399 2840 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
22:07:15.0414 2840 RpcSs - ok
22:07:15.0446 2840 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
22:07:15.0446 2840 RSVP - ok
22:07:15.0477 2840 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:07:15.0477 2840 SamSs - ok
22:07:15.0508 2840 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
22:07:15.0524 2840 SCardSvr - ok
22:07:15.0571 2840 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
22:07:15.0571 2840 Schedule - ok
22:07:15.0586 2840 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:07:15.0586 2840 Secdrv - ok
22:07:15.0633 2840 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
22:07:15.0633 2840 seclogon - ok
22:07:15.0649 2840 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
22:07:15.0649 2840 SENS - ok
22:07:15.0883 2840 SentrySvcDM_PRIMARY (4e7d5747c018b07c69f35bbaecd8b9cb) C:\Program Files\Eze Castle Software\Common\SentrySvc.exe
22:07:15.0899 2840 SentrySvcDM_PRIMARY - ok
22:07:16.0008 2840 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:07:16.0008 2840 serenum - ok
22:07:16.0024 2840 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:07:16.0024 2840 Serial - ok
22:07:16.0086 2840 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:07:16.0086 2840 Sfloppy - ok
22:07:16.0133 2840 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
22:07:16.0133 2840 SharedAccess - ok
22:07:16.0180 2840 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:07:16.0180 2840 ShellHWDetection - ok
22:07:16.0196 2840 Simbad - ok
22:07:16.0383 2840 SmcService (0dc94380be7d36ae241029c72807692e) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
22:07:16.0399 2840 SmcService - ok
22:07:16.0461 2840 SNAC (65e1ebf379856b677979802c8d5bcd87) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
22:07:16.0461 2840 SNAC - ok
22:07:16.0524 2840 Sparrow - ok
22:07:16.0680 2840 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
22:07:16.0680 2840 SPBBCDrv - ok
22:07:16.0711 2840 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:07:16.0711 2840 splitter - ok
22:07:16.0742 2840 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
22:07:16.0742 2840 Spooler - ok
22:07:16.0789 2840 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:07:16.0789 2840 sr - ok
22:07:16.0821 2840 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
22:07:16.0821 2840 srservice - ok
22:07:16.0883 2840 SRTSP (5a293729e1f9fce3a2106d1f5dc5e98a) C:\WINDOWS\system32\Drivers\SRTSP.SYS
22:07:16.0883 2840 SRTSP - ok
22:07:16.0914 2840 SRTSPL (0ddb7fba32be09d8057063c0cee24137) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
22:07:16.0930 2840 SRTSPL - ok
22:07:16.0946 2840 SRTSPX (a99719dfb61b61aa5026341bbb733c0a) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
22:07:16.0946 2840 SRTSPX - ok
22:07:16.0992 2840 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:07:17.0008 2840 Srv - ok
22:07:17.0039 2840 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
22:07:17.0055 2840 SSDPSRV - ok
22:07:17.0305 2840 StaticPricePubService_PRIMARY (a7fe194b0da2cf0f33ae0015b9ec4963) C:\Program Files\Eze Castle Software\EzePricing\StaticPricingPublisherSvc.exe
22:07:17.0321 2840 StaticPricePubService_PRIMARY - ok
22:07:17.0414 2840 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
22:07:17.0430 2840 stisvc - ok
22:07:17.0461 2840 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:07:17.0461 2840 swenum - ok
22:07:17.0508 2840 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:07:17.0508 2840 swmidi - ok
22:07:17.0524 2840 SwPrv - ok
22:07:17.0711 2840 Symantec AntiVirus (f3a4ead0b3946e439f0397f7a4d09952) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
22:07:17.0727 2840 Symantec AntiVirus - ok
22:07:17.0789 2840 symc810 - ok
22:07:17.0805 2840 symc8xx - ok
22:07:17.0852 2840 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
22:07:17.0867 2840 SymEvent - ok
22:07:17.0899 2840 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
22:07:17.0899 2840 SYMREDRV - ok
22:07:17.0930 2840 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
22:07:17.0930 2840 SYMTDI - ok
22:07:17.0946 2840 sym_hi - ok
22:07:17.0961 2840 sym_u3 - ok
22:07:17.0992 2840 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:07:17.0992 2840 sysaudio - ok
22:07:18.0024 2840 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
22:07:18.0039 2840 SysmonLog - ok
22:07:18.0071 2840 SysPlant (5dcc2c7acc29dfba5ba82ed47d99c7e5) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
22:07:18.0071 2840 SysPlant - ok
22:07:18.0102 2840 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
22:07:18.0117 2840 TapiSrv - ok
22:07:18.0164 2840 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:07:18.0180 2840 Tcpip - ok
22:07:18.0196 2840 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:07:18.0211 2840 TDPIPE - ok
22:07:18.0227 2840 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:07:18.0227 2840 TDTCP - ok
22:07:18.0274 2840 Teefer2 (1d3c046a9106de97ddc8276958700bf4) C:\WINDOWS\system32\DRIVERS\teefer2.sys
22:07:18.0274 2840 Teefer2 - ok
22:07:18.0321 2840 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:07:18.0321 2840 TermDD - ok
22:07:18.0367 2840 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
22:07:18.0367 2840 TermService - ok
22:07:18.0414 2840 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:07:18.0414 2840 Themes - ok
22:07:18.0446 2840 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
22:07:18.0461 2840 TlntSvr - ok
22:07:18.0461 2840 TosIde - ok
22:07:18.0508 2840 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
22:07:18.0508 2840 TrkWks - ok
22:07:18.0539 2840 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:07:18.0539 2840 Udfs - ok
22:07:18.0555 2840 ultra - ok
22:07:18.0602 2840 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:07:18.0617 2840 Update - ok
22:07:18.0649 2840 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
22:07:18.0664 2840 upnphost - ok
22:07:18.0680 2840 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
22:07:18.0680 2840 UPS - ok
22:07:18.0711 2840 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
22:07:18.0711 2840 usbaudio - ok
22:07:18.0758 2840 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:07:18.0758 2840 usbccgp - ok
22:07:18.0774 2840 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:07:18.0774 2840 usbehci - ok
22:07:18.0789 2840 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:07:18.0789 2840 usbhub - ok
22:07:18.0805 2840 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:07:18.0805 2840 usbuhci - ok
22:07:18.0852 2840 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:07:18.0852 2840 VgaSave - ok
22:07:18.0852 2840 ViaIde - ok
22:07:18.0914 2840 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:07:18.0914 2840 VolSnap - ok
22:07:18.0961 2840 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
22:07:18.0961 2840 VSS - ok
22:07:19.0008 2840 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
22:07:19.0008 2840 W32Time - ok
22:07:19.0024 2840 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:07:19.0024 2840 Wanarp - ok
22:07:19.0086 2840 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
22:07:19.0086 2840 Wdf01000 - ok
22:07:19.0102 2840 WDICA - ok
22:07:19.0149 2840 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:07:19.0149 2840 wdmaud - ok
22:07:19.0196 2840 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
22:07:19.0196 2840 WebClient - ok
22:07:19.0289 2840 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
22:07:19.0289 2840 winmgmt - ok
22:07:19.0383 2840 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
22:07:19.0399 2840 WinRM - ok
22:07:19.0446 2840 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
22:07:19.0446 2840 WmdmPmSN - ok
22:07:19.0524 2840 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
22:07:19.0524 2840 Wmi - ok
22:07:19.0617 2840 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
22:07:19.0617 2840 WmiApSrv - ok
22:07:19.0742 2840 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
22:07:19.0758 2840 WMPNetworkSvc - ok
22:07:19.0946 2840 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
22:07:19.0946 2840 WPFFontCache_v0400 - ok
22:07:20.0024 2840 WPS (e8e745b8eee63c7cf7d34833d3b8ca7f) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
22:07:20.0024 2840 WPS - ok
22:07:20.0071 2840 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
22:07:20.0071 2840 WpsHelper - ok
22:07:20.0102 2840 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:07:20.0102 2840 WS2IFSL - ok
22:07:20.0133 2840 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
22:07:20.0149 2840 wscsvc - ok
22:07:20.0180 2840 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
22:07:20.0180 2840 wuauserv - ok
22:07:20.0211 2840 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:07:20.0211 2840 WudfPf - ok
22:07:20.0242 2840 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:07:20.0242 2840 WudfRd - ok
22:07:20.0274 2840 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
22:07:20.0274 2840 WudfSvc - ok
22:07:20.0336 2840 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
22:07:20.0352 2840 WZCSVC - ok
22:07:20.0367 2840 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
22:07:20.0383 2840 xmlprov - ok
22:07:20.0414 2840 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:07:20.0867 2840 \Device\Harddisk0\DR0 - ok
22:07:20.0867 2840 Boot (0x1200) (7444fd3e215c0b3d68736f4f05915e25) \Device\Harddisk0\DR0\Partition0
22:07:20.0867 2840 \Device\Harddisk0\DR0\Partition0 - ok
22:07:20.0883 2840 ============================================================
22:07:20.0883 2840 Scan finished
22:07:20.0883 2840 ============================================================
22:07:20.0899 2580 Detected object count: 0
22:07:20.0899 2580 Actual detected object count: 0



aswMBR Report.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-04 21:35:07
-----------------------------
21:35:07.455 OS Version: Windows 5.1.2600 Service Pack 3
21:35:07.455 Number of processors: 2 586 0x209
21:35:07.455 ComputerName: BOB-HP-WS UserName: bmeglio
21:35:08.361 Initialize success
21:36:36.191 AVAST engine defs: 12070401
21:36:46.472 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:36:46.472 Disk 0 Vendor: ST3160021A 3.06 Size: 152627MB BusType: 3
21:36:46.488 Disk 0 MBR read successfully
21:36:46.488 Disk 0 MBR scan
21:36:46.534 Disk 0 Windows XP default MBR code
21:36:46.550 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
21:36:46.550 Disk 0 scanning sectors +312560640
21:36:46.644 Disk 0 scanning C:\WINDOWS\system32\drivers
21:36:57.066 Service scanning
21:37:18.097 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
21:37:18.535 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
21:37:21.613 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
21:37:21.722 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
21:37:22.847 Modules scanning
21:37:30.408 Disk 0 trace - called modules:
21:37:30.424 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
21:37:30.424 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a1faab8]
21:37:30.424 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a1add98]
21:37:30.877 AVAST engine scan C:\WINDOWS
21:37:40.032 AVAST engine scan C:\WINDOWS\system32
21:42:03.905 AVAST engine scan C:\WINDOWS\system32\drivers
21:42:20.184 AVAST engine scan C:\Documents and Settings\bmeglio
21:48:26.325 AVAST engine scan C:\Documents and Settings\All Users
21:48:47.840 Scan finished successfully
22:05:53.477 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\bmeglio\Desktop\MBR.dat"
22:05:53.477 The log file has been saved successfully to "C:\Documents and Settings\bmeglio\Desktop\aswMBR.txt"

#10 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 July 2012 - 09:04 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 thonczarenko
  • Topic Starter

  • Members
  • 24 posts

Posted 05 July 2012 - 07:48 PM

Everything seems to be working well. Here is the log file.

Thank you!

ComboFix 12-07-05.04 - bmeglio 07/05/2012 20:19:41.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3072.2359 [GMT -4:00]
Running from: c:\documents and settings\bmeglio\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bmeglio\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x0B624CAA8193C822\bxlaui.exe
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x25C0C55654D1CFB5\PresentationFontCache.exe
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x9990F23C65E87FA2\bxlartd.exe
c:\docume~1\bmeglio\LOCALS~1\Temp\SPOON\CACHE\0xD40341C5FD70502B\SXS\x86_Microsoft.VC80.CRT@8.0.50727.3053\msvcr80.dll
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x0B624CAA8193C822\bxlaui.exe
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x25C0C55654D1CFB5\PresentationFontCache.exe
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\STUBEXE\0x9990F23C65E87FA2\bxlartd.exe
c:\documents and settings\bmeglio\Local Settings\Temp\SPOON\CACHE\0xD40341C5FD70502B\SXS\x86_Microsoft.VC80.CRT@8.0.50727.3053\msvcr80.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-06-29 11:52 . 2012-06-29 11:52 388096 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-29 11:52 . 2012-06-29 11:52 -------- d-----w- c:\program files\Trend Micro
2012-06-29 06:53 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-15 15:22 . 2012-06-15 15:22 -------- d-----w- c:\windows\Sun
2012-06-08 16:31 . 2012-06-08 16:31 -------- d-----w- C:\temp_pyx
2012-06-08 16:31 . 2012-06-08 16:31 -------- d-----w- C:\paychex
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\bmeglio\Application Data\PC Cleaners
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\bmeglio\Application Data\PCPro
2012-06-08 11:17 . 2012-06-08 11:17 4198712 ----a-w- c:\windows\uninst.exe
2012-06-08 11:17 . 2012-06-08 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PC1Data
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 11:15 . 2012-05-01 23:59 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-29 11:15 . 2012-05-01 23:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2012-05-01 17:37 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2012-05-01 17:37 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2012-05-01 17:37 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2012-05-01 17:37 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2012-05-01 17:37 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-04-14 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2012-05-01 17:37 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2012-05-01 17:37 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 19:27 . 2012-05-01 19:26 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-05-21 19:27 . 2012-05-01 19:26 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-21 19:27 . 2012-05-01 19:26 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-21 19:27 . 2012-05-01 19:26 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-05-16 15:08 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-04-14 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2008-04-14 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2012-05-01 17:35 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-02 01:10 . 2012-05-02 01:10 32768 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{74016397-E26A-472B-B007-9DA96710C08D}\_2C1A814F1B85_48EA_BC5A_4F4DB52ABB48.exe
2012-05-02 00:27 . 2012-05-02 00:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-02 00:27 . 2012-05-02 00:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-01 19:28 . 2012-05-01 19:28 274432 ----a-r- c:\documents and settings\bmeglio\Application Data\Microsoft\Installer\{1C007A26-2A82-4B10-B1D4-DDD34B65C796}\newport3.exe
2012-05-01 18:33 . 2012-05-01 18:33 274432 ----a-r- c:\documents and settings\opctadmin.OPCT\Application Data\Microsoft\Installer\{1C007A26-2A82-4B10-B1D4-DDD34B65C796}\newport3.exe
2012-05-01 18:08 . 2012-05-01 18:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-05-01 18:08 . 2012-05-01 18:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-05_00.23.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-06 00:28 . 2012-07-06 00:28 16384 c:\windows\Temp\Perflib_Perfdata_6a0.dat
+ 2012-05-01 18:09 . 2011-06-21 21:46 167936 c:\windows\system32\drivers\wpshelper.sys
- 2012-05-01 18:09 . 2010-09-11 02:32 167936 c:\windows\system32\drivers\wpshelper.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2012-02-29 4321112]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-05-17 273408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\bmeglio\Start Menu\Programs\Startup\
Flash Messaging Startup.lnk - c:\program files\m50\m50.exe [2003-3-13 385024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2012-5-1 82026]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-05-21 19:27 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"138.20.0.0,255.255.0.0,192.168.80.193,1"=""
"144.14.0.0,255.255.0.0,192.168.80.193,1"=""
"63.75.60.0,255.255.252.0,192.168.80.197,1"=""
"199.105.176.0,255.255.248.0,192.168.80.206,1"=""
"199.105.184.0,255.255.254.0,192.168.80.206,1"=""
"69.184.0.0,255.255.0.0,192.168.80.206,1"=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 9:30 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 2:10 PM 12856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/28/2012 8:15 PM 106656]
R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\drivers\ATTchWDF.sys [5/1/2012 7:46 PM 64000]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/1/2012 7:59 PM 257224]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/2/2009 4:02 PM 23888]
S3 PricingPubDM_PRIMARY;Eze Pricing Service PRIMARY;c:\program files\Eze Castle Software\EzePricing\PricingPublisherSvc.exe [11/22/2006 12:38 PM 2157056]
S3 SentrySvcDM_PRIMARY;Eze Sentry PRIMARY;c:\program files\Eze Castle Software\Common\SentrySvc.exe [11/22/2006 12:38 PM 1952256]
S3 StaticPricePubService_PRIMARY;Eze Static Pricing Publisher PRIMARY;c:\program files\Eze Castle Software\EzePricing\StaticPricingPublisherSvc.exe [11/22/2006 12:38 PM 1981952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 11:16]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: csfb.com\www
TCP: Interfaces\{804B68F6-E537-4FDB-BC38-2AB5EB860AED}: NameServer = 192.168.80.22,192.168.80.242
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-05 20:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\rdpclip.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\blp\api\office tools\bxlaui.exe
.
**************************************************************************
.
Completion time: 2012-07-05 20:34:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-06 00:34
ComboFix2.txt 2012-07-05 00:28
.
Pre-Run: 127,961,817,088 bytes free
Post-Run: 128,069,480,448 bytes free
.
- - End Of File - - CAC39441BEA5251E5C2F345F6A0494E7

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:12 AM

Posted 05 July 2012 - 09:01 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:12 AM

Posted 07 July 2012 - 11:31 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will then ask you to remove our tools.




Gringo

#14 thonczarenko

thonczarenko
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:12 PM

Posted 10 July 2012 - 01:05 PM

Sorry Gringo! I was away for a few days and just got back. I will perform the last task you suggested tonight.

Thank you,
Todd

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:12 AM

Posted 11 July 2012 - 12:05 AM

No problem, see you later.



gringo
