Live security Platinum


This topic is locked
37 replies to this topic

#1 jwh Bob

Posted 29 June 2012 - 01:11 PM

Hi,

as I've been redirected here, I think it might be an idea to copy my previous post from there:



So far I followed some of the instructions I found in another topic:

in safe mode:

TDSSkiller
aswMBR
ESET online scanner

As far as I understand the logs hereafter, neither TDSSkiller nor aswMBR found anything, but ESET did: it found 71 infections and could clean 70 of them.
Unfortunately I didn't save that log (yes, you're right, blame me).

Then I did ESET in "normal mode". Got 2 more files and cleaned them, and this time I saved the log too.

Went to get: http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Malwarebytes found something each time, but, as far as I understand, wasn't able to delete it.

Did Malwarebytes several times, always with the same result. After re-booting it announces that there is some more and tries to quarantine it.

At this level I stopped, hoping you could guide me further.

Many thanks for your time

Bob


Here come the logs:

16:11:52.0669 1680 TDSS rootkit removing tool 2.7.42.0 Jun 25 2012 21:18:44
16:11:52.0731 1680 ============================================================
16:11:52.0731 1680 Current date / time: 2012/06/28 16:11:52.0731
16:11:52.0731 1680 SystemInfo:
16:11:52.0731 1680
16:11:52.0731 1680 OS Version: 6.1.7601 ServicePack: 1.0
16:11:52.0731 1680 Product type: Workstation
16:11:52.0731 1680 ComputerName: S26
16:11:52.0731 1680 UserName: sabre
16:11:52.0731 1680 Windows directory: C:\Windows
16:11:52.0731 1680 System windows directory: C:\Windows
16:11:52.0731 1680 Processor architecture: Intel x86
16:11:52.0731 1680 Number of processors: 2
16:11:52.0731 1680 Page size: 0x1000
16:11:52.0731 1680 Boot type: Safe boot with network
16:11:52.0731 1680 ============================================================
16:11:53.0449 1680 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:11:53.0449 1680 ============================================================
16:11:53.0449 1680 \Device\Harddisk0\DR0:
16:11:53.0449 1680 MBR partitions:
16:11:53.0449 1680 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1FF800
16:11:53.0449 1680 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x200000, BlocksNum 0x12190800
16:11:53.0449 1680 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x12390800, BlocksNum 0x684000
16:11:53.0449 1680 ============================================================
16:11:53.0464 1680 C: <-> \Device\Harddisk0\DR0\Partition1
16:11:53.0495 1680 D: <-> \Device\Harddisk0\DR0\Partition2
16:11:53.0495 1680 ============================================================
16:11:53.0495 1680 Initialize success
16:11:53.0495 1680 ============================================================
16:12:36.0208 0676 ============================================================
16:12:36.0208 0676 Scan started
16:12:36.0208 0676 Mode: Manual; TDLFS;
16:12:36.0208 0676 ============================================================
16:12:44.0211 0676 PcaSvc - ok
16:12:44.0242 0676 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
16:12:44.0242 0676 pci - ok
16:12:44.0242 0676 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
16:12:44.0258 0676 pciide - ok
16:12:44.0274 0676 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
16:12:44.0274 0676 pcmcia - ok
16:12:44.0289 0676 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
16:12:44.0289 0676 pcw - ok
16:12:44.0305 0676 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
16:12:44.0320 0676 PEAUTH - ok
16:12:44.0352 0676 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
16:12:44.0367 0676 PeerDistSvc - ok
16:12:44.0430 0676 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
16:12:44.0461 0676 pla - ok
16:12:44.0554 0676 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
16:12:44.0554 0676 PlugPlay - ok
16:12:44.0570 0676 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
16:12:44.0586 0676 PNRPAutoReg - ok
16:12:44.0601 0676 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
16:12:44.0601 0676 PNRPsvc - ok
16:12:44.0632 0676 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
16:12:44.0632 0676 PolicyAgent - ok
16:12:44.0664 0676 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
16:12:44.0664 0676 Power - ok
16:12:44.0695 0676 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
16:12:44.0710 0676 PptpMiniport - ok
16:12:44.0710 0676 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
16:12:44.0726 0676 Processor - ok
16:12:44.0757 0676 ProfSvc (cadefac453040e370a1bdff3973be00d) C:\Windows\system32\profsvc.dll
16:12:44.0757 0676 ProfSvc - ok
16:12:44.0788 0676 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:12:44.0788 0676 ProtectedStorage - ok
16:12:44.0820 0676 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
16:12:44.0820 0676 Psched - ok
16:12:44.0851 0676 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
16:12:44.0882 0676 ql2300 - ok
16:12:44.0944 0676 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
16:12:44.0944 0676 ql40xx - ok
16:12:44.0976 0676 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
16:12:44.0991 0676 QWAVE - ok
16:12:45.0007 0676 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
16:12:45.0007 0676 QWAVEdrv - ok
16:12:45.0022 0676 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
16:12:45.0022 0676 RasAcd - ok
16:12:45.0038 0676 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
16:12:45.0038 0676 RasAgileVpn - ok
16:12:45.0069 0676 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
16:12:45.0069 0676 RasAuto - ok
16:12:45.0085 0676 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:12:45.0085 0676 Rasl2tp - ok
16:12:45.0116 0676 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
16:12:45.0116 0676 RasMan - ok
16:12:45.0147 0676 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
16:12:45.0147 0676 RasPppoe - ok
16:12:45.0147 0676 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
16:12:45.0147 0676 RasSstp - ok
16:12:45.0163 0676 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
16:12:45.0163 0676 rdbss - ok
16:12:45.0163 0676 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
16:12:45.0163 0676 rdpbus - ok
16:12:45.0194 0676 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:12:45.0194 0676 RDPCDD - ok
16:12:45.0225 0676 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
16:12:45.0225 0676 RDPDR - ok
16:12:45.0272 0676 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
16:12:45.0272 0676 RDPENCDD - ok
16:12:45.0272 0676 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
16:12:45.0272 0676 RDPREFMP - ok
16:12:45.0319 0676 RDPWD (f031683e6d1fea157abb2ff260b51e61) C:\Windows\system32\drivers\RDPWD.sys
16:12:45.0319 0676 RDPWD - ok
16:12:45.0350 0676 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
16:12:45.0366 0676 rdyboost - ok
16:12:45.0381 0676 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
16:12:45.0381 0676 RemoteAccess - ok
16:12:45.0412 0676 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
16:12:45.0412 0676 RemoteRegistry - ok
16:12:45.0428 0676 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
16:12:45.0428 0676 RpcEptMapper - ok
16:12:45.0444 0676 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
16:12:45.0444 0676 RpcLocator - ok
16:12:45.0475 0676 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
16:12:45.0475 0676 RpcSs - ok
16:12:45.0506 0676 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
16:12:45.0506 0676 rspndr - ok
16:12:45.0537 0676 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
16:12:45.0537 0676 s3cap - ok
16:12:45.0553 0676 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:12:45.0553 0676 SamSs - ok
16:12:45.0568 0676 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
16:12:45.0568 0676 sbp2port - ok
16:12:45.0600 0676 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
16:12:45.0600 0676 SCardSvr - ok
16:12:45.0615 0676 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
16:12:45.0631 0676 scfilter - ok
16:12:45.0662 0676 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
16:12:45.0693 0676 Schedule - ok
16:12:45.0709 0676 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
16:12:45.0709 0676 SCPolicySvc - ok
16:12:45.0724 0676 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
16:12:45.0740 0676 SDRSVC - ok
16:12:45.0771 0676 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
16:12:45.0771 0676 secdrv - ok
16:12:45.0802 0676 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
16:12:45.0802 0676 seclogon - ok
16:12:45.0818 0676 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\System32\sens.dll
16:12:45.0818 0676 SENS - ok
16:12:45.0834 0676 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
16:12:45.0834 0676 SensrSvc - ok
16:12:45.0865 0676 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
16:12:45.0865 0676 Serenum - ok
16:12:45.0865 0676 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
16:12:45.0865 0676 Serial - ok
16:12:45.0896 0676 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
16:12:45.0896 0676 sermouse - ok
16:12:45.0927 0676 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
16:12:45.0927 0676 SessionEnv - ok
16:12:45.0943 0676 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
16:12:45.0943 0676 sffdisk - ok
16:12:45.0943 0676 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
16:12:45.0943 0676 sffp_mmc - ok
16:12:45.0958 0676 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
16:12:45.0958 0676 sffp_sd - ok
16:12:45.0974 0676 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
16:12:45.0974 0676 sfloppy - ok
16:12:46.0005 0676 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
16:12:46.0021 0676 ShellHWDetection - ok
16:12:46.0036 0676 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
16:12:46.0052 0676 sisagp - ok
16:12:46.0083 0676 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
16:12:46.0083 0676 SiSRaid2 - ok
16:12:46.0099 0676 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
16:12:46.0099 0676 SiSRaid4 - ok
16:12:46.0130 0676 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
16:12:46.0130 0676 Smb - ok
16:12:46.0146 0676 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
16:12:46.0146 0676 SNMPTRAP - ok
16:12:46.0161 0676 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
16:12:46.0161 0676 spldr - ok
16:12:46.0192 0676 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
16:12:46.0208 0676 Spooler - ok
16:12:46.0286 0676 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
16:12:46.0348 0676 sppsvc - ok
16:12:46.0411 0676 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
16:12:46.0411 0676 sppuinotify - ok
16:12:46.0442 0676 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
16:12:46.0442 0676 srv - ok
16:12:46.0458 0676 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
16:12:46.0473 0676 srv2 - ok
16:12:46.0473 0676 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
16:12:46.0473 0676 srvnet - ok
16:12:46.0504 0676 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
16:12:46.0504 0676 SSDPSRV - ok
16:12:46.0520 0676 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
16:12:46.0520 0676 SstpSvc - ok
16:12:46.0536 0676 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
16:12:46.0536 0676 stexstor - ok
16:12:46.0567 0676 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
16:12:46.0582 0676 StiSvc - ok
16:12:46.0598 0676 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
16:12:46.0598 0676 storflt - ok
16:12:46.0629 0676 StorSvc (0bf669f0a910beda4a32258d363af2a5) C:\Windows\system32\storsvc.dll
16:12:46.0629 0676 StorSvc - ok
16:12:46.0645 0676 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
16:12:46.0645 0676 storvsc - ok
16:12:46.0645 0676 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
16:12:46.0645 0676 swenum - ok
16:12:46.0660 0676 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
16:12:46.0676 0676 swprv - ok
16:12:46.0723 0676 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
16:12:46.0738 0676 SysMain - ok
16:12:46.0770 0676 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
16:12:46.0785 0676 TabletInputService - ok
16:12:46.0801 0676 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
16:12:46.0801 0676 TapiSrv - ok
16:12:46.0816 0676 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
16:12:46.0832 0676 TBS - ok
16:12:46.0910 0676 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
16:12:46.0941 0676 Tcpip - ok
16:12:46.0972 0676 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
16:12:46.0972 0676 TCPIP6 - ok
16:12:47.0019 0676 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
16:12:47.0019 0676 tcpipreg - ok
16:12:47.0050 0676 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
16:12:47.0050 0676 TDPIPE - ok
16:12:47.0082 0676 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
16:12:47.0082 0676 TDTCP - ok
16:12:47.0128 0676 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
16:12:47.0128 0676 tdx - ok
16:12:47.0144 0676 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
16:12:47.0144 0676 TermDD - ok
16:12:47.0191 0676 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
16:12:47.0206 0676 TermService - ok
16:12:47.0222 0676 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
16:12:47.0222 0676 Themes - ok
16:12:47.0253 0676 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
16:12:47.0253 0676 THREADORDER - ok
16:12:47.0284 0676 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\Windows\system32\drivers\tpm.sys
16:12:47.0284 0676 TPM - ok
16:12:47.0316 0676 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
16:12:47.0316 0676 TrkWks - ok
16:12:47.0362 0676 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
16:12:47.0362 0676 TrustedInstaller - ok
16:12:47.0378 0676 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:12:47.0378 0676 tssecsrv - ok
16:12:47.0425 0676 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
16:12:47.0425 0676 TsUsbFlt - ok
16:12:47.0472 0676 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
16:12:47.0472 0676 tunnel - ok
16:12:47.0487 0676 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
16:12:47.0487 0676 uagp35 - ok
16:12:47.0518 0676 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
16:12:47.0518 0676 udfs - ok
16:12:47.0550 0676 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
16:12:47.0550 0676 UI0Detect - ok
16:12:47.0581 0676 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
16:12:47.0581 0676 uliagpkx - ok
16:12:47.0612 0676 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
16:12:47.0612 0676 umbus - ok
16:12:47.0628 0676 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
16:12:47.0643 0676 UmPass - ok
16:12:47.0674 0676 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
16:12:47.0674 0676 UmRdpService - ok
16:12:47.0752 0676 UNS (d47e82866a6ff02dae9cedf127c4bee0) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
16:12:47.0830 0676 UNS - ok
16:12:47.0908 0676 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
16:12:47.0908 0676 upnphost - ok
16:12:47.0940 0676 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
16:12:47.0940 0676 usbccgp - ok
16:12:47.0955 0676 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
16:12:47.0955 0676 usbcir - ok
16:12:47.0971 0676 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
16:12:47.0971 0676 usbehci - ok
16:12:48.0002 0676 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
16:12:48.0002 0676 usbhub - ok
16:12:48.0033 0676 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
16:12:48.0033 0676 usbohci - ok
16:12:48.0049 0676 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
16:12:48.0049 0676 usbprint - ok
16:12:48.0064 0676 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:12:48.0064 0676 USBSTOR - ok
16:12:48.0064 0676 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
16:12:48.0064 0676 usbuhci - ok
16:12:48.0080 0676 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
16:12:48.0080 0676 UxSms - ok
16:12:48.0096 0676 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:12:48.0096 0676 VaultSvc - ok
16:12:48.0127 0676 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
16:12:48.0127 0676 vdrvroot - ok
16:12:48.0142 0676 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
16:12:48.0158 0676 vds - ok
16:12:48.0174 0676 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
16:12:48.0189 0676 vga - ok
16:12:48.0205 0676 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
16:12:48.0205 0676 VgaSave - ok
16:12:48.0220 0676 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
16:12:48.0220 0676 vhdmp - ok
16:12:48.0252 0676 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
16:12:48.0252 0676 viaagp - ok
16:12:48.0267 0676 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
16:12:48.0267 0676 ViaC7 - ok
16:12:48.0283 0676 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
16:12:48.0283 0676 viaide - ok
16:12:48.0314 0676 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
16:12:48.0314 0676 vmbus - ok
16:12:48.0330 0676 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
16:12:48.0330 0676 VMBusHID - ok
16:12:48.0345 0676 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
16:12:48.0345 0676 volmgr - ok
16:12:48.0376 0676 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
16:12:48.0376 0676 volmgrx - ok
16:12:48.0423 0676 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
16:12:48.0423 0676 volsnap - ok
16:12:48.0454 0676 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
16:12:48.0454 0676 vsmraid - ok
16:12:48.0501 0676 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
16:12:48.0517 0676 VSS - ok
16:12:48.0532 0676 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
16:12:48.0532 0676 vwifibus - ok
16:12:48.0564 0676 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
16:12:48.0564 0676 W32Time - ok
16:12:48.0579 0676 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
16:12:48.0579 0676 WacomPen - ok
16:12:48.0610 0676 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:12:48.0610 0676 WANARP - ok
16:12:48.0610 0676 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:12:48.0610 0676 Wanarpv6 - ok
16:12:48.0688 0676 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
16:12:48.0735 0676 WatAdminSvc - ok
16:12:48.0782 0676 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
16:12:48.0813 0676 wbengine - ok
16:12:48.0844 0676 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
16:12:48.0844 0676 WbioSrvc - ok
16:12:48.0907 0676 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
16:12:48.0907 0676 wcncsvc - ok
16:12:48.0938 0676 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
16:12:48.0938 0676 WcsPlugInService - ok
16:12:49.0000 0676 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
16:12:49.0000 0676 Wd - ok
16:12:49.0016 0676 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
16:12:49.0032 0676 Wdf01000 - ok
16:12:49.0032 0676 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:12:49.0032 0676 WdiServiceHost - ok
16:12:49.0032 0676 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:12:49.0047 0676 WdiSystemHost - ok
16:12:49.0063 0676 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
16:12:49.0063 0676 WebClient - ok
16:12:49.0094 0676 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
16:12:49.0094 0676 Wecsvc - ok
16:12:49.0110 0676 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
16:12:49.0110 0676 wercplsupport - ok
16:12:49.0125 0676 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
16:12:49.0125 0676 WerSvc - ok
16:12:49.0156 0676 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
16:12:49.0156 0676 WfpLwf - ok
16:12:49.0156 0676 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
16:12:49.0156 0676 WIMMount - ok
16:12:49.0156 0676 WinHttpAutoProxySvc - ok
16:12:49.0219 0676 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
16:12:49.0219 0676 Winmgmt - ok
16:12:49.0266 0676 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
16:12:49.0281 0676 WinRM - ok
16:12:49.0328 0676 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
16:12:49.0344 0676 Wlansvc - ok
16:12:49.0406 0676 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
16:12:49.0406 0676 WmiAcpi - ok
16:12:49.0453 0676 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
16:12:49.0453 0676 wmiApSrv - ok
16:12:49.0531 0676 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
16:12:49.0546 0676 WMPNetworkSvc - ok
16:12:49.0562 0676 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
16:12:49.0578 0676 WPCSvc - ok
16:12:49.0593 0676 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
16:12:49.0593 0676 WPDBusEnum - ok
16:12:49.0624 0676 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
16:12:49.0624 0676 ws2ifsl - ok
16:12:49.0624 0676 WSearch - ok
16:12:49.0687 0676 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
16:12:49.0718 0676 wuauserv - ok
16:12:49.0796 0676 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
16:12:49.0812 0676 WudfPf - ok
16:12:49.0843 0676 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:12:49.0843 0676 WUDFRd - ok
16:12:49.0890 0676 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
16:12:49.0890 0676 wudfsvc - ok
16:12:49.0905 0676 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
16:12:49.0921 0676 WwanSvc - ok
16:12:49.0936 0676 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
16:12:50.0217 0676 \Device\Harddisk0\DR0 - ok
16:12:50.0264 0676 Boot (0x1200) (59072999f9d8546d9962d5c1d4bd89f7) \Device\Harddisk0\DR0\Partition0
16:12:50.0264 0676 \Device\Harddisk0\DR0\Partition0 - ok
16:12:50.0264 0676 Boot (0x1200) (a5e7ffb36c83fcd89cf93e5b2fc55c6a) \Device\Harddisk0\DR0\Partition1
16:12:50.0264 0676 \Device\Harddisk0\DR0\Partition1 - ok
16:12:50.0295 0676 Boot (0x1200) (c99ee472b61100017298154de1733902) \Device\Harddisk0\DR0\Partition2
16:12:50.0295 0676 \Device\Harddisk0\DR0\Partition2 - ok
16:12:50.0295 0676 ============================================================
16:12:50.0295 0676 Scan finished
16:12:50.0295 0676 ============================================================
16:12:50.0311 0640 Detected object count: 0
16:12:50.0311 0640 Actual detected object count: 0
16:15:06.0655 2032 Deinitialize success



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-28 16:14:39
-----------------------------
16:14:39.854 OS Version: Windows 6.1.7601 Service Pack 1
16:14:39.854 Number of processors: 2 586 0x170A
16:14:39.854 ComputerName: S26 UserName:
16:15:02.537 Initialize success
16:16:39.772 AVAST engine defs: 12062800
16:17:03.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:17:03.203 Disk 0 Vendor: ST316031 HP34 Size: 152627MB BusType: 3
16:17:03.203 Disk 0 MBR read successfully
16:17:03.203 Disk 0 MBR scan
16:17:03.203 Disk 0 Windows 7 default MBR code
16:17:03.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1023 MB offset 2048
16:17:03.234 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 148257 MB offset 2097152
16:17:03.265 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 3336 MB offset 305727488
16:17:03.296 Disk 0 scanning sectors +312559616
16:17:03.359 Disk 0 scanning C:\Windows\system32\drivers
16:17:12.282 Service scanning
16:17:28.194 Modules scanning
16:17:33.779 Disk 0 trace - called modules:
16:17:33.810 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iastor.sys
16:17:33.810 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85537568]
16:17:33.810 3 CLASSPNP.SYS[881ab59e] -> nt!IofCallDriver -> [0x8473c900]
16:17:33.826 5 ACPI.sys[87a203d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x83e19028]
16:17:35.682 AVAST engine scan C:\Windows
16:17:37.133 AVAST engine scan C:\Windows\system32
16:19:41.200 AVAST engine scan C:\Windows\system32\drivers
16:19:51.293 AVAST engine scan C:\Users\sabre
16:27:57.123 AVAST engine scan C:\ProgramData
16:30:44.308 Scan finished successfully
16:50:06.354 Disk 0 MBR has been saved successfully to "C:\Users\sabre\Documents\MBR.dat"
16:50:06.354 The log file has been saved successfully to "C:\Users\sabre\Documents\aswMBR.txt"



The second ESET:
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan cleaned by deleting - quarantined



Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.28.09

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
sabre :: S26 [administrator]

Protection: Enabled

28/06/2012 18:58:44
mbam-log-2012-06-28 (19-59-40).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 355319
Time elapsed: 57 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\n. -> No action taken.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ (Rootkit.0Access) -> No action taken.

(end)



After a few minutes I already had an answer:

Hello, due to this item in the ESET log, \U\80000000.@ a variant of Win32/Sirefef.
We need to get a deeper look.



So we did, and here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by sabre at 19:06:33 on 2012-06-29
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1977.1029 [GMT 2:00]
.
AV: Kaspersky Anti-Virus *Enabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
FW: Kaspersky Anti-Virus *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} -
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\sabre\appdata\roaming\micros~1\windows\startm~1\programs\startup\spampal.lnk - c:\program files\spampal\spampal.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\scieplgn.dll
Trusted Zone: agentware.net
Trusted Zone: sabre.com
Trusted Zone: servico.be\www
Trusted Zone: servico.be\www
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{E5B51FF0-4D8E-467B-ACCF-5EDA45E6EDD4} : NameServer = 10.62.124.200,194.154.192.101
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0fo\adialhk.dll
.
============= SERVICES / DRIVERS ===============
.
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 22104]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-4 207400]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-6-13 792512]
R2 AVP;Kaspersky Anti-Virus 6.0;c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe [2010-3-13 311680]
R2 klnagent;Kaspersky Lab Network Agent;c:\program files\kaspersky lab\networkagent 8\klnagent.exe [2010-3-10 136352]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-28 654408]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-29 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-3-29 202408]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2009-9-4 24848]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-28 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-24 1343400]
.
=============== Created Last 30 ================
.
2012-06-28 16:55:12 -------- d-----w- c:\users\sabre\appdata\roaming\Malwarebytes
2012-06-28 16:55:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-28 16:55:05 -------- d-----w- c:\programdata\Malwarebytes
2012-06-28 16:55:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-28 14:53:07 -------- d-----w- c:\program files\ESET
2012-06-28 13:24:08 -------- d-----w- c:\programdata\F4D55F3B0001D22300000B25B4EB238B
2012-06-26 06:12:43 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c656b377-f783-4d5a-adeb-c6cc4bc022dd}\mpengine.dll
2012-06-25 06:22:47 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 06:22:39 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 06:22:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-25 06:22:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-20 07:06:57 -------- d-----w- c:\program files\Application Updater
2012-06-20 07:06:56 -------- d-----w- c:\program files\pdfforge Toolbar
2012-06-20 07:06:56 -------- d-----w- c:\program files\common files\Spigot
2012-06-14 07:05:33 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-14 07:05:33 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:05:32 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 07:05:31 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 07:05:31 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 07:05:31 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 07:05:31 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 07:05:27 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:05:27 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:05:27 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
==================== Find3M ====================
.
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 19:16:16.14 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-29 19:51:33
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316031 rev.HP34
Running: gmer.exe; Driver: C:\Users\sabre\AppData\Local\Temp\fxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x8DD4BAC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8DD4C298]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8DD4C6C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateFile [0x8DD5048C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0x8DD4B98C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x8DD4D76E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x8DD4C03C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x8DD4D1A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x8DD4C492]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x8DD4DBB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwFsControlFile [0x8DD4C344]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x8DD4D232]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenFile [0x8DD502D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x8DD4BCF6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x8DD4D798]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x8DD4BBF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x8DD4D4C6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplaceKey [0x8DD4AE5C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x8DD4D026]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRestoreKey [0x8DD4AFBE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x8DD4DA84]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSaveKey [0x8DD4AC5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x8DD4C582]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x8DD4C13C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSecurityObject [0x8DD4D32C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x8DD4D7C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x8DD4D8A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x8DD4D962]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x8DD4D0CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x8DD4BE90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x8DD4BDE6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x8DD4BF70]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A543C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8DD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82A94D8C 4 Bytes [C6, BA, D4, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82A94E24 4 Bytes [98, C2, D4, 8D] {CWDE ; RET 0x8dd4}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82A94E48 4 Bytes [C0, C6, D4, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 82A94E64 4 Bytes [8C, 04, D5, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11D3 82A94E88 4 Bytes [8C, B9, D4, 8D]
.text ...
? System32\drivers\npixda.sys The system cannot find the path specified. !
? C:\Users\sabre\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[548] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1816] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[1816] USER32.dll!NotifyWinEvent + 6AE 7791D66C 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]}
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] kernel32.dll!CreateThread 7707DCC2 5 Bytes JMP 6ACA75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!EnableWindow 77908D02 5 Bytes JMP 6ACE9EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CallNextHookEx 7790ABE1 5 Bytes JMP 6AD07FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!UnhookWindowsHookEx 7790ADF9 5 Bytes JMP 6AD2ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DefWindowProcA 7790BB1C 7 Bytes JMP 6ACA97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CreateWindowExA 7790BF40 5 Bytes JMP 6ACB362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!SetWindowsHookExW 7790E30C 5 Bytes JMP 6ACE25AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CreateWindowExW 7790EC7C 5 Bytes JMP 6AD103B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DefWindowProcW 7791507D 7 Bytes JMP 6AD08042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamW 77923B9B 5 Bytes JMP 6AC4187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamW 77933B7F 5 Bytes JMP 6AE38D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamA 7794CF42 5 Bytes JMP 6AE38D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamA 7794D274 5 Bytes JMP 6AE38DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectA 7795E869 5 Bytes JMP 6AE38CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectW 7795E963 5 Bytes JMP 6AE38C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExA 7795E9C9 5 Bytes JMP 6AE38BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExW 7795E9ED 5 Bytes JMP 6AE38B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] ole32.dll!OleLoadFromStream 773F6143 5 Bytes JMP 6AE3955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!EnableWindow 77908D02 5 Bytes JMP 6ACE9EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxParamW 77923B9B 5 Bytes JMP 6AC4187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxIndirectParamW 77933B7F 5 Bytes JMP 6AE38D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxParamA 7794CF42 5 Bytes JMP 6AE38D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!DialogBoxIndirectParamA 7794D274 5 Bytes JMP 6AE38DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxIndirectA 7795E869 5 Bytes JMP 6AE38CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxIndirectW 7795E963 5 Bytes JMP 6AE38C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxExA 7795E9C9 5 Bytes JMP 6AE38BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3136] USER32.dll!MessageBoxExW 7795E9ED 5 Bytes JMP 6AE38B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] kernel32.dll!CreateThread 7707DCC2 5 Bytes JMP 6ACA75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!EnableWindow 77908D02 5 Bytes JMP 6ACE9EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!CallNextHookEx 7790ABE1 5 Bytes JMP 6AD07FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!UnhookWindowsHookEx 7790ADF9 5 Bytes JMP 6AD2ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DefWindowProcA 7790BB1C 7 Bytes JMP 6ACA97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!CreateWindowExA 7790BF40 5 Bytes JMP 6ACB362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!SetWindowsHookExW 7790E30C 5 Bytes JMP 6ACE25AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!CreateWindowExW 7790EC7C 5 Bytes JMP 6AD103B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DefWindowProcW 7791507D 7 Bytes JMP 6AD08042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DialogBoxParamW 77923B9B 5 Bytes JMP 6AC4187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DialogBoxIndirectParamW 77933B7F 5 Bytes JMP 6AE38D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DialogBoxParamA 7794CF42 5 Bytes JMP 6AE38D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!DialogBoxIndirectParamA 7794D274 5 Bytes JMP 6AE38DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!MessageBoxIndirectA 7795E869 5 Bytes JMP 6AE38CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!MessageBoxIndirectW 7795E963 5 Bytes JMP 6AE38C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!MessageBoxExA 7795E9C9 5 Bytes JMP 6AE38BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] USER32.dll!MessageBoxExW 7795E9ED 5 Bytes JMP 6AE38B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3204] ole32.dll!OleLoadFromStream 773F6143 5 Bytes JMP 6AE3955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3560] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe[3560] USER32.dll!NotifyWinEvent + 6AE 7791D66C 4 Bytes [50, 12, 4A, 6D] {PUSH EAX; ADC CL, [EDX+0x6d]}

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----



Thanks for your time and patience

Bob



#2 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:11:57 AM

Posted 30 June 2012 - 09:01 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 jwh Bob
  • Topic Starter
  • Members
  • 71 posts
  • Gender:Male
  • Location:Luxembourg
  • Local time:05:57 PM

Posted 01 July 2012 - 10:30 AM

Hi RPMcMurphy,

Glad you found time to answer so quickly to my problem!

As this PC is a part of a network I worried that it could infect others, so I gave instructions not to use it and I just turn it on to do the requested actions. As this causes some problems here, do you think I could lower these restrictions?

So here's the scan result:

Thanks
Bob



Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 30-06-2012 02
Ran by SYSTEM at 01-07-2012 17:09:03
Running from G:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-07-01] (Analog Devices, Inc.)
HKLM\...\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup [796696 2009-07-24] (Intel Corporation)
HKLM\...\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe" [153640 2009-06-03] (ActivIdentity)
HKLM\...\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [400936 2009-06-03] (ActivIdentity)
HKLM\...\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [311680 2010-03-12] (Kaspersky Lab)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]
AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
Tcpip\..\Interfaces\{E5B51FF0-4D8E-467B-ACCF-5EDA45E6EDD4}: [NameServer]10.62.124.200,194.154.192.101
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\Users\sabre\Start Menu\Programs\Startup\SpamPal.lnk
ShortcutTarget: SpamPal.lnk -> C:\Program Files\SpamPal\spampal.exe ()

================================ Services (Whitelisted) ==================

2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [207400 2009-06-03] (ActivIdentity)
2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [90112 2009-07-01] (Andrea Electronics Corporation)
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [792512 2012-06-13] (Spigot, Inc.)
2 AVP; "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" -r [311680 2010-03-12] (Kaspersky Lab)
3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556544 2010-11-20] (Microsoft Corporation)
3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 klnagent; "C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe" [136352 2010-03-10] (Kaspersky Lab)
3 LBTServ; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [121360 2008-05-01] (Logitech, Inc.)
2 LMS; C:\Program Files\Intel\AMT\LMS.exe [174616 2009-07-24] (Intel Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-24] (Intel Corporation)
3 wbengine; "C:\Windows\system32\wbengine.exe" [1203200 2010-11-20] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [381440 2009-07-01] (Analog Devices, Inc.)
1 kl1; C:\Windows\System32\DRIVERS\kl1.sys [126480 2009-11-12] (Kaspersky Lab)
3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab)
1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [233560 2010-12-01] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [22104 2010-12-01] (Kaspersky Lab ZAO)
3 L8042Kbd; C:\Windows\System32\DRIVERS\L8042Kbd.sys [20240 2008-02-28] (Logitech, Inc.)
3 L8042mou; C:\Windows\System32\DRIVERS\L8042mou.Sys [63120 2008-02-28] (Logitech, Inc.)
3 LHidFilt; C:\Windows\System32\DRIVERS\LHidFilt.Sys [35344 2008-02-28] (Logitech, Inc.)
3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [36880 2008-02-28] (Logitech, Inc.)
3 LMouKE; C:\Windows\System32\DRIVERS\LMouKE.Sys [79120 2008-02-28] (Logitech, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-29 09:51 - 2012-06-29 09:51 - 00022769 ____A C:\Users\sabre\Desktop\ark.txt
2012-06-29 09:27 - 2012-06-29 09:27 - 00000000 ____D C:\Users\sabre\Desktop\gmer
2012-06-29 09:24 - 2012-06-29 09:24 - 00294216 ____A C:\Users\sabre\Desktop\gmer.zip
2012-06-29 09:18 - 2012-06-29 09:18 - 00011000 ____A C:\Users\sabre\Desktop\Attach.txt
2012-06-29 09:18 - 2012-06-29 09:18 - 00010577 ____A C:\Users\sabre\Desktop\DDS.txt
2012-06-29 09:04 - 2012-06-29 09:04 - 00607260 ____R (Swearware) C:\Users\sabre\Desktop\dds.scr
2012-06-29 09:03 - 2012-06-29 09:03 - 00000472 ____A C:\Users\sabre\Desktop\defogger_disable.log
2012-06-29 09:03 - 2012-06-29 09:03 - 00000000 ____A C:\Users\sabre\defogger_reenable
2012-06-28 08:55 - 2012-06-28 08:55 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-28 08:55 - 2012-06-28 08:55 - 00000000 ____D C:\Users\sabre\AppData\Roaming\Malwarebytes
2012-06-28 08:55 - 2012-06-28 08:55 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-28 08:55 - 2012-06-28 08:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-06-28 08:55 - 2012-04-04 05:56 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 08:52 - 2012-06-28 08:52 - 00000298 ____A C:\Users\sabre\Downloads\eset.txt
2012-06-28 08:16 - 2012-06-28 08:16 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\sabre\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-28 06:53 - 2012-06-28 06:53 - 00000000 ____D C:\Program Files\ESET
2012-06-28 06:52 - 2012-06-28 06:53 - 02322184 ____A (ESET) C:\Users\sabre\Downloads\esetsmartinstaller_enu.exe
2012-06-28 06:50 - 2012-06-28 06:50 - 00002010 ____A C:\Users\sabre\Documents\aswMBR.txt
2012-06-28 06:50 - 2012-06-28 06:50 - 00000512 ____A C:\Users\sabre\Documents\MBR.dat
2012-06-28 06:14 - 2012-06-28 06:14 - 04731392 ____A (AVAST Software) C:\Users\sabre\Downloads\aswMBR.exe
2012-06-28 06:11 - 2012-06-28 06:11 - 02128984 ____A (Kaspersky Lab ZAO) C:\Users\sabre\Downloads\tdsskiller.exe
2012-06-28 05:24 - 2012-06-28 07:05 - 00000000 ____D C:\Users\All Users\F4D55F3B0001D22300000B25B4EB238B
2012-06-27 05:08 - 2012-06-27 06:48 - 02199028 ____A C:\Users\sabre\Documents\Zypern.rtf
2012-06-24 22:22 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-24 22:22 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-24 22:22 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-24 22:22 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-24 22:22 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-24 22:22 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-24 22:22 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-24 22:22 - 2012-06-02 05:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-24 22:22 - 2012-06-02 05:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-22 01:40 - 2012-06-22 01:40 - 00001982 ____A C:\Users\sabre\Desktop\S35 Marie.RDP
2012-06-19 23:06 - 2012-06-19 23:06 - 00000000 ____D C:\Program Files\pdfforge Toolbar
2012-06-19 23:06 - 2012-06-19 23:06 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-06-19 23:06 - 2012-06-19 23:06 - 00000000 ____D C:\Program Files\Application Updater
2012-06-14 07:05 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 07:05 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 07:05 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 07:05 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 07:05 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 07:05 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 07:05 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 07:05 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 07:05 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 07:05 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 07:05 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 07:05 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 07:05 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 07:05 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 23:05 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 23:05 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 23:05 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 23:05 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 23:05 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 23:05 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 23:05 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 23:05 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 23:05 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 23:05 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-06 04:04 - 2012-06-06 04:04 - 02810877 ____A C:\Users\sabre\Documents\DER 289931149 Biel.eps


============ 3 Months Modified Files ========================

2012-07-01 06:54 - 2009-07-25 04:54 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-01 06:54 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-01 06:54 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-01 06:49 - 2010-04-06 03:21 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-01 06:49 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-01 06:49 - 2009-07-13 20:39 - 00092683 ____A C:\Windows\setupact.log
2012-06-29 10:27 - 2010-03-29 07:26 - 01772632 ____A C:\Windows\WindowsUpdate.log
2012-06-29 09:51 - 2012-06-29 09:51 - 00022769 ____A C:\Users\sabre\Desktop\ark.txt
2012-06-29 09:24 - 2012-06-29 09:24 - 00294216 ____A C:\Users\sabre\Desktop\gmer.zip
2012-06-29 09:18 - 2012-06-29 09:18 - 00011000 ____A C:\Users\sabre\Desktop\Attach.txt
2012-06-29 09:18 - 2012-06-29 09:18 - 00010577 ____A C:\Users\sabre\Desktop\DDS.txt
2012-06-29 09:04 - 2012-06-29 09:04 - 00607260 ____R (Swearware) C:\Users\sabre\Desktop\dds.scr
2012-06-29 09:03 - 2012-06-29 09:03 - 00000472 ____A C:\Users\sabre\Desktop\defogger_disable.log
2012-06-29 09:03 - 2012-06-29 09:03 - 00000000 ____A C:\Users\sabre\defogger_reenable
2012-06-29 08:57 - 2010-04-06 02:23 - 00125054 ____A C:\Windows\PFRO.log
2012-06-28 08:55 - 2012-06-28 08:55 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-28 08:52 - 2012-06-28 08:52 - 00000298 ____A C:\Users\sabre\Downloads\eset.txt
2012-06-28 08:16 - 2012-06-28 08:16 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\sabre\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-28 06:53 - 2012-06-28 06:52 - 02322184 ____A (ESET) C:\Users\sabre\Downloads\esetsmartinstaller_enu.exe
2012-06-28 06:50 - 2012-06-28 06:50 - 00002010 ____A C:\Users\sabre\Documents\aswMBR.txt
2012-06-28 06:50 - 2012-06-28 06:50 - 00000512 ____A C:\Users\sabre\Documents\MBR.dat
2012-06-28 06:14 - 2012-06-28 06:14 - 04731392 ____A (AVAST Software) C:\Users\sabre\Downloads\aswMBR.exe
2012-06-28 06:11 - 2012-06-28 06:11 - 02128984 ____A (Kaspersky Lab ZAO) C:\Users\sabre\Downloads\tdsskiller.exe
2012-06-28 05:27 - 2010-04-08 07:41 - 00010445 ____A C:\Users\sabre\sslvpn-client.log
2012-06-28 05:27 - 2010-04-08 07:41 - 00001712 ____A C:\Users\sabre\sslvpn-client-out-err.log
2012-06-28 04:31 - 2010-04-08 23:54 - 00000181 ____A C:\Users\sabre\irisplus-iplusdcs.properties
2012-06-28 03:49 - 2010-08-27 00:06 - 00000095 ____A C:\Users\sabre\sslvpn-config.properties
2012-06-28 03:49 - 2010-04-08 07:41 - 00000824 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-06-28 03:49 - 2010-04-08 07:41 - 00000000 ____A C:\Windows\System32\Drivers\etc\lmhosts.bak
2012-06-27 06:48 - 2012-06-27 05:08 - 02199028 ____A C:\Users\sabre\Documents\Zypern.rtf
2012-06-22 01:40 - 2012-06-22 01:40 - 00001982 ____A C:\Users\sabre\Desktop\S35 Marie.RDP
2012-06-14 23:04 - 2009-07-13 20:33 - 00289576 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 07:08 - 2010-03-29 00:04 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-06 04:04 - 2012-06-06 04:04 - 02810877 ____A C:\Users\sabre\Documents\DER 289931149 Biel.eps
2012-06-02 14:19 - 2012-06-24 22:22 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 22:22 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 22:22 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 22:22 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 22:22 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-24 22:22 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-24 22:22 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 05:19 - 2012-06-24 22:22 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 05:12 - 2012-06-24 22:22 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-17 15:11 - 2012-06-14 07:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-14 07:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-14 07:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-14 07:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-14 07:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-14 07:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-14 07:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-14 07:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-14 07:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-14 07:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-14 07:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-14 07:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-14 07:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-14 07:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 17:05 - 2012-06-13 23:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-02 06:17 - 2011-11-09 05:48 - 00000193 ____A C:\Windows\WORDPAD.INI
2012-04-30 20:44 - 2012-06-13 23:05 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 23:05 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:45 - 2012-06-13 23:05 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-13 23:05 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-13 23:05 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-13 23:05 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-13 23:05 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 23:05 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-10 03:57 - 2012-04-10 03:57 - 06532202 ____A C:\Users\sabre\Documents\DER 287547947 Vinciotti.tif
2012-04-07 03:26 - 2012-06-13 23:05 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-04 05:56 - 2012-06-28 08:55 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

ZeroAccess:
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\@
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\L
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\00000001.@
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@

ZeroAccess:
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\@
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\L
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 27%
Total physical RAM: 1977.25 MB
Available physical RAM: 1439.81 MB
Total Pagefile: 1977.25 MB
Available Pagefile: 1452.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:144.78 GB) (Free:115.04 GB) NTFS
2 Drive e: (HP_RECOVERY) (Fixed) (Total:3.26 GB) (Free:0.34 GB) NTFS
4 Drive g: () (Removable) (Total:3.72 GB) (Free:2.46 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:1 GB) (Free:0.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 9 MB
Disk 1 Online 3820 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1023 MB 1024 KB
Partition 2 Primary 144 GB 1024 MB
Partition 3 Primary 3336 MB 145 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 1023 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 144 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 3336 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3820 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

==========================================================

Last Boot: 2012-06-24 23:23

======================= End Of Log ==========================

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:57 AM

Posted 01 July 2012 - 11:28 AM

Hi,

There is minimal risk in using the other PCs on your network. Just don't share files, etc. for now. Please do this next:

Boot to System Recovery Options and run FRST again.
  • Type the following in the edit box after "Search:".

    services.exe
  • Click Search button and post the log (Search.txt) it makes to your reply.

Edited by RPMcMurphy, 01 July 2012 - 01:12 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#5 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:05:57 PM

Posted 02 July 2012 - 06:52 AM

Hi,

Back again with a (very short) log:

Farbar Recovery Scan Tool Version: 30-06-2012 02
Ran by SYSTEM at 2012-07-02 13:45:25
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Cheers

Bob
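
The Search.txt above is the evidence the helper was after: two copies of services.exe with the same size (259072 bytes) and the same timestamps but different MD5 values, where the copy in the WinSxS component store is the reference and the copy in System32 is the one later replaced. The script below is an added example, not part of this thread and not code from FRST or any other tool named here. It parses FRST search output of the shape posted above and flags any copy outside WinSxS whose hash matches none of the component-store copies; it also records whether the size matched, to make the point that a size check alone would have passed this file. The sample input is constructed from the two entries posted above; the regular expressions, the `FileEntry` type and the verdict names are assumptions of mine.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: the Search.txt posted in this thread, copied verbatim
# (the abbreviated WinSxS directory name is as FRST printed it).
SAMPLE_SEARCH = r"""
Farbar Recovery Scan Tool Version: 30-06-2012 02
Ran by SYSTEM at 2012-07-02 13:45:25
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# A result line in FRST search output is a Windows path on its own line ...
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# ... followed by "[created] - [modified] - size attrs (company) MD5";
# the "(company)" field is absent for unsigned files, so it is optional.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_frst_search(text: str) -> List[FileEntry]:
    """Turn FRST 'Search:' output into FileEntry records (path + detail pairs)."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[FileEntry] = []
    i = 0
    while i < len(lines):
        if PATH_RE.match(lines[i]):
            j = i + 1
            while j < len(lines) and not lines[j]:   # tolerate blank lines between the pair
                j += 1
            m = DETAIL_RE.match(lines[j]) if j < len(lines) else None
            if m:
                entries.append(FileEntry(
                    path=lines[i], created=m["created"], modified=m["modified"],
                    size=int(m["size"]), attrs=m["attrs"],
                    company=m["company"] or "", md5=m["md5"].upper()))
                i = j + 1
                continue
        i += 1
    return entries


def _in_winsxs(path: str) -> bool:
    return "\\winsxs\\" in path.lower()


def check_against_winsxs(entries: List[FileEntry]) -> List[dict]:
    """Compare every non-WinSxS copy of a file with the WinSxS copies of the same name.

    Several WinSxS copies may legitimately exist (one per servicing level), so a
    live file is a 'match' if its MD5 equals any of them, 'mismatch' if it equals
    none, and 'no-reference' when the store holds no copy to compare against.
    """
    ref_md5: Dict[str, Set[str]] = {}
    ref_size: Dict[str, Set[int]] = {}
    for e in entries:
        if _in_winsxs(e.path):
            name = ntpath.basename(e.path).lower()
            ref_md5.setdefault(name, set()).add(e.md5)
            ref_size.setdefault(name, set()).add(e.size)

    results = []
    for e in entries:
        if _in_winsxs(e.path):
            continue
        name = ntpath.basename(e.path).lower()
        known = ref_md5.get(name, set())
        if not known:
            verdict = "no-reference"
        elif e.md5 in known:
            verdict = "match"
        else:
            verdict = "mismatch"
        results.append({
            "path": e.path,
            "verdict": verdict,
            "reference_md5s": sorted(known),
            # Same size as a store copy is expected for an in-place patched binary,
            # which is exactly why the hash, not the size, is the signal here.
            "same_size_as_reference": e.size in ref_size.get(name, set()),
        })
    return results


if __name__ == "__main__":
    for r in check_against_winsxs(parse_frst_search(SAMPLE_SEARCH)):
        print(f"{r['verdict']:12} {r['path']}  size-matches-store={r['same_size_as_reference']}")
```

Run against the posted search, the System32 copy comes back as `mismatch` with `same_size_as_reference=True`, which is the combination the helper acted on with the FRST `Replace:` directive in the next post.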

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:57 AM

Posted 02 July 2012 - 12:39 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe  C:\Windows\System32\services.exe
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • Fixlog.txt from your flash drive
  • ComboFix log



#7 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:05:57 PM

Posted 03 July 2012 - 06:47 AM

Back again, two remarks

- had problems disabling Kaspersky. "disable" not an option. "pause protection" didn't help much...
- during the combofix scan a window "pev.exe has stopped working" came up twice.

Here are the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 30-06-2012 02
Ran by SYSTEM at 2012-07-03 13:10:07 Run:1
Running from G:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda} moved successfully.
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda} moved successfully.

==== End of Fixlog ====




ComboFix 12-07-02.01 - sabre 03/07/2012 13:18:54.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1977.1083 [GMT 2:00]
Running from: c:\users\sabre\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Enabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky Anti-Virus *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\sabre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\sabre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 )))))))))))))))))))))))))))))))
.
.
2012-07-03 11:23 . 2012-07-03 11:28 -------- d-----w- c:\users\sabre\AppData\Local\temp
2012-07-03 11:23 . 2012-07-03 11:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-03 11:23 . 2012-07-03 11:23 -------- d-----w- c:\users\Utilisateur\AppData\Local\temp
2012-07-03 11:23 . 2012-07-03 11:23 -------- d-----w- c:\users\manager\AppData\Local\temp
2012-07-02 01:08 . 2012-07-02 01:09 -------- d-----w- C:\FRST
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\users\sabre\AppData\Roaming\Malwarebytes
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\programdata\Malwarebytes
2012-06-28 16:55 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-28 14:53 . 2012-06-28 14:53 -------- d-----w- c:\program files\ESET
2012-06-28 13:24 . 2012-06-28 15:05 -------- d-----w- c:\programdata\F4D55F3B0001D22300000B25B4EB238B
2012-06-26 06:12 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C656B377-F783-4D5A-ADEB-C6CC4BC022DD}\mpengine.dll
2012-06-25 06:22 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-25 06:22 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-25 06:22 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-25 06:22 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 06:22 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-25 06:22 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-25 06:22 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 06:22 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-25 06:22 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\Application Updater
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\pdfforge Toolbar
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\Common Files\Spigot
2012-06-14 07:05 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:05 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-14 07:05 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 07:05 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 07:05 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 07:05 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 07:05 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 07:05 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:05 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:05 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-25 07:07 . 2012-05-25 07:07 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-07-01 1314816]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [2010-03-13 311680]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\sabre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpamPal.lnk - c:\program files\SpamPal\spampal.exe [2005-10-24 387616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-4-6 805392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0FO\adialhk.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [x]
S2 klnagent;Kaspersky Lab Network Agent;c:\program files\Kaspersky Lab\NetworkAgent 8\klnagent.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: agentware.net
Trusted Zone: sabre.com
Trusted Zone: servico.be\www
Trusted Zone: servico.be\www
TCP: Interfaces\{E5B51FF0-4D8E-467B-ACCF-5EDA45E6EDD4}: NameServer = 10.62.124.200,194.154.192.101
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3532)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-07-03 13:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-03 11:32
.
Pre-Run: 123 885 682 688 bytes free
Post-Run: 124 068 171 776 bytes free
.
- - End Of File - - 6D0BFA4E4960FA2EE01BE53F0B1D96FC

#8 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 July 2012 - 10:27 AM

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DirLook::

DirLook::
c:\programdata\F4D55F3B0001D22300000B25B4EB238B
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 jwh Bob

  • Topic Starter
  • Members
  • 71 posts
  • Gender:Male
  • Location:Luxembourg

Posted 03 July 2012 - 12:17 PM

Hi,
Ain't easy - here it comes:

ComboFix 12-07-02.01 - sabre 03/07/2012 17:54:19.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1977.1132 [GMT 2:00]
Running from: c:\users\sabre\Desktop\ComboFix.exe
Command switches used :: c:\users\sabre\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Enabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky Anti-Virus *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 )))))))))))))))))))))))))))))))
.
.
2012-07-03 15:59 . 2012-07-03 15:59 -------- d-----w- c:\users\Utilisateur\AppData\Local\temp
2012-07-03 15:59 . 2012-07-03 15:59 -------- d-----w- c:\users\manager\AppData\Local\temp
2012-07-03 15:59 . 2012-07-03 15:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-03 15:55 . 2012-07-03 15:55 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C656B377-F783-4D5A-ADEB-C6CC4BC022DD}\offreg.dll
2012-07-03 11:23 . 2012-07-03 15:59 -------- d-----w- c:\users\sabre\AppData\Local\temp
2012-07-02 01:08 . 2012-07-02 01:09 -------- d-----w- C:\FRST
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\users\sabre\AppData\Roaming\Malwarebytes
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-28 16:55 . 2012-06-28 16:55 -------- d-----w- c:\programdata\Malwarebytes
2012-06-28 16:55 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-28 14:53 . 2012-06-28 14:53 -------- d-----w- c:\program files\ESET
2012-06-28 13:24 . 2012-06-28 15:05 -------- d-----w- c:\programdata\F4D55F3B0001D22300000B25B4EB238B
2012-06-26 06:12 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C656B377-F783-4D5A-ADEB-C6CC4BC022DD}\mpengine.dll
2012-06-25 06:22 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-25 06:22 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-25 06:22 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-25 06:22 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 06:22 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-25 06:22 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-25 06:22 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 06:22 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-25 06:22 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\Application Updater
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\pdfforge Toolbar
2012-06-20 07:06 . 2012-06-20 07:06 -------- d-----w- c:\program files\Common Files\Spigot
2012-06-14 07:05 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 07:05 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-14 07:05 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 07:05 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 07:05 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 07:05 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 07:05 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 07:05 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 07:05 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 07:05 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-25 07:07 . 2012-05-25 07:07 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\F4D55F3B0001D22300000B25B4EB238B ----
.
2012-06-28 13:24 . 2012-06-28 13:33 848 ----a-w- c:\programdata\F4D55F3B0001D22300000B25B4EB238B\F4D55F3B0001D22300000B25B4EB238B
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-03_11.28.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-29 15:48 . 2012-07-03 15:49 33522 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-07-03 15:49 42076 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-08 14:30 . 2012-07-03 15:49 13204 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2510468370-1160216855-2732965767-1140_UserData.bin
- 2010-03-29 15:41 . 2012-07-03 11:25 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-29 15:41 . 2012-07-03 15:44 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-07-03 11:10 . 2012-07-03 11:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-03 15:44 . 2012-07-03 15:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-03 11:10 . 2012-07-03 11:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-03 15:44 . 2012-07-03 15:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-29 15:41 . 2012-07-03 15:44 835584 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-29 15:41 . 2012-07-03 11:25 835584 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2012-07-03 15:44 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2012-07-03 11:25 327680 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:47 . 2012-07-03 11:04 273876 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2012-07-03 11:48 273876 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-03-08 07:56 . 2012-07-03 11:48 13416100 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2510468370-1160216855-2732965767-1140-12288.dat
- 2012-03-08 07:56 . 2012-07-03 11:04 13416100 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2510468370-1160216855-2732965767-1140-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-07-01 1314816]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [2010-03-13 311680]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\sabre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpamPal.lnk - c:\program files\SpamPal\spampal.exe [2005-10-24 387616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-4-6 805392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0FO\adialhk.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [x]
S2 klnagent;Kaspersky Lab Network Agent;c:\program files\Kaspersky Lab\NetworkAgent 8\klnagent.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: agentware.net
Trusted Zone: sabre.com
Trusted Zone: servico.be\www
Trusted Zone: servico.be\www
TCP: Interfaces\{E5B51FF0-4D8E-467B-ACCF-5EDA45E6EDD4}: NameServer = 10.62.124.200,194.154.192.101
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2284)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2012-07-03 18:01:18
ComboFix-quarantined-files.txt 2012-07-03 16:01
ComboFix2.txt 2012-07-03 11:32
.
Pre-Run: 124 115 808 256 bytes free
Post-Run: 123 837 304 832 bytes free
.
- - End Of File - - 19782F354AA30A488C909E6774AF82F6
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.03.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
sabre :: S26 [administrator]

Protection: Enabled

03/07/2012 18:03:58
mbam-log-2012-07-03 (18-03-58).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 350507
Time elapsed: 56 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\FRST\Quarantine\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

#10 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 03 July 2012 - 12:23 PM

How is your computer running now? Please do this next:

Click Start > Run or press the Windows Key + R. Copy and paste the following text into the run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

Go to this link to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is your computer running now?
  • Program list
  • ESET log



#11 jwh Bob

  • Topic Starter
  • Members
  • 71 posts
  • Gender:Male
  • Location:Luxembourg

Posted 04 July 2012 - 07:02 AM

Hi,

as I didn't work on this PC before and now it is used only to do what you request, I don't know if it runs as fine as before. But, yes, no problems except this one, which has been blocked by Malwarebytes:

IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49447, Process: avp.exe)


Here are the logs:

ActivClient x86
Adobe Flash Player 10 ActiveX
BistroPortal
Caché in C:\CacheSys
CDDRV_Installer
Crystal Reports Basic Runtime for Visual Studio 2008
erLT
ESET Online Scanner v3
Eudora
Foxit Reader
Intel® Graphics Media Accelerator Driver
Intel® Active Management Technology
Java Auto Updater
Java™ 6 Update 18
Kaspersky Anti-Virus 6.0 for Windows Workstations
Kaspersky Lab Network Agent
KhalInstallWrapper
Logitech SetPoint
Logitech Updater
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 4 Client Profile
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
OpenOffice.org 3.2
Pdf995
PDFCreator
PdfEdit995
pdfforge Toolbar v5.9
Picasa 3
Sabre VPN
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
SoundMAX
SpamPal
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VPNPatch_
C:\FRST\Quarantine\services.exe Win32/Sirefef.FC trojan
C:\FRST\Quarantine\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\Users\sabre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3e13fa51-6913f333 Win32/TrojanDownloader.Vespula.AY trojan
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f855b39780499f4bb91083bb2dd5b11e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-28 03:36:44
# local_time=2012-06-28 05:36:44 (+0100, Romance Daylight Time)
# country="Luxembourg"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 67835925 67835925 0 0
# compatibility_mode=5893 16776574 66 94 5485 92526514 0 0
# compatibility_mode=8192 67108863 100 0 136 136 0 0
# scanned=138841
# found=71
# cleaned=70
# scan_time=2480
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R13SPMR.html HTML/Refresh.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R1J802Q.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R21T2BT.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R2NGBT4.zip Win32/Oficla.GN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R3IBDMQ.html HTML/Refresh.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R3L1PXL.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R3OD5S9.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R3PY1GW.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R3TJUC3.html probably a variant of Win32/Agent.LPBMWKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R46GLH6.html HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R4EOWT6.html probably a variant of Win32/Agent.LPBMWKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R4YLYS0.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R4Z7JO4.html HTML/Refresh.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R5HCCT9.zip Win32/TrojanDownloader.FakeAlert.AXP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R5WLVD2.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R5XWBSR.zip Win32/TrojanDownloader.FakeAlert.AXP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R6AEAIJ.html JS/Agent.NCM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R8IIUK0.html HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R8NRWJG.html HTML/Refresh.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R93U2TK.zip Win32/Oficla.GN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$R9IUR9N.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RA9M1TS.zip Win32/TrojanDownloader.FakeAlert.AXP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RAGCJ7Z.html probably a variant of Win32/Agent.MPCIHYG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RAX65JO.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RBJB7F7.html HTML/Refresh.AL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RCF6EYL.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RDXB16F.zip Win32/Oficla.GQ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$REJI1CB.zip Win32/TrojanDownloader.FakeAlert.AXP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RFODGYS.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RFZ1JFP.zip Win32/Spy.Zbot.JF trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RGGG9EJ.html HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RGR4YZC.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RGTH13B.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RH8Y4BU.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RHNU5R1.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RHVFXP7.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RKI9MNP.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RLL2J9C.zip a variant of Win32/Kryptik.FOA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RN37B1L.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RNSUMYI.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RO0YO9D.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RONJL29.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RP2E40W.html JS/TrojanDownloader.Pegel.BU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RPYJ3I0.html probably a variant of Win32/Agent.LPBMWKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RQPSCXK.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RQWWP0C.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RTCHXRA.zip Win32/Spy.Zbot.JF trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RTOZ3ZM.html probably a variant of Win32/Agent.LPBMWKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RTRZO2F.zip Win32/TrojanDownloader.Bredolab.AN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RTZJ4U5.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RU68SZS.html JS/TrojanDownloader.Agent.NVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RU6QTTO.zip a variant of Win32/Kryptik.HMA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RVDDHNM.zip Win32/Spy.Zbot.JF trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RVJCZ16.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RW6I524.htm JS/TrojanDownloader.Agent.NVD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RXWU1N7.html HTML/Refresh.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RYIX0WT.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RYLIVJC.jpg Win32/Oficla.GN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\$RECYCLE.BIN\S-1-5-21-2510468370-1160216855-2732965767-1140\$RZVI6OK.html JS/TrojanDownloader.Pegel.BR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\pdfforge Toolbar\IE\5.9\pdfforgeToolbarIE.dll a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\F4D55F3B0001D22300000B25B4EB238B\F4D55F3B0001D22300000B25B4EB238B.exe a variant of Win32/Kryptik.AHOA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\sabre\AppData\Local\Temp\25600029.exe a variant of Win32/Kryptik.AHOA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\sabre\AppData\Local\Temp\~!#7B3F.tmp a variant of Win32/Kryptik.AHNS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\sabre\AppData\Local\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\n a variant of Win32/Kryptik.AHNU trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\52f05.msi a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\n a variant of Win32/Kryptik.AHNU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ a variant of Win32/Sirefef.FA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\pdfforgeToolbar.exe Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} Win32/Sirefef.EV trojan 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f855b39780499f4bb91083bb2dd5b11e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-28 04:40:59
# local_time=2012-06-28 06:40:59 (+0100, Romance Daylight Time)
# country="Luxembourg"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 67838998 67838998 0 0
# compatibility_mode=5893 16776574 66 94 8558 92529587 0 0
# compatibility_mode=8192 67108863 100 0 3209 3209 0 0
# scanned=139270
# found=2
# cleaned=2
# scan_time=3263
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ a variant of Win32/Sirefef.FA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f855b39780499f4bb91083bb2dd5b11e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-03 06:32:23
# local_time=2012-07-03 08:32:23 (+0100, Romance Daylight Time)
# country="Luxembourg"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 68278302 68278302 0 0
# compatibility_mode=5893 16776573 100 94 306 92968891 0 0
# compatibility_mode=8192 67108863 100 0 442513 442513 0 0
# scanned=132457
# found=3
# cleaned=0
# scan_time=2644
C:\FRST\Quarantine\services.exe Win32/Sirefef.FC trojan (unable to clean) 00000000000000000000000000000000 I
C:\FRST\Quarantine\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ a variant of Win32/Sirefef.FA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\sabre\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3e13fa51-6913f333 Win32/TrojanDownloader.Vespula.AY trojan (unable to clean) 00000000000000000000000000000000 I

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:57 AM

Posted 05 July 2012 - 11:23 AM

How frequent are those IP blocks from MBAM? That IP address is registered to a web hosting organization in your town.

Otherwise your logs look good. All I have left for you is a software update and some very important cleanup measures that will remove those ESET detections as well:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Control Panel > Programs > Uninstall a program, and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name and select "uninstall".
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded.
Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • aswMBR
  • Delete the c:\FRST folder as well as all the FRST related files from your flash drive
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#13 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Location:Luxembourg
  • Local time:05:57 PM

Posted 05 July 2012 - 12:22 PM

Hi,

So far something regarding the IP blocks (I'll be back soon with the rest)


Oops, I should have checked myself who that IP is. Root s.a. is not our Internet provider, but maybe they are linked somehow with them?
Uses avp.exe from Kaspersky?
Very busy, much too busy for my feeling, and now no more action for over 10 minutes...
Here's the protection log:

2012/07/05 18:53:14 +0200 S26 sabre MESSAGE Starting protection
2012/07/05 18:53:16 +0200 S26 sabre MESSAGE Protection started successfully
2012/07/05 18:53:19 +0200 S26 sabre MESSAGE Starting IP protection
2012/07/05 18:53:20 +0200 S26 sabre MESSAGE IP Protection started successfully
2012/07/05 18:53:27 +0200 S26 sabre MESSAGE Executing scheduled update: Daily
2012/07/05 18:53:36 +0200 S26 sabre MESSAGE Starting database refresh
2012/07/05 18:53:36 +0200 S26 sabre MESSAGE Scheduled update executed successfully: database updated from version v2012.07.03.05 to version v2012.07.05.06
2012/07/05 18:53:36 +0200 S26 sabre MESSAGE Stopping IP protection
2012/07/05 18:54:59 +0200 S26 sabre MESSAGE IP Protection stopped
2012/07/05 18:55:01 +0200 S26 sabre MESSAGE Database refreshed successfully
2012/07/05 18:55:01 +0200 S26 sabre MESSAGE Starting IP protection
2012/07/05 18:55:02 +0200 S26 sabre MESSAGE IP Protection started successfully
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49448, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49449, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49452, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49453, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49467, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49466, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49470, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49471, Process: avp.exe)
2012/07/05 18:55:41 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49503, Process: avp.exe)
2012/07/05 18:55:41 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49505, Process: avp.exe)
2012/07/05 18:55:49 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49511, Process: avp.exe)
2012/07/05 18:55:49 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49513, Process: avp.exe)
2012/07/05 18:55:57 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49521, Process: avp.exe)
2012/07/05 18:55:57 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49523, Process: avp.exe)
2012/07/05 18:56:05 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49528, Process: avp.exe)
2012/07/05 18:56:05 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49530, Process: avp.exe)
2012/07/05 18:56:46 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49534, Process: avp.exe)
2012/07/05 18:56:46 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49536, Process: avp.exe)
2012/07/05 18:56:54 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49538, Process: avp.exe)
2012/07/05 18:56:54 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49540, Process: avp.exe)
2012/07/05 18:57:02 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49542, Process: avp.exe)
2012/07/05 18:57:02 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49544, Process: avp.exe)
2012/07/05 18:57:10 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49546, Process: avp.exe)
2012/07/05 18:57:10 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49548, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49612, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49614, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49618, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49617, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49621, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49622, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49624, Process: avp.exe)
2012/07/05 18:58:15 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49626, Process: avp.exe)
2012/07/05 19:01:51 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49628, Process: avp.exe)
2012/07/05 19:01:51 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49630, Process: avp.exe)
2012/07/05 19:01:59 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49632, Process: avp.exe)
2012/07/05 19:01:59 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49634, Process: avp.exe)
2012/07/05 19:01:59 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49636, Process: avp.exe)
2012/07/05 19:02:00 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49638, Process: avp.exe)
2012/07/05 19:02:16 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49640, Process: avp.exe)
2012/07/05 19:02:16 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49642, Process: avp.exe)
2012/07/05 19:03:36 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49689, Process: avp.exe)
2012/07/05 19:03:36 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49691, Process: avp.exe)
2012/07/05 19:03:36 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49693, Process: avp.exe)
2012/07/05 19:03:36 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49695, Process: avp.exe)
2012/07/05 19:09:21 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49825, Process: avp.exe)
2012/07/05 19:09:21 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49827, Process: avp.exe)
2012/07/05 19:10:25 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49843, Process: avp.exe)
2012/07/05 19:10:25 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49845, Process: avp.exe)

#14 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Location:Luxembourg
  • Local time:05:57 PM

Posted 05 July 2012 - 02:06 PM

Hi,

Did what you requested. Seems all is fine except this IP hammering on all doors.

I've installed Malwarebytes 28JUN but found the first activity in the protection logs on 03JUL. As you know I had to turn Malwarebytes down each time I did the scans, but in earlier logs like in this one:

2012/06/28 20:01:32 +0200 S26 sabre MESSAGE Starting protection
2012/06/28 20:01:34 +0200 S26 sabre MESSAGE Protection started successfully
2012/06/28 20:01:37 +0200 S26 sabre MESSAGE Starting IP protection
2012/06/28 20:01:37 +0200 S26 sabre ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/06/28 20:02:00 +0200 S26 sabre DETECTION C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ Rootkit.0Access QUARANTINE
2012/06/28 20:02:03 +0200 S26 sabre DETECTION C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\80000000.@ Trojan.Sirefef QUARANTINE
2012/06/28 20:05:01 +0200 S26 sabre MESSAGE Starting protection
2012/06/28 20:05:03 +0200 S26 sabre MESSAGE Protection started successfully
2012/06/28 20:05:06 +0200 S26 sabre MESSAGE Starting IP protection
2012/06/28 20:05:06 +0200 S26 sabre ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753


the IP protection fails.

Wondering if I shouldn't install something on another PC to see if there's the same behaviour.

Thanks again for getting me out of this mess

Bob
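The question raised earlier in the thread, how frequent the IP blocks are and which process triggers them, is easy to answer from the protection log once it is parsed rather than read by eye. The following Python script is an added example written for this page; it is not a tool from the thread or from Malwarebytes. It parses the four line kinds visible in the logs above (MESSAGE, ERROR, DETECTION and IP-BLOCK), counts blocks per destination IP and per process, measures the time span they cover, and pulls out the FwpmEngineOpen0 failures so that periods with no IP protection are obvious. The sample lines embedded in the script are copied, abridged, from the logs posted in this thread; the field labels (host, user, kind) are my own naming, since the log format does not document them.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines copied (abridged) from the MBAM protection logs
# posted in this thread. The log keeps one event per line.
SAMPLE_LOG = r"""
2012/06/28 20:01:32 +0200 S26 sabre MESSAGE Starting protection
2012/06/28 20:01:37 +0200 S26 sabre ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/06/28 20:02:00 +0200 S26 sabre DETECTION C:\Windows\Installer\{58a5fa40-1f89-a3f0-5a7c-fbfe742ecbda}\U\800000cb.@ Rootkit.0Access QUARANTINE
2012/07/05 18:55:02 +0200 S26 sabre MESSAGE IP Protection started successfully
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.170 (Type: outgoing, Port: 49448, Process: avp.exe)
2012/07/05 18:55:09 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49452, Process: avp.exe)
2012/07/05 18:55:49 +0200 S26 sabre IP-BLOCK 83.243.11.169 (Type: outgoing, Port: 49513, Process: avp.exe)
2012/07/05 19:10:25 +0200 S26 sabre IP-BLOCK 83.243.11.171 (Type: outgoing, Port: 49845, Process: avp.exe)
"""

# Common prefix: timestamp with UTC offset, host tag, user, event kind, free text.
# "host" and "user" are assumed labels for the "S26 sabre" fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) "
    r"(?P<kind>MESSAGE|ERROR|DETECTION|IP-BLOCK) (?P<detail>.*)$"
)

# Detail part of an IP-BLOCK line as shown in the thread.
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"),
        "host": m["host"],
        "user": m["user"],
        "kind": m["kind"],
        "detail": m["detail"],
    }
    if event["kind"] == "IP-BLOCK":
        b = BLOCK_RE.match(event["detail"])
        if b:
            event.update(ip=b["ip"], direction=b["direction"],
                         port=int(b["port"]), process=b["process"])
    elif event["kind"] == "DETECTION":
        # Path may contain spaces; threat name and action never do, so split from the right.
        parts = event["detail"].rsplit(" ", 2)
        if len(parts) == 3:
            event.update(path=parts[0], threat=parts[1], action=parts[2])
    return event


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize_blocks(events):
    """Aggregate IP-BLOCK events: totals per IP, per process, per direction, and time span."""
    blocks = [e for e in events if e["kind"] == "IP-BLOCK" and "ip" in e]
    summary = {
        "total": len(blocks),
        "by_ip": Counter(e["ip"] for e in blocks),
        "by_process": Counter(e["process"] for e in blocks),
        "directions": Counter(e["direction"] for e in blocks),
        "span_seconds": 0.0,
    }
    if blocks:
        times = [e["time"] for e in blocks]
        summary["span_seconds"] = (max(times) - min(times)).total_seconds()
    return summary


def ip_protection_failures(events):
    """Return the ERROR details that report IP protection not starting."""
    return [e["detail"] for e in events
            if e["kind"] == "ERROR" and e["detail"].startswith("IP protection failed")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize_blocks(evs)
    minutes = s["span_seconds"] / 60
    print(f"{s['total']} IP blocks over {minutes:.1f} minutes")
    for ip, n in s["by_ip"].most_common():
        print(f"  {ip}: {n}")
    print("by process:", dict(s["by_process"]), "direction:", dict(s["directions"]))
    for err in ip_protection_failures(evs):
        print("IP protection gap:", err)
```

Grouping by process is what answers the question in this thread: every block is outgoing and attributed to avp.exe, so the summary points at the security product's own update traffic rather than at inbound scanning, which is the distinction the next reply draws. The failure list matters for the same reason; blocks cannot appear in a period where FwpmEngineOpen0 failed, so an absence of IP-BLOCK lines on 28 June says nothing about whether the traffic existed then.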

#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:57 AM

Posted 06 July 2012 - 02:27 PM

Those blocks are outgoing, not incoming. I don't see anything in your logs that might account for that. Do you have software that may be calling home to check for updates or something similar?

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member






