ESET found U\80000000.@ a variant of Win32/Sirefef.FA trojan


This topic is locked.
20 replies to this topic

#1 AKMAN2011 (Members)

Posted 02 July 2012 - 12:32 AM

See previous thread and scans run:
http://www.bleepingcomputer.com/forums/topic458725.html/page__pid__2748161#entry2748161

DDS scan below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Daniel Wetherall at 21:22:37 on 2012-07-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.213 [GMT -8:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\AVG Secure Search\ScriptHelperInstaller\11.2.0\ScriptHelper.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={978F07EA-F83E-4FCF-822F-7A5B79E7F746}&mid=acfaf84e9d1a4b7d898db62e4b4ac0ea-bef42c023c6b2d4dfb70cc7ee3003f3163d89d9e&lang=en&ds=hk011&pr=sa&d=2012-06-30 19:51:05&v=11.1.0.12&sap=hp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.5.0.145\coIEPlg.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.napster.com/client/isetup.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{1FAD372E-9F27-43DF-9456-891AA8A66C64} : DhcpNameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{B7041A0D-15FC-497D-BE08-BF45F3E7840B} : DhcpNameServer = 209.165.131.12 209.165.131.13
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\daniel wetherall\application data\mozilla\firefox\profiles\m14p40hv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3106777&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3106777&SearchSource=13
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1306020.00a\symds.sys [2012-3-27 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1306020.00a\symefa.sys [2012-3-27 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-17 820856]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1306020.00a\ccsetx86.sys [2012-3-27 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1306020.00a\ironx86.sys [2012-3-27 149624]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-29 654408]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-12-12 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-12-12 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-12-12 484352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-27 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-29 22344]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-12-11 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-7 135664]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.6.2.10\ccsvchst.exe [2012-3-27 138232]
S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\11.2.0\ToolbarUpdater.exe [2012-6-30 935008]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 257696]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\drivers\camdrv41.sys [2009-12-14 1239552]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-7 135664]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20120327.002\IDSXpx86.sys [2012-3-27 356280]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20120327.008\NAVENG.SYS [2012-3-27 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20120327.008\NAVEX15.SYS [2012-3-27 1576312]
S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [2012-3-26 128248]
S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [2012-3-26 108800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 DiskDoctorService;Norton Disk Doctor Service;c:\program files\norton utilities 15\tools\disk doctor\DiskDoctorSrv.exe [2012-3-26 1029480]
S4 SpeedDiskService;Norton SpeedDisk Service;c:\program files\norton utilities 15\tools\speeddisk\SpeedDiskSrv.exe [2012-3-26 1037672]
.
=============== Created Last 30 ================
.
2012-07-01 03:58:35 -------- d-----w- c:\documents and settings\daniel wetherall\local settings\application data\WinZip
2012-07-01 03:51:28 -------- d-----w- c:\documents and settings\daniel wetherall\local settings\application data\AVG Secure Search
2012-07-01 03:51:06 -------- d-----w- c:\documents and settings\daniel wetherall\application data\AVG Secure Search
2012-07-01 03:51:03 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-07-01 03:50:58 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-07-01 03:50:56 -------- d-----w- c:\program files\AVG Secure Search
2012-06-30 02:51:53 -------- d-----w- c:\documents and settings\daniel wetherall\application data\Malwarebytes
2012-06-30 02:51:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-30 02:51:25 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 02:51:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-29 05:46:42 163840 ----a-w- c:\windows\system32\igfxres.dll
2012-06-29 05:36:50 2192640 ----a-w- c:\windows\system32\OLD2.tmp
2012-06-29 03:57:01 -------- d-----w- c:\documents and settings\daniel wetherall\local settings\application data\NPE
2012-06-14 01:20:39 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M ====================
.
2012-06-02 23:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 23:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 23:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 23:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 23:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 23:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 23:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 23:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 15:55:26 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 15:55:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 21:25:23.30 ===============


#2 AKMAN2011 (Topic Starter)

Posted 02 July 2012 - 03:15 AM

GMER crashed. Will try a reboot and then rerun it. By the way, defogger was not run during the scans in the last thread.

#3 AKMAN2011 (Topic Starter)

Posted 02 July 2012 - 09:47 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-02 06:45:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6E040L0 rev.NAR61590
Running: e96346gs.exe; Driver: C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 86D42628 ZwAlertResumeThread
SSDT 86D426E8 ZwAlertThread
SSDT 86D403C0 ZwAllocateVirtualMemory
SSDT 86D443D8 ZwAssignProcessToJobObject
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEDF8ED40]
SSDT 86D43670 ZwCreateMutant
SSDT 86D44B28 ZwCreateSymbolicLinkObject
SSDT 86FF8460 ZwCreateThread
SSDT 86D44498 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEDF8EFC0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEDF8F680]
SSDT 86D482E8 ZwDuplicateObject
SSDT 86D5C2B0 ZwFreeVirtualMemory
SSDT 86D43358 ZwImpersonateAnonymousToken
SSDT 86D43438 ZwImpersonateThread
SSDT 86D43B28 ZwLoadDriver
SSDT 86D5C1D0 ZwMapViewOfSection
SSDT 86D435D0 ZwOpenEvent
SSDT 86DB3320 ZwOpenProcess
SSDT 86FD59B0 ZwOpenProcessToken
SSDT 86D43C08 ZwOpenSection
SSDT 86DB3250 ZwOpenThread
SSDT 86D44BF8 ZwProtectVirtualMemory
SSDT 86D41E10 ZwResumeThread
SSDT 86D50F08 ZwSetContextThread
SSDT 86DAEDB8 ZwSetInformationProcess
SSDT 86D43E50 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEDF8F910]
SSDT 86D438D0 ZwSuspendProcess
SSDT 86DAED80 ZwSuspendThread
SSDT 87042308 ZwTerminateProcess
SSDT 86D54958 ZwTerminateThread
SSDT 86E5DC98 ZwUnmapViewOfSection
SSDT 86E36F38 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 15C 804E27C8 4 Bytes [E8, 82, D4, 86]
? riakkii.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\pxtdapob.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[428] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[528] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore@Count 17985

---- EOF - GMER 1.0.15 ----

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 02 July 2012 - 11:19 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts
  • Local time:11:23 AM

Posted 03 July 2012 - 02:25 AM

Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
AVG Security Toolbar
ESET Online Scanner v3
OneCare Advisor (Windows Live Toolbar)
Norton Internet Security
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 30
Java version out of Date!
Mozilla Firefox (8.0.1)
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
BillP Studios WinPatrol winpatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 13% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 03 July 2012 - 02:48 AM

very good - now I would like to see the combofix report


gringo

#7 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts
  • Local time:11:23 AM

Posted 03 July 2012 - 11:01 AM

Had a hard time 'turning off' anti software in order to run combofix. MBAM locked up computer; had to force reboot; then wouldn't reboot due to an INFO txtsetup.sif status 14 problem. Got through that then Norton Internet Security was completely unresponsive. I didn't see a process running but combofix complained. Double clicking icons and tabs did nothing although the pop up menu came up. The only tab that worked was uninstall. I ended up having to uninstall NIS and Norton Utility Tools to be safe. Combofix still complained but I ran it anyways. Log attached:


ComboFix 12-07-02.01 - Daniel 07/03/2012 0:51.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.317 [GMT -8:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Daniel\Application Data\1F6600
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\@
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\L\00000004.@
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\L\201d3dde
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\L\55490ac4
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\00000004.@
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\000000cb.@
c:\windows\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\80000032.@
c:\windows\system32\OLD2.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 )))))))))))))))))))))))))))))))
.
.
2012-07-01 03:58 . 2012-07-01 03:58 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\WinZip
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\AVG Secure Search
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\Daniel\Application Data\AVG Secure Search
2012-07-01 03:51 . 2012-07-01 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-07-01 03:50 . 2012-07-01 03:51 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-07-01 03:50 . 2012-07-01 03:51 -------- d-----w- c:\program files\AVG Secure Search
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-30 02:51 . 2012-04-04 23:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 05:46 . 2005-06-22 08:43 163840 ----a-w- c:\windows\system32\igfxres.dll
2012-06-29 03:57 . 2012-06-29 03:57 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\NPE
2012-06-27 05:37 . 2012-06-27 05:37 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-06-14 01:20 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 23:19 . 2007-06-08 00:19 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 23:19 . 2007-06-08 00:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 23:19 . 2004-08-26 05:34 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 23:19 . 2004-08-26 05:34 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 23:19 . 2004-08-26 05:34 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 23:19 . 2007-06-08 00:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 23:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 23:19 . 2004-08-26 05:34 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 23:19 . 2002-08-29 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 23:19 . 2002-08-29 11:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 23:19 . 2007-06-08 00:19 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 23:19 . 2004-08-26 05:34 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 23:19 . 2002-08-29 11:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 23:18 . 2007-06-11 18:41 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 23:18 . 2006-11-03 13:21 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 23:18 . 2006-11-03 13:21 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2003-03-20 22:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-02-07 02:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-29 11:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 15:55 . 2012-04-12 15:46 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 15:55 . 2011-05-23 04:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 13:12 . 1980-01-01 06:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 1980-01-01 06:00 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2002-08-29 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-11-21 04:04 . 2011-12-14 08:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-01 03:50 2074208 ----a-w- c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-01 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-01 1107552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/29/2012 6:51 PM 654408]
R2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [6/30/2012 7:51 PM 935008]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [12/12/2011 1:24 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [12/12/2011 1:24 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [12/12/2011 1:25 AM 484352]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [6/29/2012 6:51 PM 22344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/7/2009 11:39 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 7:46 AM 257696]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\SYSTEM32\DRIVERS\camdrv41.sys [12/14/2009 12:47 AM 1239552]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/7/2009 11:39 AM 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [12/11/2011 8:20 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 15:55]
.
2012-07-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 20:20]
.
2012-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 06:17]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-07-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-07-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-07-03 c:\windows\Tasks\User_Feed_Synchronization-{AAC5E664-32BC-4EF2-941E-1ED90989F9D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://isearch.avg.com/?cid={978F07EA-F83E-4FCF-822F-7A5B79E7F746}&mid=acfaf84e9d1a4b7d898db62e4b4ac0ea-bef42c023c6b2d4dfb70cc7ee3003f3163d89d9e&lang=en&ds=hk011&pr=sa&d=2012-06-30 19:51&v=11.1.0.12&sap=hp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Daniel Wetherall\Application Data\Mozilla\Firefox\Profiles\m14p40hv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3106777&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com?cid=%7Bda32c06b-0349-4f7a-98ec-4a7a0da5e6d1%7D&mid=acfaf84e9d1a4b7d898db62e4b4ac0ea-bef42c023c6b2d4dfb70cc7ee3003f3163d89d9e&ds=hk011&v=11.1.0.12&lang=en&pr=sa&d=2012-06-30%2019%3A51%3A05&sap=hp
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-03 01:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2425240458-456833205-2956304666-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-07-03 01:25:37
ComboFix-quarantined-files.txt 2012-07-03 09:25
.
Pre-Run: 11,544,748,032 bytes free
Post-Run: 12,128,620,544 bytes free
.
- - End Of File - - 1BCF28754BABE3221A742FCF646172F4

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:23 PM

Posted 03 July 2012 - 01:30 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#9 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts
  • Local time:11:23 AM

Posted 04 July 2012 - 01:20 AM

Having problems with aswMBR crashing. Attached is the TDS log.

22:17:53.0610 3344 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
22:17:54.0221 3344 ============================================================
22:17:54.0221 3344 Current date / time: 2012/07/03 22:17:54.0221
22:17:54.0221 3344 SystemInfo:
22:17:54.0221 3344
22:17:54.0221 3344 OS Version: 5.1.2600 ServicePack: 3.0
22:17:54.0221 3344 Product type: Workstation
22:17:54.0221 3344 ComputerName: DAN
22:17:54.0221 3344 UserName: Daniel Wetherall
22:17:54.0221 3344 Windows directory: C:\WINDOWS
22:17:54.0221 3344 System windows directory: C:\WINDOWS
22:17:54.0221 3344 Processor architecture: Intel x86
22:17:54.0221 3344 Number of processors: 1
22:17:54.0221 3344 Page size: 0x1000
22:17:54.0221 3344 Boot type: Normal boot
22:17:54.0221 3344 ============================================================
22:17:59.0669 3344 Drive \Device\Harddisk0\DR0 - Size: 0x9925B0000 (38.29 Gb), SectorSize: 0x200, Cylinders: 0x1386, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:17:59.0719 3344 ============================================================
22:17:59.0719 3344 \Device\Harddisk0\DR0:
22:17:59.0719 3344 MBR partitions:
22:17:59.0719 3344 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x4C7F241
22:17:59.0719 3344 ============================================================
22:17:59.0809 3344 C: <-> \Device\Harddisk0\DR0\Partition0
22:17:59.0889 3344 ============================================================
22:17:59.0889 3344 Initialize success
22:17:59.0889 3344 ============================================================
22:18:03.0604 2420 ============================================================
22:18:03.0604 2420 Scan started
22:18:03.0604 2420 Mode: Manual;
22:18:03.0604 2420 ============================================================
22:18:04.0946 2420 Abiosdsk - ok
22:18:05.0016 2420 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
22:18:05.0026 2420 abp480n5 - ok
22:18:05.0127 2420 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:18:05.0177 2420 ACPI - ok
22:18:05.0237 2420 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:18:05.0237 2420 ACPIEC - ok
22:18:05.0918 2420 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
22:18:05.0988 2420 AdobeFlashPlayerUpdateSvc - ok
22:18:06.0358 2420 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
22:18:06.0509 2420 adpu160m - ok
22:18:06.0649 2420 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
22:18:06.0669 2420 aeaudio - ok
22:18:06.0879 2420 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:18:06.0929 2420 aec - ok
22:18:07.0200 2420 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:18:07.0250 2420 AFD - ok
22:18:07.0440 2420 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
22:18:07.0450 2420 agp440 - ok
22:18:07.0580 2420 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
22:18:07.0720 2420 agpCPQ - ok
22:18:07.0901 2420 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
22:18:07.0971 2420 Aha154x - ok
22:18:08.0081 2420 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
22:18:08.0101 2420 aic78u2 - ok
22:18:08.0351 2420 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
22:18:08.0541 2420 aic78xx - ok
22:18:08.0732 2420 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
22:18:08.0822 2420 Alerter - ok
22:18:09.0022 2420 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
22:18:09.0072 2420 ALG - ok
22:18:09.0202 2420 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
22:18:09.0313 2420 AliIde - ok
22:18:09.0523 2420 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
22:18:09.0623 2420 alim1541 - ok
22:18:09.0723 2420 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
22:18:09.0783 2420 amdagp - ok
22:18:09.0853 2420 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
22:18:09.0853 2420 amsint - ok
22:18:10.0885 2420 AOL ACS (c4d9f3f3678d03f9f43bd8749632a298) C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
22:18:11.0516 2420 AOL ACS - ok
22:18:11.0946 2420 AppMgmt - ok
22:18:12.0087 2420 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
22:18:12.0097 2420 asc - ok
22:18:12.0137 2420 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
22:18:12.0147 2420 asc3350p - ok
22:18:12.0207 2420 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
22:18:12.0207 2420 asc3550 - ok
22:18:12.0367 2420 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
22:18:12.0497 2420 aspnet_state - ok
22:18:12.0557 2420 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:18:12.0557 2420 AsyncMac - ok
22:18:12.0617 2420 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:18:12.0617 2420 atapi - ok
22:18:12.0637 2420 Atdisk - ok
22:18:12.0687 2420 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:18:12.0717 2420 Atmarpc - ok
22:18:12.0768 2420 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
22:18:12.0778 2420 AudioSrv - ok
22:18:12.0838 2420 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:18:12.0838 2420 audstub - ok
22:18:12.0898 2420 bcm4sbxp (068523d2cd260069b19ad68adea0d739) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
22:18:12.0918 2420 bcm4sbxp - ok
22:18:13.0358 2420 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
22:18:13.0719 2420 BCMModem - ok
22:18:13.0779 2420 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:18:13.0779 2420 Beep - ok
22:18:13.0969 2420 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
22:18:14.0099 2420 BITS - ok
22:18:14.0170 2420 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
22:18:14.0200 2420 Browser - ok
22:18:14.0220 2420 bvrp_pci - ok
22:18:14.0700 2420 camvid40 (ca6adc35527d3ae877624997049f1fab) C:\WINDOWS\system32\DRIVERS\camdrv41.sys
22:18:15.0141 2420 camvid40 - ok
22:18:15.0251 2420 catchme - ok
22:18:15.0672 2420 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
22:18:15.0682 2420 cbidf - ok
22:18:15.0692 2420 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:18:15.0692 2420 cbidf2k - ok
22:18:15.0742 2420 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:18:15.0752 2420 CCDECODE - ok
22:18:15.0812 2420 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
22:18:15.0822 2420 cd20xrnt - ok
22:18:15.0852 2420 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:18:15.0862 2420 Cdaudio - ok
22:18:15.0922 2420 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:18:15.0952 2420 Cdfs - ok
22:18:16.0002 2420 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
22:18:16.0002 2420 Cdr4_xp - ok
22:18:16.0012 2420 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
22:18:16.0022 2420 Cdralw2k - ok
22:18:16.0052 2420 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
22:18:16.0062 2420 cdrbsdrv - ok
22:18:16.0122 2420 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:18:16.0142 2420 Cdrom - ok
22:18:16.0172 2420 Changer - ok
22:18:16.0233 2420 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
22:18:16.0233 2420 CiSvc - ok
22:18:16.0353 2420 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
22:18:16.0363 2420 ClipSrv - ok
22:18:16.0513 2420 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:18:16.0713 2420 clr_optimization_v2.0.50727_32 - ok
22:18:16.0843 2420 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
22:18:16.0903 2420 clr_optimization_v4.0.30319_32 - ok
22:18:16.0974 2420 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
22:18:16.0974 2420 CmdIde - ok
22:18:16.0984 2420 COMSysApp - ok
22:18:17.0034 2420 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
22:18:17.0034 2420 Cpqarray - ok
22:18:17.0104 2420 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
22:18:17.0134 2420 CryptSvc - ok
22:18:17.0254 2420 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
22:18:17.0324 2420 dac2w2k - ok
22:18:17.0374 2420 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
22:18:17.0374 2420 dac960nt - ok
22:18:17.0554 2420 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
22:18:17.0685 2420 DcomLaunch - ok
22:18:17.0775 2420 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
22:18:17.0825 2420 Dhcp - ok
22:18:17.0865 2420 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:18:17.0885 2420 Disk - ok
22:18:17.0905 2420 dmadmin - ok
22:18:18.0225 2420 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:18:18.0506 2420 dmboot - ok
22:18:18.0576 2420 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:18:18.0626 2420 dmio - ok
22:18:18.0696 2420 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:18:18.0696 2420 dmload - ok
22:18:18.0746 2420 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
22:18:18.0766 2420 dmserver - ok
22:18:18.0816 2420 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:18:18.0846 2420 DMusic - ok
22:18:18.0896 2420 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
22:18:18.0926 2420 Dnscache - ok
22:18:19.0017 2420 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
22:18:19.0067 2420 Dot3svc - ok
22:18:19.0137 2420 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
22:18:19.0137 2420 dpti2o - ok
22:18:19.0217 2420 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:18:19.0217 2420 drmkaud - ok
22:18:19.0297 2420 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys
22:18:19.0327 2420 drvmcdb - ok
22:18:19.0367 2420 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys
22:18:19.0377 2420 drvnddm - ok
22:18:19.0537 2420 DSBrokerService (fe80901578e7e3da70299a5aeb2b7fbd) C:\Program Files\DellSupport\brkrsvc.exe
22:18:19.0557 2420 DSBrokerService - ok
22:18:19.0617 2420 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
22:18:19.0627 2420 DSproct - ok
22:18:19.0697 2420 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
22:18:19.0708 2420 dsunidrv - ok
22:18:19.0788 2420 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
22:18:19.0798 2420 EapHost - ok
22:18:19.0858 2420 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
22:18:19.0888 2420 EL90XBC - ok
22:18:19.0948 2420 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
22:18:19.0958 2420 ERSvc - ok
22:18:20.0038 2420 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:18:20.0088 2420 Eventlog - ok
22:18:20.0328 2420 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
22:18:20.0639 2420 EventSystem - ok
22:18:20.0749 2420 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:18:20.0799 2420 Fastfat - ok
22:18:20.0879 2420 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:18:20.0929 2420 FastUserSwitchingCompatibility - ok
22:18:21.0069 2420 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
22:18:21.0160 2420 Fax - ok
22:18:21.0230 2420 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:18:21.0250 2420 Fdc - ok
22:18:21.0310 2420 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:18:21.0330 2420 Fips - ok
22:18:21.0360 2420 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:18:21.0360 2420 Flpydisk - ok
22:18:21.0440 2420 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:18:21.0490 2420 FltMgr - ok
22:18:21.0630 2420 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
22:18:21.0660 2420 FontCache3.0.0.0 - ok
22:18:21.0720 2420 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:18:21.0730 2420 Fs_Rec - ok
22:18:21.0831 2420 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:18:21.0881 2420 Ftdisk - ok
22:18:21.0931 2420 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:18:21.0951 2420 Gpc - ok
22:18:21.0991 2420 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys
22:18:22.0001 2420 grmnusb - ok
22:18:22.0191 2420 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
22:18:22.0251 2420 gupdate - ok
22:18:22.0261 2420 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
22:18:22.0271 2420 gupdatem - ok
22:18:22.0431 2420 gusvc (408ddd80eede47175f6844817b90213e) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
22:18:22.0492 2420 gusvc - ok
22:18:22.0592 2420 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:18:22.0602 2420 helpsvc - ok
22:18:22.0632 2420 HidServ - ok
22:18:22.0672 2420 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:18:22.0672 2420 HidUsb - ok
22:18:22.0742 2420 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
22:18:22.0762 2420 hkmsvc - ok
22:18:22.0822 2420 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
22:18:22.0842 2420 hpn - ok
22:18:22.0892 2420 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
22:18:22.0922 2420 HPZid412 - ok
22:18:22.0952 2420 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
22:18:22.0962 2420 HPZipr12 - ok
22:18:22.0982 2420 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
22:18:22.0992 2420 HPZius12 - ok
22:18:23.0122 2420 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:18:23.0213 2420 HTTP - ok
22:18:23.0273 2420 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
22:18:23.0273 2420 HTTPFilter - ok
22:18:23.0333 2420 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
22:18:23.0343 2420 i2omgmt - ok
22:18:23.0373 2420 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
22:18:23.0383 2420 i2omp - ok
22:18:23.0423 2420 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:18:23.0443 2420 i8042prt - ok
22:18:23.0543 2420 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
22:18:23.0603 2420 i81x - ok
22:18:23.0653 2420 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
22:18:23.0663 2420 iAimFP0 - ok
22:18:23.0673 2420 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
22:18:23.0683 2420 iAimFP1 - ok
22:18:23.0703 2420 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
22:18:23.0703 2420 iAimFP2 - ok
22:18:23.0753 2420 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
22:18:23.0763 2420 iAimFP3 - ok
22:18:23.0803 2420 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
22:18:23.0813 2420 iAimFP4 - ok
22:18:23.0884 2420 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
22:18:23.0904 2420 iAimTV0 - ok
22:18:23.0934 2420 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
22:18:23.0944 2420 iAimTV1 - ok
22:18:23.0964 2420 iAimTV2 - ok
22:18:23.0994 2420 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
22:18:24.0014 2420 iAimTV3 - ok
22:18:24.0034 2420 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
22:18:24.0054 2420 iAimTV4 - ok
22:18:24.0374 2420 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:18:24.0895 2420 ialm - ok
22:18:25.0095 2420 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
22:18:25.0115 2420 IDriverT - ok
22:18:25.0566 2420 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
22:18:25.0866 2420 idsvc - ok
22:18:26.0167 2420 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:18:26.0217 2420 Imapi - ok
22:18:26.0357 2420 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
22:18:26.0417 2420 ImapiService - ok
22:18:26.0497 2420 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
22:18:26.0507 2420 ini910u - ok
22:18:26.0547 2420 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
22:18:26.0547 2420 IntelIde - ok
22:18:26.0597 2420 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:18:26.0617 2420 intelppm - ok
22:18:26.0748 2420 IntuitUpdateService (3dc635b66dd7412e1c9c3a77b8d78f25) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
22:18:26.0758 2420 IntuitUpdateService - ok
22:18:26.0818 2420 IntuitUpdateServiceV4 (1663a135865f0ba6e853353e98e67f2a) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
22:18:26.0818 2420 IntuitUpdateServiceV4 - ok
22:18:26.0868 2420 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:18:26.0878 2420 ip6fw - ok
22:18:26.0938 2420 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:18:26.0958 2420 IpFilterDriver - ok
22:18:26.0978 2420 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:18:26.0998 2420 IpInIp - ok
22:18:27.0088 2420 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:18:27.0148 2420 IpNat - ok
22:18:27.0208 2420 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:18:27.0238 2420 IPSec - ok
22:18:27.0298 2420 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:18:27.0308 2420 IRENUM - ok
22:18:27.0369 2420 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:18:27.0379 2420 isapnp - ok
22:18:27.0549 2420 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
22:18:27.0599 2420 JavaQuickStarterService - ok
22:18:27.0659 2420 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:18:27.0669 2420 Kbdclass - ok
22:18:27.0719 2420 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:18:27.0729 2420 kbdhid - ok
22:18:27.0809 2420 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:18:27.0809 2420 kmixer - ok
22:18:27.0879 2420 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:18:27.0919 2420 KSecDD - ok
22:18:27.0989 2420 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
22:18:28.0019 2420 lanmanserver - ok
22:18:28.0110 2420 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
22:18:28.0150 2420 lanmanworkstation - ok
22:18:28.0170 2420 lbrtfdc - ok
22:18:28.0250 2420 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
22:18:28.0250 2420 LmHosts - ok
22:18:28.0290 2420 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
22:18:28.0310 2420 MBAMProtector - ok
22:18:28.0570 2420 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
22:18:28.0781 2420 MBAMService - ok
22:18:28.0791 2420 McShield - ok
22:18:28.0811 2420 MCSTRM - ok
22:18:28.0821 2420 McSysmon - ok
22:18:29.0031 2420 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
22:18:29.0131 2420 MDM - ok
22:18:29.0231 2420 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
22:18:29.0241 2420 Messenger - ok
22:18:29.0301 2420 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:18:29.0301 2420 mnmdd - ok
22:18:29.0361 2420 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
22:18:29.0371 2420 mnmsrvc - ok
22:18:29.0442 2420 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:18:29.0452 2420 Modem - ok
22:18:29.0532 2420 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
22:18:29.0532 2420 MODEMCSA - ok
22:18:29.0582 2420 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:18:29.0602 2420 Mouclass - ok
22:18:29.0642 2420 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:18:29.0642 2420 mouhid - ok
22:18:29.0702 2420 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:18:29.0732 2420 MountMgr - ok
22:18:29.0802 2420 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
22:18:29.0802 2420 mraid35x - ok
22:18:29.0902 2420 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:18:29.0962 2420 MRxDAV - ok
22:18:30.0173 2420 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:18:30.0343 2420 MRxSmb - ok
22:18:30.0393 2420 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
22:18:30.0393 2420 MSDTC - ok
22:18:30.0473 2420 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:18:30.0473 2420 Msfs - ok
22:18:30.0493 2420 MSIServer - ok
22:18:30.0523 2420 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:18:30.0523 2420 MSKSSRV - ok
22:18:30.0563 2420 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:18:30.0563 2420 MSPCLOCK - ok
22:18:30.0603 2420 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:18:30.0603 2420 MSPQM - ok
22:18:30.0653 2420 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:18:30.0663 2420 mssmbios - ok
22:18:30.0703 2420 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:18:30.0703 2420 MSTEE - ok
22:18:30.0783 2420 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:18:30.0823 2420 Mup - ok
22:18:30.0884 2420 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:18:30.0924 2420 NABTSFEC - ok
22:18:31.0064 2420 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
22:18:31.0164 2420 napagent - ok
22:18:31.0264 2420 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:18:31.0324 2420 NDIS - ok
22:18:31.0384 2420 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:18:31.0384 2420 NdisIP - ok
22:18:31.0414 2420 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:18:31.0424 2420 NdisTapi - ok
22:18:31.0444 2420 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:18:31.0454 2420 Ndisuio - ok
22:18:31.0525 2420 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:18:31.0555 2420 NdisWan - ok
22:18:31.0605 2420 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:18:31.0615 2420 NDProxy - ok
22:18:31.0675 2420 Net Driver HPZ12 (9eac175ba34898308620c1984c881845) C:\WINDOWS\system32\HPZinw12.dll
22:18:31.0695 2420 Net Driver HPZ12 - ok
22:18:31.0755 2420 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:18:31.0765 2420 NetBIOS - ok
22:18:31.0845 2420 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:18:31.0905 2420 NetBT - ok
22:18:31.0995 2420 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:18:32.0035 2420 NetDDE - ok
22:18:32.0045 2420 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:18:32.0045 2420 NetDDEdsdm - ok
22:18:32.0105 2420 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:18:32.0105 2420 Netlogon - ok
22:18:32.0226 2420 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
22:18:32.0316 2420 Netman - ok
22:18:32.0496 2420 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
22:18:32.0546 2420 NetTcpPortSharing - ok
22:18:32.0676 2420 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
22:18:32.0756 2420 Nla - ok
22:18:32.0816 2420 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:18:32.0826 2420 Npfs - ok
22:18:33.0047 2420 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:18:33.0237 2420 Ntfs - ok
22:18:33.0307 2420 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
22:18:33.0307 2420 NtLmSsp - ok
22:18:33.0547 2420 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
22:18:33.0678 2420 NtmsSvc - ok
22:18:33.0738 2420 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:18:33.0738 2420 Null - ok
22:18:34.0559 2420 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:18:35.0230 2420 nv - ok
22:18:35.0670 2420 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:18:35.0670 2420 NwlnkFlt - ok
22:18:35.0711 2420 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:18:35.0721 2420 NwlnkFwd - ok
22:18:35.0791 2420 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
22:18:35.0791 2420 omci - ok
22:18:35.0931 2420 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
22:18:35.0961 2420 ose - ok
22:18:36.0031 2420 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
22:18:36.0041 2420 P3 - ok
22:18:36.0101 2420 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:18:36.0131 2420 Parport - ok
22:18:36.0181 2420 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:18:36.0191 2420 PartMgr - ok
22:18:36.0261 2420 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:18:36.0261 2420 ParVdm - ok
22:18:36.0331 2420 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:18:36.0351 2420 PCI - ok
22:18:36.0371 2420 PCIDump - ok
22:18:36.0432 2420 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:18:36.0432 2420 PCIIde - ok
22:18:36.0522 2420 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:18:36.0562 2420 Pcmcia - ok
22:18:36.0582 2420 PDCOMP - ok
22:18:36.0602 2420 PDFRAME - ok
22:18:36.0612 2420 PDRELI - ok
22:18:36.0632 2420 PDRFRAME - ok
22:18:36.0702 2420 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
22:18:36.0712 2420 perc2 - ok
22:18:36.0742 2420 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
22:18:36.0742 2420 perc2hib - ok
22:18:36.0832 2420 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:18:36.0842 2420 PlugPlay - ok
22:18:36.0902 2420 Pml Driver HPZ12 (75cf9de0a67af916ed591743dfb69694) C:\WINDOWS\system32\HPZipm12.dll
22:18:36.0922 2420 Pml Driver HPZ12 - ok
22:18:36.0972 2420 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:18:36.0972 2420 PolicyAgent - ok
22:18:37.0022 2420 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:18:37.0042 2420 PptpMiniport - ok
22:18:37.0082 2420 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:18:37.0103 2420 Processor - ok
22:18:37.0113 2420 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:18:37.0113 2420 ProtectedStorage - ok
22:18:37.0173 2420 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:18:37.0193 2420 PSched - ok
22:18:37.0273 2420 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:18:37.0283 2420 Ptilink - ok
22:18:37.0343 2420 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
22:18:37.0353 2420 PxHelp20 - ok
22:18:37.0413 2420 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
22:18:37.0433 2420 ql1080 - ok
22:18:37.0463 2420 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
22:18:37.0483 2420 Ql10wnt - ok
22:18:37.0513 2420 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
22:18:37.0543 2420 ql12160 - ok
22:18:37.0613 2420 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
22:18:37.0633 2420 ql1240 - ok
22:18:37.0673 2420 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
22:18:37.0693 2420 ql1280 - ok
22:18:37.0753 2420 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:18:37.0763 2420 RasAcd - ok
22:18:37.0844 2420 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
22:18:37.0874 2420 RasAuto - ok
22:18:37.0944 2420 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:18:37.0964 2420 Rasl2tp - ok
22:18:38.0084 2420 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
22:18:38.0144 2420 RasMan - ok
22:18:38.0194 2420 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:18:38.0204 2420 RasPppoe - ok
22:18:38.0284 2420 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:18:38.0294 2420 Raspti - ok
22:18:38.0394 2420 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:18:38.0454 2420 Rdbss - ok
22:18:38.0474 2420 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:18:38.0474 2420 RDPCDD - ok
22:18:38.0585 2420 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:18:38.0645 2420 rdpdr - ok
22:18:38.0755 2420 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
22:18:38.0805 2420 RDPWD - ok
22:18:38.0905 2420 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
22:18:38.0955 2420 RDSessMgr - ok
22:18:39.0025 2420 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:18:39.0055 2420 redbook - ok
22:18:39.0125 2420 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
22:18:39.0145 2420 RemoteAccess - ok
22:18:39.0246 2420 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
22:18:39.0276 2420 RpcLocator - ok
22:18:39.0446 2420 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
22:18:39.0456 2420 RpcSs - ok
22:18:39.0586 2420 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
22:18:39.0636 2420 RSVP - ok
22:18:39.0686 2420 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:18:39.0686 2420 SamSs - ok
22:18:39.0786 2420 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
22:18:39.0816 2420 SCardSvr - ok
22:18:39.0937 2420 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
22:18:39.0997 2420 Schedule - ok
22:18:40.0057 2420 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:18:40.0067 2420 Secdrv - ok
22:18:40.0127 2420 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
22:18:40.0127 2420 seclogon - ok
22:18:40.0177 2420 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
22:18:40.0197 2420 SENS - ok
22:18:40.0267 2420 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:18:40.0277 2420 serenum - ok
22:18:40.0337 2420 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:18:40.0357 2420 Serial - ok
22:18:40.0437 2420 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:18:40.0437 2420 Sfloppy - ok
22:18:40.0598 2420 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
22:18:40.0708 2420 SharedAccess - ok
22:18:40.0788 2420 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:18:40.0788 2420 ShellHWDetection - ok
22:18:40.0808 2420 Simbad - ok
22:18:40.0878 2420 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
22:18:40.0898 2420 sisagp - ok
22:18:40.0978 2420 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:18:40.0978 2420 SLIP - ok
22:18:41.0228 2420 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
22:18:41.0429 2420 smwdm - ok
22:18:41.0489 2420 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
22:18:41.0499 2420 Sparrow - ok
22:18:41.0549 2420 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:18:41.0549 2420 splitter - ok
22:18:41.0609 2420 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
22:18:41.0629 2420 Spooler - ok
22:18:41.0699 2420 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:18:41.0729 2420 sr - ok
22:18:41.0829 2420 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
22:18:41.0889 2420 srservice - ok
22:18:42.0070 2420 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:18:42.0180 2420 Srv - ok
22:18:42.0230 2420 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
22:18:42.0230 2420 sscdbhk5 - ok
22:18:42.0310 2420 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
22:18:42.0330 2420 SSDPSRV - ok
22:18:42.0400 2420 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
22:18:42.0410 2420 ssrtln - ok
22:18:42.0570 2420 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
22:18:42.0681 2420 stisvc - ok
22:18:42.0731 2420 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:18:42.0731 2420 streamip - ok
22:18:42.0781 2420 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:18:42.0781 2420 swenum - ok
22:18:42.0831 2420 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:18:42.0851 2420 swmidi - ok
22:18:42.0871 2420 SwPrv - ok
22:18:42.0931 2420 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
22:18:42.0941 2420 symc810 - ok
22:18:42.0991 2420 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
22:18:43.0001 2420 symc8xx - ok
22:18:43.0031 2420 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
22:18:43.0041 2420 sym_hi - ok
22:18:43.0071 2420 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
22:18:43.0091 2420 sym_u3 - ok
22:18:43.0161 2420 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:18:43.0181 2420 sysaudio - ok
22:18:43.0261 2420 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
22:18:43.0291 2420 SysmonLog - ok
22:18:43.0412 2420 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
22:18:43.0492 2420 TapiSrv - ok
22:18:43.0652 2420 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:18:43.0782 2420 Tcpip - ok
22:18:43.0832 2420 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:18:43.0842 2420 TDPIPE - ok
22:18:43.0872 2420 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:18:43.0892 2420 TDTCP - ok
22:18:43.0952 2420 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:18:43.0972 2420 TermDD - ok
22:18:44.0123 2420 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
22:18:44.0213 2420 TermService - ok
22:18:44.0363 2420 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
22:18:44.0383 2420 tfsnboio - ok
22:18:44.0423 2420 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
22:18:44.0433 2420 tfsncofs - ok
22:18:44.0473 2420 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
22:18:44.0473 2420 tfsndrct - ok
22:18:44.0503 2420 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
22:18:44.0503 2420 tfsndres - ok
22:18:44.0563 2420 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
22:18:44.0593 2420 tfsnifs - ok
22:18:44.0633 2420 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
22:18:44.0643 2420 tfsnopio - ok
22:18:44.0663 2420 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
22:18:44.0673 2420 tfsnpool - ok
22:18:44.0754 2420 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
22:18:44.0814 2420 tfsnudf - ok
22:18:44.0894 2420 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
22:18:44.0934 2420 tfsnudfa - ok
22:18:45.0034 2420 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:18:45.0044 2420 Themes - ok
22:18:45.0104 2420 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
22:18:45.0114 2420 TosIde - ok
22:18:45.0204 2420 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
22:18:45.0244 2420 TrkWks - ok
22:18:45.0314 2420 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:18:45.0354 2420 Udfs - ok
22:18:45.0414 2420 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
22:18:45.0435 2420 ultra - ok
22:18:45.0635 2420 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:18:45.0765 2420 Update - ok
22:18:45.0875 2420 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
22:18:45.0945 2420 upnphost - ok
22:18:45.0995 2420 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
22:18:46.0005 2420 UPS - ok
22:18:46.0075 2420 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
22:18:46.0095 2420 usbaudio - ok
22:18:46.0166 2420 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:18:46.0186 2420 usbccgp - ok
22:18:46.0226 2420 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:18:46.0236 2420 usbehci - ok
22:18:46.0296 2420 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:18:46.0316 2420 usbhub - ok
22:18:46.0366 2420 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:18:46.0376 2420 usbprint - ok
22:18:46.0426 2420 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:18:46.0436 2420 usbscan - ok
22:18:46.0466 2420 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:18:46.0476 2420 USBSTOR - ok
22:18:46.0506 2420 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:18:46.0516 2420 usbuhci - ok
22:18:46.0546 2420 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:18:46.0566 2420 VgaSave - ok
22:18:46.0636 2420 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
22:18:46.0656 2420 viaagp - ok
22:18:46.0716 2420 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
22:18:46.0726 2420 ViaIde - ok
22:18:46.0766 2420 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:18:46.0796 2420 VolSnap - ok
22:18:46.0947 2420 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
22:18:47.0047 2420 VSS - ok
22:18:47.0507 2420 vToolbarUpdater11.2.0 (8ed347bad8d1fb7c40b593bfb01786d2) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
22:18:47.0808 2420 vToolbarUpdater11.2.0 - ok
22:18:48.0229 2420 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
22:18:48.0329 2420 w32time - ok
22:18:48.0459 2420 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:18:48.0469 2420 Wanarp - ok
22:18:48.0529 2420 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
22:18:48.0539 2420 wanatw - ok
22:18:48.0589 2420 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
22:18:48.0599 2420 WDC_SAM - ok
22:18:48.0819 2420 WDDMService (bf847a3972cc6b5ce26e0ea742dd52d9) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
22:18:48.0899 2420 WDDMService - ok
22:18:49.0360 2420 WDFME (b5966f1dff6e20576f3c8c2d93d129fd) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
22:18:49.0691 2420 WDFME - ok
22:18:50.0091 2420 WDICA - ok
22:18:50.0161 2420 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:18:50.0191 2420 wdmaud - ok
22:18:50.0492 2420 WDSC (92f0088ca18bb08bb596ef2608256f8a) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
22:18:50.0642 2420 WDSC - ok
22:18:50.0702 2420 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
22:18:50.0742 2420 WebClient - ok
22:18:50.0892 2420 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
22:18:50.0932 2420 winmgmt - ok
22:18:51.0033 2420 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
22:18:51.0053 2420 WmdmPmSN - ok
22:18:51.0183 2420 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
22:18:51.0223 2420 WmiApSrv - ok
22:18:51.0623 2420 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
22:18:51.0914 2420 WMPNetworkSvc - ok
22:18:52.0034 2420 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
22:18:52.0044 2420 WpdUsb - ok
22:18:52.0515 2420 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
22:18:52.0755 2420 WPFFontCache_v0400 - ok
22:18:52.0825 2420 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:18:52.0825 2420 WS2IFSL - ok
22:18:52.0885 2420 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
22:18:52.0925 2420 wscsvc - ok
22:18:52.0985 2420 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:18:52.0985 2420 WSTCODEC - ok
22:18:53.0045 2420 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
22:18:53.0045 2420 wuauserv - ok
22:18:53.0116 2420 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:18:53.0156 2420 WudfPf - ok
22:18:53.0226 2420 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:18:53.0256 2420 WudfRd - ok
22:18:53.0336 2420 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
22:18:53.0356 2420 WudfSvc - ok
22:18:53.0566 2420 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
22:18:53.0726 2420 WZCSVC - ok
22:18:53.0817 2420 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
22:18:53.0867 2420 xmlprov - ok
22:18:53.0957 2420 {6080A529-897E-4629-A488-ABA0C29B635E} (61002db7b6efb5711685b9d79b8e8ce6) C:\WINDOWS\system32\drivers\ialmsbw.sys
22:18:54.0007 2420 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
22:18:54.0077 2420 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (35ce2baa708ea038ab72359de87bab87) C:\WINDOWS\system32\drivers\ialmkchw.sys
22:18:54.0117 2420 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
22:18:54.0157 2420 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:18:54.0868 2420 \Device\Harddisk0\DR0 - ok
22:18:54.0888 2420 Boot (0x1200) (809c9d0dc42c402798e233a9d5abc343) \Device\Harddisk0\DR0\Partition0
22:18:54.0888 2420 \Device\Harddisk0\DR0\Partition0 - ok
22:18:54.0898 2420 ============================================================
22:18:54.0898 2420 Scan finished
22:18:54.0898 2420 ============================================================
22:18:54.0918 3300 Detected object count: 0
22:18:54.0918 3300 Actual detected object count: 0

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 July 2012 - 01:30 AM

Greetings

At this time I would like you to run this script for me. It is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

FireFox::
FF - ProfilePath - c:\documents and settings\Daniel Wetherall\Application Data\Mozilla\Firefox\Profiles\m14p40hv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3106777&SearchSource=3&q={searchTerms}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts

Posted 04 July 2012 - 11:24 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-30 20:14:05
-----------------------------
20:14:05.159 OS Version: Windows 5.1.2600 Service Pack 3
20:14:05.159 Number of processors: 1 586 0x209
20:14:05.159 ComputerName: DAN UserName:
20:14:05.970 Initialize success
20:19:53.269 AVAST engine defs: 12063001
20:20:13.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:20:13.609 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
20:20:13.629 Disk 0 MBR read successfully
20:20:13.629 Disk 0 MBR scan
20:20:13.699 Disk 0 Windows XP default MBR code
20:20:13.709 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
20:20:13.719 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 39166 MB offset 64260
20:20:13.729 Disk 0 scanning sectors +80276805
20:20:13.789 Disk 0 scanning C:\WINDOWS\system32\drivers
20:20:34.389 Service scanning
20:21:13.004 Modules scanning
20:21:30.039 Disk 0 trace - called modules:
20:21:30.069 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
20:21:30.419 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87382030]
20:21:30.419 3 CLASSPNP.SYS[f77f5fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87375d98]
20:21:30.609 AVAST engine scan C:\WINDOWS
20:22:24.907 AVAST engine scan C:\WINDOWS\system32
20:27:57.736 AVAST engine scan C:\WINDOWS\system32\drivers
20:28:31.495 AVAST engine scan C:\Documents and Settings\Daniel
20:46:54.971 AVAST engine scan C:\Documents and Settings\All Users
20:51:34.483 Scan finished successfully
21:01:15.887 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Daniel\Desktop\MBR.dat"
21:01:16.118 The log file has been saved successfully to "C:\Documents and Settings\Daniel\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-03 22:21:08
-----------------------------
22:21:08.801 OS Version: Windows 5.1.2600 Service Pack 3
22:21:08.801 Number of processors: 1 586 0x209
22:21:08.801 ComputerName: DAN UserName:
22:21:10.623 Initialize success
22:22:06.383 AVAST engine defs: 12070301
22:22:13.494 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:22:13.494 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
22:22:13.524 Disk 0 MBR read successfully
22:22:13.524 Disk 0 MBR scan
22:22:13.674 Disk 0 Windows XP default MBR code
22:22:13.694 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
22:22:13.704 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 39166 MB offset 64260
22:22:13.724 Disk 0 scanning sectors +80276805
22:22:13.994 Disk 0 scanning C:\WINDOWS\system32\drivers
22:22:50.797 Service scanning
22:23:53.447 Modules scanning
22:24:22.259 Disk 0 trace - called modules:
22:24:22.269 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
22:24:22.599 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x873a5ab8]
22:24:22.599 3 CLASSPNP.SYS[f77e5fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x873d04d0]
22:24:25.123 AVAST engine scan C:\WINDOWS
22:25:30.617 AVAST engine scan C:\WINDOWS\system32
22:37:34.608 AVAST engine scan C:\WINDOWS\system32\drivers
22:38:20.735 AVAST engine scan C:\Documents and Settings\Daniel Wetherall
22:55:48.461 AVAST engine scan C:\Documents and Settings\All Users
23:00:25.580 Scan finished successfully
08:21:44.377 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Daniel Wetherall\Desktop\MBR.dat"
08:21:44.457 The log file has been saved successfully to "C:\Documents and Settings\Daniel Wetherall\Desktop\aswMBR.txt"

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 July 2012 - 12:17 PM

Greetings

At this time I would like you to run this script for me. It is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

FireFox::
FF - ProfilePath - c:\documents and settings\Daniel Wetherall\Application Data\Mozilla\Firefox\Profiles\m14p40hv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3106777&SearchSource=3&q={searchTerms}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#13 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts

Posted 04 July 2012 - 12:51 PM

ComboFix 12-07-04.04 - Daniel Wetherall 07/04/2012 9:09.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.599 [GMT -8:00]
Running from: c:\documents and settings\Daniel Wetherall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel Wetherall\Desktop\CFScript.txt.txt
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-01 03:58 . 2012-07-01 03:58 -------- d-----w- c:\documents and settings\Daniel Wetherall\Local Settings\Application Data\WinZip
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\Daniel Wetherall\Local Settings\Application Data\AVG Secure Search
2012-07-01 03:51 . 2012-07-01 03:51 -------- d-----w- c:\documents and settings\Daniel Wetherall\Application Data\AVG Secure Search
2012-07-01 03:51 . 2012-07-01 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-07-01 03:50 . 2012-07-01 03:51 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-07-01 03:50 . 2012-07-01 03:51 -------- d-----w- c:\program files\AVG Secure Search
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\documents and settings\Daniel Wetherall\Application Data\Malwarebytes
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-30 02:51 . 2012-06-30 02:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-30 02:51 . 2012-04-04 23:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 05:46 . 2005-06-22 08:43 163840 ----a-w- c:\windows\system32\igfxres.dll
2012-06-29 03:57 . 2012-06-29 03:57 -------- d-----w- c:\documents and settings\Daniel Wetherall\Local Settings\Application Data\NPE
2012-06-27 05:37 . 2012-06-27 05:37 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-06-14 01:20 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 23:19 . 2007-06-08 00:19 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 23:19 . 2007-06-08 00:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 23:19 . 2004-08-26 05:34 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 23:19 . 2004-08-26 05:34 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 23:19 . 2004-08-26 05:34 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 23:19 . 2007-06-08 00:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 23:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 23:19 . 2004-08-26 05:34 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 23:19 . 2002-08-29 11:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 23:19 . 2002-08-29 11:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 23:19 . 2007-06-08 00:19 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 23:19 . 2004-08-26 05:34 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 23:19 . 2002-08-29 11:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 23:18 . 2007-06-11 18:41 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 23:18 . 2006-11-03 13:21 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 23:18 . 2006-11-03 13:21 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2003-03-20 22:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-02-07 02:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-29 11:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-05 15:55 . 2012-04-12 15:46 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 15:55 . 2011-05-23 04:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 13:12 . 1980-01-01 06:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 1980-01-01 06:00 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2002-08-29 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-11-21 04:04 . 2011-12-14 08:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-01 03:50 2074208 ----a-w- c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-01 2074208]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-01 1107552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/29/2012 6:51 PM 654408]
R2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [6/30/2012 7:51 PM 935008]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [12/12/2011 1:24 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [12/12/2011 1:24 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [12/12/2011 1:25 AM 484352]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [6/29/2012 6:51 PM 22344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/7/2009 11:39 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 7:46 AM 257696]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\SYSTEM32\DRIVERS\camdrv41.sys [12/14/2009 12:47 AM 1239552]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/7/2009 11:39 AM 135664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [12/11/2011 8:20 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 67517892
*Deregistered* - 67517892
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 15:55]
.
2012-07-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 20:20]
.
2012-07-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 06:17]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-07-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-07-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-07-04 c:\windows\Tasks\User_Feed_Synchronization-{AAC5E664-32BC-4EF2-941E-1ED90989F9D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://isearch.avg.com/?cid={978F07EA-F83E-4FCF-822F-7A5B79E7F746}&mid=acfaf84e9d1a4b7d898db62e4b4ac0ea-bef42c023c6b2d4dfb70cc7ee3003f3163d89d9e&lang=en&ds=hk011&pr=sa&d=2012-06-30 19:51&v=11.1.0.12&sap=hp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Daniel Wetherall\Application Data\Mozilla\Firefox\Profiles\m14p40hv.default\
FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com?cid=%7Bda32c06b-0349-4f7a-98ec-4a7a0da5e6d1%7D&mid=acfaf84e9d1a4b7d898db62e4b4ac0ea-bef42c023c6b2d4dfb70cc7ee3003f3163d89d9e&ds=hk011&v=11.1.0.12&lang=en&pr=sa&d=2012-06-30%2019%3A51%3A05&sap=hp
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 09:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2425240458-456833205-2956304666-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-07-04 09:36:40
ComboFix-quarantined-files.txt 2012-07-04 17:36
ComboFix2.txt 2012-07-03 09:25
.
Pre-Run: 11,988,750,336 bytes free
Post-Run: 12,054,159,360 bytes free
.
- - End Of File - - C4D5A991FFB7FFF710C1B4D4427F351C
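The ComboFix log above lists the machine's autostart points and ends its "Reg Loading Points" section with the Security Center monitoring and Windows Firewall policy values that a responder reads first. As an added example (not code from the thread, from ComboFix, or from the helper), the Python below parses that section's format and flags those settings, plus autostart entries that have no absolute path or sit outside the usual program directories. The sample text is a constructed excerpt in the log's format (the "Updater" entry is invented to exercise the location check), and the expected-directory list is an assumption.

```python
import re

# Constructed excerpt in the format of the ComboFix "Reg Loading Points" section.
# The "Updater" entry is constructed to exercise the location check; it is not
# from the thread's log.
SAMPLE_REG_SECTION = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-01 1107552]
"Updater"="c:\documents and settings\user\Application Data\updater.exe" [2012-07-01 90112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# An autostart value as ComboFix prints it: quoted path, then "[date size]".
PATH_RE = re.compile(r'^"?([a-z]:\\[^"\[]+?)"?\s*(?:\[[^\]]*\])?$', re.IGNORECASE)

# Assumption: autostart entries on this XP box are expected under these roots.
EXPECTED_AUTOSTART_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_reg_section(text):
    """Yield (key, name, value) triples from a ComboFix registry dump.

    Keys are lower-cased so the checks are case-insensitive; ComboFix itself
    mixes HKEY_LOCAL_MACHINE, hkey_local_machine and HKLM\\~ spellings.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def triage(text):
    """Return the findings a responder would review first, in log order."""
    findings = []

    def add(severity, key, name, message):
        findings.append({"severity": severity, "key": key, "name": name, "message": message})

    for key, name, value in parse_reg_section(text):
        if "security center\\monitoring" in key and name == "DisableMonitoring":
            # Normal when a third-party suite (Norton on this machine) reports its own
            # status, but also a value malware flips to hide a disabled AV or firewall.
            if value.lower() == "dword:00000001":
                add("info", key, name,
                    "Security Center monitoring disabled; confirm a third-party suite is installed and active")
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if value.startswith("0"):
                add("warn", key, name, "Windows Firewall disabled in the standard profile")
        elif key.endswith("\\currentversion\\run"):
            m = PATH_RE.match(value)
            if not m:
                # A bare file name is resolved through the search path at logon.
                add("warn", key, name, "autostart entry has no absolute path; resolves via the search path")
            elif not m.group(1).lower().startswith(EXPECTED_AUTOSTART_DIRS):
                add("warn", key, name, f"autostart from unusual location: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_SECTION):
        print(f"[{f['severity']}] {f['name']}: {f['message']}")
```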

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 July 2012 - 01:35 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

AVG Security Toolbar
Internet Explorer Default Page
Java™ 6 Update 30


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Go here to download the HijackThis installer.
  • Save the HijackThis installer to your desktop.
  • Double-click on the HijackThis installer icon on your desktop. (On Vista and Win 7, right-click and Run as administrator.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located at C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had.
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 AKMAN2011

Posted 04 July 2012 - 06:09 PM

Internet Explorer Default Page did not appear to be installed as a program with REVO.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.04.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Daniel Wetherall :: DAN [administrator]

Protection: Enabled

7/4/2012 2:13:27 PM
mbam-log-2012-07-04 (14-13-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280985
Time elapsed: 23 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:02:23 PM, on 7/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Daniel Wetherall\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK32.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe

--
End of file - 10868 bytes
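The HijackThis log above is a plain text format, one entry per line: a section code (R0, O2, O4, O23, ...), the description, usually a CLSID, and finally the file, command or URL the entry loads. Reading it by hand is how the "Do a system scan and save a log file" step in the instructions above gets used, so here is an added example, not part of this thread and not HijackThis code, of a small Python parser that reads entries of that form and flags the ones an analyst would look at first: COM objects and services whose binary is gone ("(no file)" / "(file missing)"), unnamed BHOs, toolbars and buttons that need identifying by CLSID, O23 services with no owner in the file's version info, and Run values that give a bare file name instead of a full path. The sample log is constructed from the kinds of lines that appear in the posted log (the entry shapes, CLSIDs and paths are taken from it) and is test input, not a new finding about that machine. The flags are triage hints, not verdicts; as Gringo says, most of what HijackThis lists is harmless or required.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not HijackThis code and not something the
helper posted. SAMPLE_LOG is constructed from the kinds of lines that appear in
the posted log and is test input only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one HijackThis entry per line, same shapes as the real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

SECTION_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # "[ValueName] command line"


@dataclass
class Entry:
    code: str                      # HijackThis section, e.g. O2, O4, O23
    body: str                      # everything after "O2 - "
    target: str                    # the file, command or URL the entry loads
    clsid: Optional[str] = None    # normalised to upper case for lookups
    flags: List[str] = field(default_factory=list)


def _target_of(code: str, body: str) -> str:
    """The last ' - ' field for COM-style entries, the command for O4 Run
    values (or the .lnk target for Global Startup), the value for R0/R1."""
    if code.startswith("R"):
        return body.split(" = ", 1)[-1].strip()
    if code == "O4":
        rest = body.split(": ", 1)[-1]
        m = RUN_RE.match(rest)
        return (m.group("cmd") if m else rest.split(" = ", 1)[-1]).strip()
    return body.rsplit(" - ", 1)[-1].strip()


def triage(e: Entry) -> List[str]:
    """Heuristics applied before deciding what, if anything, to fix."""
    flags: List[str] = []
    # Registration still present but the binary is gone: a leftover from an
    # uninstall, or something already removed by a scanner.
    if e.target == "(no file)" or e.target.endswith("(file missing)"):
        flags.append("orphan")
    # Unnamed COM object: identify it by CLSID before touching it.
    if "(no name)" in e.body:
        flags.append("no-name")
    # No company name in the service binary's version info (weak signal).
    if e.code == "O23" and " - Unknown owner - " in e.body:
        flags.append("unknown-owner")
    # A Run value with a bare file name is resolved through the search path,
    # so confirm which binary actually runs.
    if e.code == "O4":
        cmd = e.target
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if not re.match(r"^[A-Za-z]:\\", exe):
            flags.append("bare-filename")
    return flags


def parse_entry(line: str) -> Optional[Entry]:
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header, "Running processes:" block, blank line, ...
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    e = Entry(code=code, body=body, target=_target_of(code, body),
              clsid=clsid_m.group(0).upper() if clsid_m else None)
    e.flags = triage(e)
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4} {','.join(e.flags):<22} {e.clsid or '':<40} {e.target}")
```

Run it and the five flagged entries print with their hints; everything else (the Google Toolbar BHO, the MBAM service, the ESET OnlineScanner control) is left alone. The point of the "orphan" flag is the one the log above illustrates well: the two McAfee services are registered but their binaries are missing, which is leftover registration from an old product rather than an active threat.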



