
Infected: Rootkit. IRP hook, \Driver\atapi DriverStartIo


This topic is locked
40 replies to this topic

#1 Bela70

  • Members
  • 39 posts

Posted 09 July 2012 - 11:10 PM

I came across another topic dealing with the same issue. The poster did not respond so it was closed. I followed the initial steps and ran the programs that were suggested. DeFogger, DDS and RKUnHooker. Pasting the results with this message. Thanks in advance for any and all help!

DDS


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_30
Run by NEW ADMINISTRATOR at 16:24:19 on 2012-07-08
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder]
uRun: [KB00755838.exe] "c:\documents and settings\new administrator\application data\KB00755838.exe"
uRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [volmgr] %APPDATA%\volmgr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340694546796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341538715531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
TCP: Interfaces\{7379C362-F35F-474F-B43E-E95B81F272B5} : DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: Service Pack 3 - WlLogonEvent
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
Hosts: 95.64.61.131 www.google.com
Hosts: 95.64.61.132 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\new administrator\application data\mozilla\firefox\profiles\gxszfaij.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://charter.net/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm103YYUS&fl=0&ptb=jZ4bi8VJwAp6V3u9N.RQAA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 08439bd5-efb4-450f-81a9-c05f8be9af4a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-08 18:22:29 388096 ----a-r- c:\documents and settings\new administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-07-08 18:22:27 -------- d-----w- c:\program files\Trend Micro
2012-07-05 23:02:58 -------- d-----w- c:\documents and settings\new administrator\application data\AVG2012
2012-07-05 22:55:19 -------- d-----w- c:\documents and settings\new administrator\application data\Ocha
2012-07-05 22:55:19 -------- d-----w- c:\documents and settings\new administrator\application data\Obci
2012-07-05 22:55:19 -------- d-----w- c:\documents and settings\new administrator\application data\Aqolni
2012-07-05 22:53:35 -------- d--h--w- C:\$AVG
2012-07-05 22:09:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-28 05:28:59 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-28 05:28:59 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-06-26 07:20:43 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-06-26 07:13:41 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-26 03:19:42 -------- d-----w- c:\documents and settings\new administrator\application data\Malwarebytes
2012-06-26 03:19:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-26 03:19:13 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-26 03:19:13 -------- d-----w- c:\program files\Fun
2012-06-26 03:06:39 -------- d-----w- c:\documents and settings\new administrator\application data\TeamViewer
2012-06-26 02:33:22 -------- d-----r- c:\program files\Skype
2012-06-26 02:26:27 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2012-06-26 02:25:51 -------- d-----w- c:\program files\common files\xing shared
2012-06-26 02:25:21 150696 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2012-06-26 02:25:12 129144 ----a-w- c:\program files\mozilla firefox\plugins\nprpplugin.dll
2012-06-20 01:52:26 -------- d-----w- c:\documents and settings\new administrator\application data\ChYCwkUVrOtPuSi
2012-06-18 01:23:07 88576 ----a-w- c:\windows\system32\Baspxp32.dll
2012-06-18 01:22:22 -------- d-----w- c:\program files\Broadcom
.
==================== Find3M ====================
.
2012-07-05 22:55:30 294018 ----a-w- c:\windows\system32\shimg.dll
2012-06-26 02:24:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-26 02:24:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-04 21:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85F3749F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85f3e740]; MOV EAX, [0x85f3e8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86360AB8]
3 CLASSPNP[0xF7616FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000063[0x863DD518]
5 ACPI[0xF758D620] -> nt!IofCallDriver[0x804E13B9] -> [0x863CABD0]
\Driver\atapi[0x85F86230] -> IRP_MJ_CREATE -> 0x85F3749F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85F372C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:27:46.06 ===============



RKU


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF068000 C:\WINDOWS\System32\ialmdd5.DLL 843776 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF6E77000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 774144 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF6D4B000 C:\WINDOWS\system32\drivers\smwdm.sys 581632 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF7418000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEE8C3000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6C59000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEEA61000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB2101000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xEE9B9000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 294912 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xBF136000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB1A87000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xEE88B000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 229376 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xEEA29000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
0xF6CB7000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF6E10000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 192512 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xF7587000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB24D4000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF73EB000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xABFFC000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE933000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF03F000 C:\WINDOWS\System32\ialmdev5.DLL 167936 bytes (Intel Corporation, Component GHAL Driver)
0xEE980000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7531000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB25A1000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6D27000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6E3F000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6DD9000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEE95E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB1E10000 C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys 135168 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74E1000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7557000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 126976 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF73D1000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF6D0F000 C:\WINDOWS\system32\drivers\aeaudio.sys 98304 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF7519000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB2589000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7501000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF74B8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6CF8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB2524000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6DFC000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6E63000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEEABA000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF74A5000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF74CF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7576000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6CE7000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xEEB1D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7626000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7646000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7636000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB276D000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7706000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7726000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 57344 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF7616000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7666000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75F6000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7686000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7776000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7846000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75E6000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7676000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75D6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7826000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0xF76C6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76A6000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xEE19A000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7606000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7786000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7656000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7696000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7766000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF7746000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7866000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF799E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF792E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF786E000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF7946000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7986000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB2A35000 C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7856000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF794E000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF793E000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7936000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7926000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF798E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB320C000 C:\WINDOWS\system32\DRIVERS\avgidsfilterx.sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xF796E000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7996000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF785E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF795E000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7966000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7956000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF78CE000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF79EE000 avgidshx.sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xF7A92000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF73A5000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9F0D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB253D000 C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys 12288 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xF79EA000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB3465000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7A86000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x85E00000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A96000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7AC2000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF6F40000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7ABA000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0xF7B0A000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7ADA000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B8A000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B08000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7AD8000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B0C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B0E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AF4000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AFC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7AD6000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C19000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BE8000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C18000 C:\WINDOWS\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
0xF7CA5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B9E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x85F372C6 ?_empty_? 3386 bytes
==============================================
>Stealth
==============================================
0xF7519000 WARNING: suspicious driver modification [atapi.sys::0x85F372C6]
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [mup.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [ftdisk.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [fltmgr.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [asyncmac.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [fastfat.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [usbscan.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [nwrdr.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [partmgr.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [secdrv.sys]
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [pciidex.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [USBSTOR.SYS]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [usbccgp.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [processr.sys]
WARNING: Virus alike driver modification [disk.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [isapnp.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [cercsr6.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [usbaapl.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [agp440.sys]
WARNING: Virus alike driver modification [mountmgr.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [irbus.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [classpnp.sys]
WARNING: Virus alike driver modification [mspqm.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [volsnap.sys]
WARNING: Virus alike driver modification [mspclock.sys]
WARNING: Virus alike driver modification [intelide.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [atmarpc.sys]
WARNING: Virus alike driver modification [arp1394.sys]
WARNING: Virus alike driver modification [nic1394.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [parvdm.sys]
WARNING: Virus alike driver modification [pci.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [sr.sys]
WARNING: Virus alike driver modification [mskssrv.sys]
WARNING: Virus alike driver modification [nvraid.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [WudfPf.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [dmboot.sys]
WARNING: Virus alike driver modification [WudfRd.sys]
WARNING: Virus alike driver modification [nwlnkipx.sys]
WARNING: Virus alike driver modification [mqac.sys]
WARNING: Virus alike driver modification [NvAtaBus.sys]
WARNING: Virus alike driver modification [ksecdd.sys]
WARNING: Virus alike driver modification [slnthal.sys]
WARNING: Virus alike driver modification [scsiport.sys]


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,729 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:07 AM

Posted 14 July 2012 - 11:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/460020 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Bela70

Bela70
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 15 July 2012 - 12:42 PM

Win XP, 32 bit OS
Yes I do have OS disc, but currently the drive is unavailable. Will not boot off of CD. Drive changes name from CD to DVD-R to DVD-RAM
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Media Player
Adobe Reader 8.3.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2012
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
Critical Update for Windows Media Player 11 (KB959772)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Product Detection
Intel® Extreme Graphics 2 Driver
iTunes
Java Auto Updater
Java™ 6 Update 30
Java™ 6 Update 4
Java™ 6 Update 7
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
NetAssistant
NetAssistant for Firefox
OpenOffice.org 2.4
QuickBooks Pro 2008
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype™ 3.8
Skype™ 5.10
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
SupportSoft Assisted Service
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== End Of File ===========================


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-15 13:39:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380011A rev.8.01
Running: 68hkx4ip.exe; Driver: C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp\pxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB8D5E004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB8D5E0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB8D5DD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB8D5DE1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB8D5DEBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB8D5DF56]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0E88000A
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0EDE000A
.text C:\WINDOWS\System32\svchost.exe[1188] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0EDF000A
.text C:\WINDOWS\System32\svchost.exe[1188] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00DD000A
.text C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe[3472] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 00B2000C
.text C:\program files\real\realplayer\update\realsched.exe[3784] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 85F352C6

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB825$\2095284261 0 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\bckfg.tmp 995 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\cfg.ini 509 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\keywords 131 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\L 0 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\L\eikogrfs 64512 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\lsflt7.ver 314 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U 0 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB825$\2095284261\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB825$\304266514 0 bytes

---- EOF - GMER 1.0.15 ----
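The two findings that give this thread its title are visible in the GMER log above: every IDE device object under \Driver\atapi has its DriverStartIo routine redirected to one and the same address, and the disk-sector scan flags TDL4-style code in the MBR of \Device\Harddisk0\DR0. As an added defender-side example (not a tool from this thread, from GMER or from BleepingComputer), the Python below parses those two classes of GMER lines and summarises them for triage; the sample log is a constructed excerpt modelled on the lines above, and the function names are my own.

```python
"""Triage helper for GMER rootkit-scan output (added example, not a GMER or BleepingComputer tool)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted in this thread (not the full log).
SAMPLE_GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85F352C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F352C6

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# "Device <driver> -> <routine> <device object> <address>" lines from the Devices section.
HOOK_RE = re.compile(
    r"^Device (?P<driver>\\\S+) -> (?P<routine>\w+) (?P<device>\\\S+) (?P<addr>[0-9A-Fa-f]{8})\s*$"
)
# "Disk <device> <detail>" lines from the Disk sectors section.
DISK_RE = re.compile(r"^Disk (?P<device>\\\S+) (?P<detail>.+)$")


def parse_gmer(text):
    """Return the driver-routine hooks and disk-sector findings in a GMER log."""
    hooks, disk = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append(m.groupdict())
    return {"hooks": hooks, "disk": disk}


def triage(text):
    """Collapse per-device hook lines into one finding per (driver, routine, address)
    and keep only disk-sector lines GMER itself marks as rootkit-related."""
    parsed = parse_gmer(text)
    findings = []

    # A rootkit that patches the driver object redirects the routine for every
    # device object the driver owns, so the hook lines share a single address.
    by_target = defaultdict(set)
    for h in parsed["hooks"]:
        by_target[(h["driver"], h["routine"], h["addr"].upper())].add(h["device"])
    for (driver, routine, addr), devices in sorted(by_target.items()):
        findings.append(
            f"{driver} {routine} redirected to 0x{addr} on {len(devices)} device object(s)"
        )

    for d in parsed["disk"]:
        detail = d["detail"]
        if "ROOTKIT" in detail.upper():
            # Drop GMER's trailing "<-- ROOTKIT !!!" marker; keep the description.
            findings.append(
                f"{d['device']}: boot-sector indicator: {detail.split('<--')[0].strip()}"
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GMER_LOG):
        print(f)
```

On the log above this collapses the six DriverStartIo lines into a single finding for \Driver\atapi at 0x85F352C6 and lists the two disk-sector lines, which is the short summary a helper would want before deciding on a boot-sector tool such as TDSSKiller.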

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:07 AM

Posted 15 July 2012 - 02:37 PM

Bela70,

Welcome to BleepingComputer.
We sincerely apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

One or more of the identified infections is a backdoor trojan (in this case, ZeroAccess) and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1: TDSSKiller
  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply.



Step 2: Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


In your next reply, please include:
  • TDSSkiller log
  • Combofix log
  • Feedback from you - how is your computer running now? Please be as descriptive as possible.

Edited by jntkwx, 15 July 2012 - 02:37 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#5 Bela70

Bela70
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 15 July 2012 - 06:29 PM

Hi Jason,

thanks for the reply. I ran TDSSKiller, but am having a problem running the Combofix. Two issues actually with it. First is I am doing this remotely to help a friend who is a senior citizen out. It appears that Combofixer is shutting Team Viewer down. Second issue is on reboot, AVG reactivates along with what I believe is a bogus Norton program. Norton originally showed in Add/Remove Programs, but would not remove. It no longer shows, but Combofixer is saying it is still there. I have been able to shut it down via Task Manager, but again on reboot it comes up.

AVG and this Norton seem to be causing Combofixer to time out.

I would LOVE to reinstall the OS, but I need to get the drive freed from this infection first, since it is not being recognized.

Going to keep working on getting ComboFix to run in the meantime.

#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:07 AM

Posted 15 July 2012 - 06:37 PM

Bela70,

ComboFix is likely shutting TeamViewer down. Unfortunately, there may not be a way to fix this remotely.

Since TDSSKiller has finished, please post that log.
Regards,
Jason



#7 Bela70

Bela70
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 15 July 2012 - 06:45 PM

ComboFix 12-07-14.01 - NEW ADMINISTRATOR 07/15/2012 19:22:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.462 [GMT -4:00]
Running from: c:\documents and settings\NEW ADMINISTRATOR\Desktop\Programs\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\NEWADM~1\LOCALS~1\Temp\TeamViewer\Version6\tv_w32.dll
c:\documents and settings\NEW ADMINISTRATOR\Local Settings\Temp\TeamViewer\Version6\tv_w32.dll
c:\windows\$NtUninstallKB825$\304266514
.
---- Previous Run -------
.
c:\documents and settings\NetworkService\Application Data\PriceGong
c:\documents and settings\NEW ADMINISTRATOR\Application Data\.#
c:\documents and settings\NEW ADMINISTRATOR\Application Data\CzPycS1iv3n4m6WOpenCloud Security.ico
c:\documents and settings\NEW ADMINISTRATOR\Application Data\d6E8R9YwUOpenCloud Security.ico
c:\documents and settings\NEW ADMINISTRATOR\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Optimizer Pro.lnk
c:\documents and settings\NEW ADMINISTRATOR\Application Data\PriceGong
c:\documents and settings\NEW ADMINISTRATOR\Application Data\UhYCwkVrlNx0c2bOpenCloud Security.ico
C:\Skype
c:\windows\$NtUninstallKB825$
c:\windows\$NtUninstallKB825$\2095284261\@
c:\windows\$NtUninstallKB825$\2095284261\bckfg.tmp
c:\windows\$NtUninstallKB825$\2095284261\cfg.ini
c:\windows\$NtUninstallKB825$\2095284261\Desktop.ini
c:\windows\$NtUninstallKB825$\2095284261\keywords
c:\windows\$NtUninstallKB825$\2095284261\kwrd.dll
c:\windows\$NtUninstallKB825$\2095284261\L\eikogrfs
c:\windows\$NtUninstallKB825$\2095284261\lsflt7.ver
c:\windows\$NtUninstallKB825$\2095284261\U\00000001.@
c:\windows\$NtUninstallKB825$\2095284261\U\00000002.@
c:\windows\$NtUninstallKB825$\2095284261\U\00000004.@
c:\windows\$NtUninstallKB825$\2095284261\U\80000000.@
c:\windows\$NtUninstallKB825$\2095284261\U\80000004.@
c:\windows\$NtUninstallKB825$\2095284261\U\80000032.@
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\L\00000004.@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\00000004.@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\00000008.@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\000000cb.@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\80000000.@
c:\windows\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\80000032.@
c:\windows\system32\crt.dat
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\msssc.dll
c:\windows\system32\shimg.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-15 23:10 . 2012-07-15 23:10 -------- d-----w- c:\windows\LastGood.Tmp
2012-07-15 21:14 . 2012-07-15 21:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-08 18:22 . 2012-07-08 18:22 388096 ----a-r- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-08 18:22 . 2012-07-08 18:22 -------- d-----w- c:\program files\Trend Micro
2012-07-05 23:02 . 2012-07-05 23:02 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\AVG2012
2012-07-05 22:55 . 2012-07-06 01:30 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Obci
2012-07-05 22:55 . 2012-07-05 22:56 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Aqolni
2012-07-05 22:55 . 2012-07-05 22:55 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Ocha
2012-07-05 22:53 . 2012-07-05 22:53 -------- d-----w- C:\$AVG
2012-07-05 22:09 . 2012-07-06 00:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-28 05:28 . 2012-07-15 16:52 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-28 05:28 . 2012-07-08 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-06-26 07:20 . 2012-07-08 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-06-26 07:13 . 2012-06-02 19:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-26 06:05 . 2012-06-26 06:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2012-06-26 04:50 . 2012-06-26 04:50 -------- d-----w- c:\documents and settings\Administrator
2012-06-26 03:19 . 2012-06-26 03:19 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Malwarebytes
2012-06-26 03:19 . 2012-06-26 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-26 03:19 . 2012-06-26 05:02 -------- d-----w- c:\program files\Fun
2012-06-26 03:19 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-26 03:06 . 2012-07-08 16:25 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\TeamViewer
2012-06-26 02:34 . 2012-07-05 23:45 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Skype
2012-06-26 02:33 . 2012-06-26 02:33 -------- d-----w- c:\program files\Common Files\Skype
2012-06-26 02:33 . 2012-06-26 02:33 -------- d-----r- c:\program files\Skype
2012-06-26 02:26 . 2012-06-26 02:26 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-06-26 02:25 . 2012-06-26 02:25 -------- d-----w- c:\program files\Common Files\xing shared
2012-06-26 02:25 . 2012-06-26 02:25 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-06-26 02:25 . 2012-06-26 02:25 129144 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-20 01:52 . 2012-06-20 01:52 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi
2012-06-18 01:23 . 2008-06-06 13:03 88576 ----a-w- c:\windows\system32\Baspxp32.dll
2012-06-18 01:22 . 2012-06-18 01:23 -------- d-----w- c:\program files\Broadcom
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 02:24 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-26 02:24 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-04 21:35 . 2008-05-28 18:05 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-04 21:35 . 2007-07-30 23:18 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:19 . 2007-07-30 23:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-05-28 18:05 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-05-28 18:05 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2007-07-30 23:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-05-28 18:05 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2008-05-28 18:05 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2007-07-30 23:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-07-30 23:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-05-28 18:05 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-05-28 18:05 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2008-05-30 15:35 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2008-05-30 15:35 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-13 04:39 . 2012-03-19 17:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-07 17425072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-22 21:42 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-06-26 02:24 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SkypeUpdate"=2 (0x2)
"QBFCService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/19/2012 5:17 AM 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/4/2004 8:00 AM 14336]
S2 X4HSEx;X4HSEx;\??\c:\program files\Free Ride Games\X4HSEx.Sys --> c:\program files\Free Ride Games\X4HSEx.Sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/5/2012 6:09 PM 40776]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\NEWADM~1\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\NEWADM~1\LOCALS~1\Temp\mfe_rr.sys [?]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
FF - ProfilePath - c:\documents and settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://charter.net/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm103YYUS&fl=0&ptb=jZ4bi8VJwAp6V3u9N.RQAA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 08439bd5-efb4-450f-81a9-c05f8be9af4a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AROReminder - (no file)
HKCU-Run-KB00755838.exe - c:\documents and settings\NEW ADMINISTRATOR\Application Data\KB00755838.exe
HKCU-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
HKLM-Run-volmgr - c:\documents and settings\NEW ADMINISTRATOR\Application Data\volmgr.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll
Notify-KERNEL32 - (no file)
Notify-NecUsb3Sevices - USB3Sw32.dll
Notify-Service Pack 3 - WlLogonEvent
Notify-USB3Sw32 - USB3Sw32.dll
SafeBoot-91286580.sys
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-15 19:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2012-07-15 19:41:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-15 23:41
.
Pre-Run: 65,574,514,688 bytes free
Post-Run: 65,471,344,640 bytes free
.
- - End Of File - - 7B1450DB1A870D4CC23C88996718B82E
17:10:34.0138 1420 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
17:10:34.0591 1420 ============================================================
17:10:34.0591 1420 Current date / time: 2012/07/15 17:10:34.0591
17:10:34.0591 1420 SystemInfo:
17:10:34.0591 1420
17:10:34.0591 1420 OS Version: 5.1.2600 ServicePack: 3.0
17:10:34.0591 1420 Product type: Workstation
17:10:34.0591 1420 ComputerName: STATION3
17:10:34.0591 1420 UserName: NEW ADMINISTRATOR
17:10:34.0591 1420 Windows directory: C:\WINDOWS
17:10:34.0591 1420 System windows directory: C:\WINDOWS
17:10:34.0591 1420 Processor architecture: Intel x86
17:10:34.0591 1420 Number of processors: 2
17:10:34.0591 1420 Page size: 0x1000
17:10:34.0591 1420 Boot type: Normal boot
17:10:34.0591 1420 ============================================================
17:10:44.0076 1420 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2861, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
17:10:44.0107 1420 ============================================================
17:10:44.0107 1420 \Device\Harddisk0\DR0:
17:10:44.0107 1420 MBR partitions:
17:10:44.0107 1420 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
17:10:44.0107 1420 ============================================================
17:10:44.0154 1420 C: <-> \Device\Harddisk0\DR0\Partition0
17:10:44.0169 1420 ============================================================
17:10:44.0169 1420 Initialize success
17:10:44.0169 1420 ============================================================
17:11:30.0904 2452 ============================================================
17:11:30.0904 2452 Scan started
17:11:30.0904 2452 Mode: Manual;
17:11:30.0904 2452 ============================================================
17:11:35.0185 2452 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll
17:11:35.0216 2452 6to4 - ok
17:11:35.0357 2452 7ce38025 ( Rootkit.Win32.PMax.gen ) - infected
17:11:35.0357 2452 7ce38025 - detected Rootkit.Win32.PMax.gen (0)
17:11:35.0607 2452 Abiosdsk - ok
17:11:35.0638 2452 abp480n5 - ok
17:11:35.0763 2452 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:11:35.0841 2452 ACPI - ok
17:11:35.0950 2452 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:11:35.0966 2452 ACPIEC - ok
17:11:36.0044 2452 adpu160m - ok
17:11:36.0107 2452 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
17:11:36.0122 2452 aeaudio - ok
17:11:36.0232 2452 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:11:36.0247 2452 aec - ok
17:11:36.0357 2452 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
17:11:36.0372 2452 AFD - ok
17:11:36.0466 2452 Aha154x - ok
17:11:36.0638 2452 aic78u2 - ok
17:11:36.0669 2452 aic78xx - ok
17:11:36.0716 2452 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
17:11:36.0732 2452 Alerter - ok
17:11:36.0857 2452 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
17:11:36.0857 2452 ALG - ok
17:11:36.0888 2452 AliIde - ok
17:11:36.0904 2452 amsint - ok
17:11:37.0107 2452 Apple Mobile Device (2e3e53a6aef23e24f402c7855b9b1542) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:11:37.0122 2452 Apple Mobile Device - ok
17:11:37.0216 2452 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
17:11:37.0232 2452 AppMgmt - ok
17:11:37.0310 2452 asc - ok
17:11:37.0341 2452 asc3350p - ok
17:11:37.0404 2452 asc3550 - ok
17:11:37.0685 2452 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
17:11:37.0747 2452 aspnet_state - ok
17:11:38.0138 2452 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:11:38.0138 2452 AsyncMac - ok
17:11:38.0185 2452 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:11:38.0185 2452 atapi - ok
17:11:38.0232 2452 Atdisk - ok
17:11:38.0747 2452 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:11:38.0747 2452 Atmarpc - ok
17:11:38.0888 2452 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
17:11:38.0888 2452 AudioSrv - ok
17:11:39.0044 2452 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:11:39.0044 2452 audstub - ok
17:11:39.0591 2452 AVGIDSAgent (d67719bcfde5798f5c30d14efed3bcaf) C:\Program Files\AVG\AVG2012\avgidsagent.exe
17:11:39.0825 2452 AVGIDSAgent - ok
17:11:39.0950 2452 AVGIDSDriver (1074f787080068c71303b61fae7e7ca4) C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys
17:11:39.0997 2452 AVGIDSDriver - ok
17:11:40.0232 2452 AVGIDSFilter (61a7e0b02f82cff3db2445bbe50b3589) C:\WINDOWS\system32\DRIVERS\avgidsfilterx.sys
17:11:40.0278 2452 AVGIDSFilter - ok
17:11:40.0513 2452 AVGIDSHX (d63d83659eedf60b3a3e620281a888e5) C:\WINDOWS\system32\DRIVERS\avgidshx.sys
17:11:40.0528 2452 AVGIDSHX - ok
17:11:40.0622 2452 AVGIDSShim (baf975b72062f53d327788e99d64197e) C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys
17:11:40.0638 2452 AVGIDSShim - ok
17:11:40.0716 2452 Avgldx86 (dda6a2a18841e4c9172bb85958b8d948) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
17:11:40.0747 2452 Avgldx86 - ok
17:11:40.0857 2452 Avgmfx86 (ccdd61545aaea265977e4b1efdc74e8c) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
17:11:40.0857 2452 Avgmfx86 - ok
17:11:41.0216 2452 Avgrkx86 (1fd90b28d2c3100bf4500199c8ad6358) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
17:11:41.0216 2452 Avgrkx86 - ok
17:11:41.0294 2452 Avgtdix (1263f2554ace925c237a40b4c568d815) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
17:11:41.0310 2452 Avgtdix - ok
17:11:41.0685 2452 avgwd (ea1145debcd508fd25bd1e95c4346929) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
17:11:41.0700 2452 avgwd - ok
17:11:41.0794 2452 b57w2k (5175e788bcd1cb7345ab21f3e14369d2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
17:11:41.0810 2452 b57w2k - ok
17:11:41.0888 2452 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:11:41.0888 2452 Beep - ok
17:11:42.0247 2452 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
17:11:42.0310 2452 BITS - ok
17:11:42.0528 2452 Blfp (9b53d428de0a2566a03499d7aa48dec4) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
17:11:42.0544 2452 Blfp - ok
17:11:42.0778 2452 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
17:11:42.0778 2452 Browser - ok
17:11:42.0888 2452 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:11:42.0903 2452 cbidf2k - ok
17:11:42.0935 2452 cd20xrnt - ok
17:11:42.0997 2452 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:11:43.0044 2452 Cdaudio - ok
17:11:43.0091 2452 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:11:43.0091 2452 Cdfs - ok
17:11:43.0185 2452 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:11:43.0200 2452 Cdrom - ok
17:11:43.0232 2452 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
17:11:43.0278 2452 cercsr6 - ok
17:11:43.0310 2452 Changer - ok
17:11:43.0482 2452 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
17:11:43.0482 2452 CiSvc - ok
17:11:43.0513 2452 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
17:11:43.0528 2452 ClipSrv - ok
17:11:43.0747 2452 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:11:43.0903 2452 clr_optimization_v2.0.50727_32 - ok
17:11:44.0310 2452 CmdIde - ok
17:11:44.0341 2452 COMSysApp - ok
17:11:44.0482 2452 Cpqarray - ok
17:11:44.0622 2452 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
17:11:44.0638 2452 CryptSvc - ok
17:11:44.0716 2452 dac2w2k - ok
17:11:44.0825 2452 dac960nt - ok
17:11:45.0028 2452 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:11:45.0060 2452 DcomLaunch - ok
17:11:45.0216 2452 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
17:11:45.0232 2452 Dhcp - ok
17:11:45.0419 2452 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:11:45.0450 2452 Disk - ok
17:11:45.0528 2452 dmadmin - ok
17:11:46.0216 2452 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:11:46.0278 2452 dmboot - ok
17:11:46.0482 2452 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:11:46.0497 2452 dmio - ok
17:11:46.0528 2452 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:11:46.0528 2452 dmload - ok
17:11:46.0747 2452 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
17:11:46.0763 2452 dmserver - ok
17:11:46.0903 2452 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:11:46.0903 2452 DMusic - ok
17:11:47.0232 2452 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
17:11:47.0232 2452 Dnscache - ok
17:11:47.0544 2452 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
17:11:47.0560 2452 Dot3svc - ok
17:11:47.0700 2452 dpti2o - ok
17:11:47.0794 2452 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:11:47.0810 2452 drmkaud - ok
17:11:47.0903 2452 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:11:47.0903 2452 EapHost - ok
17:11:47.0966 2452 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:11:47.0966 2452 ERSvc - ok
17:11:48.0091 2452 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:11:48.0107 2452 Eventlog - ok
17:11:48.0232 2452 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
17:11:48.0247 2452 EventSystem - ok
17:11:48.0357 2452 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:11:48.0372 2452 Fastfat - ok
17:11:48.0841 2452 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:11:48.0888 2452 FastUserSwitchingCompatibility - ok
17:11:49.0263 2452 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:11:49.0263 2452 Fdc - ok
17:11:49.0403 2452 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:11:49.0419 2452 Fips - ok
17:11:49.0513 2452 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:11:49.0513 2452 Flpydisk - ok
17:11:49.0716 2452 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:11:49.0732 2452 FltMgr - ok
17:11:49.0919 2452 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:11:49.0919 2452 FontCache3.0.0.0 - ok
17:11:50.0028 2452 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:11:50.0028 2452 Fs_Rec - ok
17:11:50.0122 2452 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:11:50.0138 2452 Ftdisk - ok
17:11:50.0732 2452 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
17:11:50.0732 2452 GEARAspiWDM - ok
17:11:50.0763 2452 GMSIPCI - ok
17:11:50.0997 2452 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:11:51.0013 2452 Gpc - ok
17:11:51.0107 2452 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:11:51.0107 2452 helpsvc - ok
17:11:51.0216 2452 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
17:11:51.0232 2452 HidServ - ok
17:11:51.0419 2452 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:11:51.0419 2452 HidUsb - ok
17:11:51.0544 2452 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:11:51.0560 2452 hkmsvc - ok
17:11:51.0653 2452 hpn - ok
17:11:51.0841 2452 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:11:51.0857 2452 HTTP - ok
17:11:52.0060 2452 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:11:52.0060 2452 HTTPFilter - ok
17:11:52.0169 2452 i2omgmt - ok
17:11:52.0388 2452 i2omp - ok
17:12:41.0637 2452 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
17:12:41.0669 2452 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
17:12:41.0669 2452 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
17:12:41.0700 2452 Boot (0x1200) (2ceaf628cd5a542fb48710ffdf960848) \Device\Harddisk0\DR0\Partition0
17:12:41.0700 2452 \Device\Harddisk0\DR0\Partition0 - ok
17:12:41.0731 2452 ============================================================
17:12:41.0731 2452 Scan finished
17:12:41.0731 2452 ============================================================
17:12:41.0841 3600 Detected object count: 2
17:12:41.0841 3600 Actual detected object count: 2
17:14:26.0949 3600 HKLM\SYSTEM\ControlSet001\services\7ce38025 - will be deleted on reboot
17:14:26.0949 3600 HKLM\SYSTEM\ControlSet002\services\7ce38025 - will be deleted on reboot
17:14:27.0074 3600 C:\WINDOWS\629203836:2199683034.exe - will be deleted on reboot
17:14:27.0074 3600 7ce38025 ( Rootkit.Win32.PMax.gen ) - User select action: Delete
17:14:28.0934 3600 \Device\Harddisk0\DR0\# - copied to quarantine
17:14:28.0981 3600 \Device\Harddisk0\DR0 - copied to quarantine
17:14:29.0465 3600 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
17:14:29.0527 3600 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
17:14:29.0543 3600 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
17:14:29.0590 3600 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
17:14:29.0637 3600 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
17:14:29.0684 3600 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
17:14:29.0684 3600 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
17:14:29.0699 3600 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
17:14:29.0699 3600 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
17:14:29.0731 3600 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
17:14:29.0809 3600 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
17:14:29.0840 3600 \Device\Harddisk0\DR0 - ok
17:14:30.0887 3600 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure

#8 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:07 AM

Posted 15 July 2012 - 06:53 PM

Bela70,

Combofix and TDSSkiller did run successfully, and have fixed the infections.

We'll fix the remnants of Norton once we've removed all the infections.

Step 1: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 2: FSS
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step 3: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

In your next reply, please include:
  • Malwarebytes log
  • FSS log
  • ESET log
  • How's the computer running now? Please be as descriptive as possible.

Regards,
Jason

 



#9 Bela70

  • Topic Starter

  • Members
  • 39 posts
  • Local time:10:07 AM

Posted 15 July 2012 - 08:46 PM

Farbar Service Scanner Version: 08-07-2012
Ran by NEW ADMINISTRATOR (administrator) on 15-07-2012 at 20:16:55
Running from "C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\Programs"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(10) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(8)
0x0A000000050000000100000002000000030000000400000008000000090000000A0000000600000007000000
IpSec Tag value is correct.

**** End of log ****

C:\Documents and Settings\All Users\Application Data\Fighters\SLOW-PCfighter\InstallCache\{A2EFF94A-85E9-46A6-B02A-70BA351A2D82}\SLOW-PCfighter.msi a variant of Win32/SlowPCfighter application deleted - quarantined
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\5f42ba12-5ed8c09d a variant of Java/Agent.DU trojan deleted - quarantined
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Sun\Java\Deployment\cache\6.0\37\154deae5-1c8f5ac6 multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0090473.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091473.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091504.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091608.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091611.dll a variant of Win32/Adware.Lifze.R application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0092644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0093644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0094644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0095644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0096644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0097644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0098644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0099644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0100644.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0100681.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0101681.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0102681.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103681.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103690.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103704.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103731.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103756.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103768.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103796.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0103810.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0107828.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108243.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108251.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108259.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108266.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108273.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108280.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108286.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108297.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108349.dll a variant of Win32/Adware.BlueFlareAntivirus.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108383.exe a variant of Win32/Kryptik.UMU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0108395.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP960\A0112441.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP960\A0112501.dll probably a variant of Win32/Adware.Primawega.AO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0112834.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113804.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113805.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113817.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113821.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113829.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113844.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113848.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114529.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114564.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114565.dll a variant of Win32/Lukicsel.X trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114566.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114567.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114568.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114569.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP965\A0114570.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP967\A0114974.msi a variant of Win32/SlowPCfighter application deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP967\A0114975.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KQ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Rootkit.Kryptik.EE trojan unable to clean
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
NEW ADMINISTRATOR :: STATION3 [administrator]

7/15/2012 7:59:14 PM
mbam-log-2012-07-15 (19-59-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258157
Time elapsed: 16 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
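An added triage helper for the ESET result lines posted above (example code written for this page, not part of the thread or of any tool it mentions). It parses the `<path> <detection> <action>` format the log uses, separates hits inside System Restore points and tool quarantine folders from hits on the live system, and lists the live files the scanner reported as unable to clean. The sample lines are copied from the log above; the location and family rules are heuristics of my own, not ESET's.

```python
import re
from collections import Counter

# Constructed sample input: result lines copied from the ESET log posted in
# this thread (restore-point copies, TDSSKiller quarantine, and the one hit on
# the live system). The format is <path> <detection> <action>.
SAMPLE_ESET_LOG = r"""
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091504.sys a variant of Win32/Rootkit.Kryptik.EE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP958\A0091611.dll a variant of Win32/Adware.Lifze.R application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0112834.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{CC0133CA-B7F5-40C5-92D0-C9DBEDDE4CAE}\RP964\A0113804.exe Win32/Spy.Zbot.AAO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.07.2012_17.10.34\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Rootkit.Kryptik.EE trojan unable to clean
"""

# Right-anchored so that spaces inside the path ("System Volume Information")
# do not confuse the split: the detection and action grammar is fixed, the
# path is whatever precedes it. Only the action strings seen in this log are
# recognised; anything else raises so it is not silently dropped.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of |a variant of )?[\w./+-]+ (?:trojan|application)) "
    r"(?P<action>cleaned by deleting - quarantined|deleted - quarantined|unable to clean)$"
)


def parse_eset_log(text):
    """Return one dict (path, detection, action) per non-empty result line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET result line: {line!r}")
        records.append(m.groupdict())
    return records


def location_of(path):
    """Classify where the detected file lived (my heuristic, not ESET's)."""
    parts = path.lower().split("\\")
    if "system volume information" in parts and any(p.startswith("_restore") for p in parts):
        return "restore-point"      # inert copy held inside a System Restore point
    if any("quarantine" in p for p in parts):
        return "quarantine"         # already pulled off the disk by another tool
    return "live"                   # on the running system: the actionable hits


def family_of(detection):
    """'a variant of Win32/Rootkit.Kryptik.EE trojan' -> 'Rootkit.Kryptik'."""
    name = detection.split()[-2]              # token before trojan/application
    name = name.split("/", 1)[-1]             # drop the Win32/ or Win64/ platform
    return re.sub(r"\.[A-Z]+$", "", name)     # drop the variant suffix (.EE, .AWO)


def triage(records):
    """Summarise a parsed log: counts per location and family, plus the live
    detections the scanner could not clean, which are what still needs work."""
    summary = {"by_location": Counter(), "families": Counter(), "needs_action": []}
    for r in records:
        loc = location_of(r["path"])
        summary["by_location"][loc] += 1
        summary["families"][family_of(r["detection"])] += 1
        if loc == "live" and r["action"] == "unable to clean":
            summary["needs_action"].append(r["path"])
    return summary


if __name__ == "__main__":
    s = triage(parse_eset_log(SAMPLE_ESET_LOG))
    print("detections by location:", dict(s["by_location"]))
    print("families seen:", dict(s["families"]))
    print("live files still infected:", s["needs_action"])
```

Run as a script it prints the three summaries. On the log above the split is the point: everything under System Volume Information is a copy held in a restore point, so it only becomes live again if someone restores to that point; the TDSSKiller_Quarantine entries were already taken off the disk by that tool; the one live hit is C:\WINDOWS\system32\drivers\serial.sys, which ESET flagged as a rootkit variant and could not clean, so that file is the finding the helper still has to deal with.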

#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:07 AM

Posted 15 July 2012 - 08:49 PM

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#11 Bela70

Bela70
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 15 July 2012 - 09:43 PM

OTL logfile created on: 7/15/2012 10:01:56 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.48 Mb Total Physical Memory | 442.27 Mb Available Physical Memory | 43.55% Memory free
2.39 Gb Paging File | 1.84 Gb Available in Paging File | 76.87% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 60.69 Gb Free Space | 81.44% Space Free | Partition Type: NTFS

Computer Name: STATION3 | User Name: NEW ADMINISTRATOR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/15 21:59:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\Programs\OTL.exe
PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2012/06/24 04:12:16 | 006,033,528 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgmfapx.exe
PRC - [2012/06/21 03:48:40 | 004,368,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgui.exe
PRC - [2012/06/13 03:48:26 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/06/13 03:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/03/19 05:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/03/08 11:40:32 | 000,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\44db2dc6f65744579e39a12db0457613\update\update.exe
PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 04:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/30 13:51:32 | 007,033,216 | ---- | M] (TeamViewer GmbH) -- C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\temp\TeamViewer\Version6\TeamViewer.exe
PRC - [2011/08/30 13:51:32 | 002,157,440 | ---- | M] (TeamViewer GmbH) -- c:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\temp\TeamViewer\Version6\TeamViewer_Desktop.exe
PRC - [2011/08/30 11:26:55 | 000,108,416 | ---- | M] (TeamViewer GmbH) -- C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\temp\TeamViewer\Version6\tv_w32.exe
PRC - [2009/04/23 18:49:56 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/05/08 11:34:32 | 000,069,632 | ---- | M] (adi) -- C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/15 18:18:41 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/06 00:43:18 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/07/06 00:42:42 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2001/07/31 09:17:12 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHealr.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\NEUSBw32.dll -- (NecUsb3)
SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/06/07 19:12:14 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2009/04/23 18:49:56 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/05/24 07:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/09/13 10:32:12 | 000,128,536 | ---- | M] (iAnywhere Solutions, Inc.) [Disabled | Stopped] -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -- (QuickBooksDB18)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Free Ride Games\X4HSEx.Sys -- (X4HSEx)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\NEWADM~1\LOCALS~1\Temp\mfe_rr.sys -- (MFE_RR)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/03/19 05:17:28 | 000,301,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/02/22 05:25:32 | 000,235,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 13:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 13:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2011/12/23 13:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/10/22 17:42:38 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/10/22 17:42:37 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/07/25 01:18:32 | 000,176,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/06/06 09:15:40 | 000,098,816 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=LMW2&o=16046&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=OE&apn_dtid=VIN001WTUS&apn_uid=B206550B-9806-46CD-AADD-3D0ACE133717&apn_sauid=D567EF8B-ECCB-427C-AAE3-BF62C25C83F7
IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2856415
IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\SearchScopes\{BB66611C-10C8-4926-940C-9336945F8ADE}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: ""
FF - prefs.js..browser.search.param.yahoo-fr: "w3i&type=W3i_DS,157,0_0,Search,20110939,6902,0,16,0"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://charter.net/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: toolbar@shopathome.com:5.2.0.0
FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:7.0.2.4321
FF - prefs.js..extensions.enabledItems: plugin@yontoo.com:1.20.00
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.3.8.20110620112826
FF - prefs.js..extensions.enabledItems: {b9dbe2c0-031f-4cad-911a-f4a7381d79c0}:1.0.27
FF - prefs.js..extensions.enabledItems: wecarereminder@bryan:5.0.5.0
FF - prefs.js..extensions.enabledItems: idvaultaddin@whitesky:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:5.5
FF - prefs.js..keyword.URL: "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm103YYUS&fl=0&ptb=jZ4bi8VJwAp6V3u9N.RQAA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/25 22:25:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/05 18:53:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/25 22:24:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/25 22:26:28 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1266764D-FC4F-4FA7-B63B-884D53B1680F}: C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\NetAssistant\ [2011/09/23 11:33:11 | 000,000,000 | ---D | M]

[2011/02/09 16:13:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Extensions
[2010/04/12 16:19:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2012/06/25 22:11:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions
[2012/06/25 22:11:48 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/06/25 22:09:39 | 000,000,000 | ---D | M] (ShopToWin13) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
[2011/09/23 11:33:16 | 000,000,000 | ---D | M] (Yontoo Layers) -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\plugin@yontoo.com
[2011/04/05 17:52:22 | 000,009,856 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\searchplugins\mywebsearch.xml
[2012/06/26 02:56:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/26 02:05:48 | 000,000,000 | ---D | M] (internetspooler) -- C:\Program Files\Mozilla Firefox\extensions\{9da0c3c4-1578-35cd-3795-62b71e9686ff}
[2012/03/07 20:58:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\idvaultaddin@whitesky
[2012/03/13 00:39:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/10 06:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/25 22:25:12 | 000,129,144 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll
[2012/03/13 00:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/13 00:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/15 19:32:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2567932066-358758771-3262558787-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340694546796 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341538715531 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7379C362-F35F-474F-B43E-E95B81F272B5}: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/28 14:07:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/15 21:58:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/07/15 21:52:29 | 000,000,000 | ---D | C] -- C:\Temp
[2012/07/15 20:17:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/15 19:21:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/15 19:15:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2012/07/15 17:56:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/15 17:38:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/15 17:38:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/15 17:38:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/15 17:30:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/15 17:30:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/07/15 17:14:26 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/07/08 14:50:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\Programs
[2012/07/08 14:22:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Start Menu\Programs\HiJackThis
[2012/07/08 14:22:27 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/07/05 21:09:42 | 000,475,712 | ---- | C] (McAfee, Inc.) -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\rootkitremover.exe
[2012/07/05 19:02:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\AVG2012
[2012/07/05 18:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Ocha
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Obci
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Aqolni
[2012/07/05 18:53:35 | 000,000,000 | ---D | C] -- C:\$AVG
[2012/06/29 17:58:27 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Recent
[2012/06/28 01:49:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\System files
[2012/06/28 01:28:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/06/28 01:28:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2012/06/26 03:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/06/26 03:13:41 | 000,015,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/06/26 02:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Mozilla
[2012/06/26 02:05:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2012/06/26 00:49:25 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/06/25 23:19:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Malwarebytes
[2012/06/25 23:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Fun
[2012/06/25 23:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/06/25 23:19:13 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/25 23:19:13 | 000,000,000 | ---D | C] -- C:\Program Files\Fun
[2012/06/25 23:06:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\TeamViewer
[2012/06/25 23:05:28 | 002,673,600 | ---- | C] (TeamViewer GmbH) -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\TeamViewerQS_en (1).exe
[2012/06/25 22:34:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Skype
[2012/06/25 22:33:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/06/25 22:33:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/06/25 22:33:22 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/06/25 22:25:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2012/06/25 22:25:22 | 000,198,832 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2012/06/25 22:25:05 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2012/06/25 22:25:05 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2012/06/25 22:25:03 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2012/06/25 22:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RealNetworks
[2012/06/19 21:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi
[2012/06/17 21:23:07 | 000,088,576 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\Baspxp32.dll
[2012/06/17 21:23:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
[2012/06/17 21:22:22 | 000,000,000 | ---D | C] -- C:\Program Files\Broadcom
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[30 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/15 22:11:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/15 22:03:13 | 101,553,324 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/07/15 21:55:47 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/15 21:55:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/15 20:25:03 | 002,137,422 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\SH-S202J_SB03.exe
[2012/07/15 19:56:16 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/15 19:32:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/15 19:18:32 | 000,000,343 | RHS- | M] () -- C:\boot.ini
[2012/07/15 17:18:04 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/08 16:20:13 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\defogger_reenable
[2012/07/08 14:23:31 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\HiJackThis.lnk
[2012/07/08 13:58:59 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\HiJackThis.msi
[2012/07/06 00:49:06 | 000,441,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/06 00:49:06 | 000,071,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/05 22:04:13 | 000,000,227 | ---- | M] () -- C:\Boot.bak
[2012/07/05 21:38:06 | 000,033,758 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\Application Data\dt.dat
[2012/07/05 21:08:27 | 000,475,712 | ---- | M] (McAfee, Inc.) -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\rootkitremover.exe
[2012/07/05 20:46:16 | 000,001,170 | ---- | M] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\1.csv
[2012/07/05 19:45:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/07/05 18:56:46 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/29 18:22:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\629203836
[2012/06/26 00:40:06 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/06/25 23:05:37 | 002,673,600 | ---- | M] (TeamViewer GmbH) -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\TeamViewerQS_en (1).exe
[2012/06/25 22:26:14 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2012/06/25 22:25:22 | 000,198,832 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2012/06/25 22:25:05 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2012/06/25 22:25:05 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2012/06/25 22:25:03 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[30 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/15 22:03:13 | 101,553,324 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/07/15 21:52:13 | 002,137,422 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\SH-S202J_SB03.exe
[2012/07/15 19:10:52 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/07/15 19:10:52 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/07/15 17:57:01 | 000,000,227 | ---- | C] () -- C:\Boot.bak
[2012/07/15 17:56:57 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/15 17:38:21 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/15 17:38:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/15 17:38:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/15 17:38:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/15 17:38:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/08 16:20:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\defogger_reenable
[2012/07/08 14:22:28 | 000,002,471 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\HiJackThis.lnk
[2012/07/08 14:21:40 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\HiJackThis.msi
[2012/07/06 00:52:34 | 000,124,048 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/07/05 21:38:06 | 000,033,758 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Local Settings\Application Data\dt.dat
[2012/07/05 20:46:15 | 000,001,170 | ---- | C] () -- C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\1.csv
[2012/07/05 18:56:45 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/06/29 21:30:37 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/29 20:46:17 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2012/06/25 23:19:21 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/25 22:33:24 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/06/25 22:26:14 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2012/05/13 17:43:36 | 000,105,324 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2012/03/18 20:54:31 | 000,115,686 | ---- | C] () -- C:\WINDOWS\System32\itldvupd.dat
[2012/03/18 20:54:31 | 000,000,198 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2011/09/23 12:25:17 | 000,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2008/07/07 17:22:02 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsidmv.dat
[2004/08/04 08:00:00 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@

< End of report >




OTL Extras logfile created on: 7/15/2012 10:01:56 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\NEW ADMINISTRATOR\Desktop\Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.48 Mb Total Physical Memory | 442.27 Mb Available Physical Memory | 43.55% Memory free
2.39 Gb Paging File | 1.84 Gb Available in Paging File | 76.87% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 60.69 Gb Free Space | 81.44% Space Free | Partition Type: NTFS

Computer Name: STATION3 | User Name: NEW ADMINISTRATOR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2567932066-358758771-3262558787-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{1266764D-FC4F-4FA7-B63B-884D53B1680F}" = NetAssistant
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}" = Adobe Media Player
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 30
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E0C89A4-4040-47C7-AD0C-0E8226B6AFE2}" = AVG 2012
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7BB045C3-D5E4-4620-B536-DC11AACD5942}" = Broadcom Management Programs
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F870B987-18BC-45FC-9BE8-35C02DCDA10F}" = Broadcom NetXtreme Ethernet Controller
"{F87A8E11-02A4-4875-A3A5-5961081B0E4E}" = OpenOffice.org 2.4
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG" = AVG 2012
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"ESET Online Scanner" = ESET Online Scanner v3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 15.0" = RealPlayer
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2567932066-358758771-3262558787-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NetAssistant 3.6.5" = NetAssistant for Firefox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/6/2012 12:10:26 AM | Computer Name = STATION3 | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "select * from __TimerEvent"
whose target class "__TimerEvent" does not exist. The query will be ignored.

Error - 7/6/2012 12:10:31 AM | Computer Name = STATION3 | Source = System.ServiceModel.Install 3.0.0.0 | ID = 0
Description = Failed to apply WMI namespace security Exception: System.Management.ManagementException:
Out of memory at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
errorCode) at System.Management.ManagementObject.InvokeMethod(String methodName,
ManagementBaseObject inParameters, InvokeMethodOptions options) at System.Management.ManagementObject.InvokeMethod(String
methodName, Object[] args) at System.ServiceModel.Install.WmiInstallComponent.ApplyNamespaceDacl(OutputLevel
outputLevel)

Error - 7/6/2012 12:41:25 AM | Computer Name = STATION3 | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "Select * from BaseEvent"
whose target class "BaseEvent" does not exist. The query will be ignored.

Error - 7/6/2012 12:41:25 AM | Computer Name = STATION3 | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "Select * from BaseEvent"
whose target class "BaseEvent" does not exist. The query will be ignored.

Error - 7/6/2012 12:44:43 AM | Computer Name = STATION3 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: PresentationCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
. Error code = 0x80070020

Error - 7/6/2012 12:51:49 AM | Computer Name = STATION3 | Source = System.ServiceModel.Install 3.0.0.0 | ID = 0
Description = Failed to apply WMI namespace security Exception: System.Management.ManagementException:
Invalid query at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
errorCode) at System.Management.ManagementObject.Get() at System.Management.ManagementObject.GetMethodParameters(String
methodName, ManagementBaseObject& inParameters, IWbemClassObjectFreeThreaded& inParametersClass,
IWbemClassObjectFreeThreaded& outParametersClass) at System.Management.ManagementObject.InvokeMethod(String
methodName, Object[] args) at System.ServiceModel.Install.WmiInstallComponent.ApplyNamespaceDacl(OutputLevel
outputLevel)

Error - 7/8/2012 2:17:01 PM | Computer Name = STATION3 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 7/15/2012 12:27:43 PM | Computer Name = STATION3 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 7/15/2012 5:05:34 PM | Computer Name = STATION3 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

Error - 7/15/2012 5:21:07 PM | Computer Name = STATION3 | Source = WinMgmt | ID = 28
Description = WinMgmt could not initialize the core parts. This could be due to
a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient
disk space or insufficient memory.

[ System Events ]
Error - 7/15/2012 7:32:14 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Kernel Information Provider service failed to start due
to the following error: %%3

Error - 7/15/2012 7:32:14 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7023
Description = The USB3 Service service terminated with the following error: %%126

Error - 7/15/2012 7:32:14 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7000
Description = The X4HSEx service failed to start due to the following error: %%3

Error - 7/15/2012 7:33:47 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7022
Description = The IPv6 Helper Service service hung on starting.

Error - 7/15/2012 7:33:47 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 7/15/2012 9:55:44 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Kernel Information Provider service failed to start due
to the following error: %%3

Error - 7/15/2012 9:55:44 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7023
Description = The USB3 Service service terminated with the following error: %%126

Error - 7/15/2012 9:55:44 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7000
Description = The X4HSEx service failed to start due to the following error: %%3

Error - 7/15/2012 9:57:10 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7022
Description = The IPv6 Helper Service service hung on starting.

Error - 7/15/2012 9:57:10 PM | Computer Name = STATION3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >

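The file-list sections of the OTL log above contain the three things a log reader picks out by eye: a file named `@` under a GUID-named folder in the NetworkService profile that carries a 2004/08/04 creation time although that profile is far newer, three Application Data folders (Ocha, Obci, Aqolni) created in the same second, and a mixed-case folder name (ChYCwkUVrOtPuSi) that no installer would produce. The script below is an added example, not part of this thread and not an OTL or ComboFix feature: it parses OTL `[timestamp | size | attrs | C/M] (Company) -- path` entries and applies those three heuristics. The sample log is constructed from a subset of the lines above, and the assumed OS install date (2008/05/28, taken from the oldest dated file in the log) is a placeholder; in practice supply the machine's real install date.

```python
import re
from collections import Counter
from datetime import datetime

# OTL "Files/Folders" entry, e.g.
#   [2012/07/15 19:21:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
# The "(Company)" part is absent on directory entries and empty "()" on unsigned files.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# A GUID-named folder inside a service account's Local Settings\Application Data.
SERVICE_GUID_DIR = re.compile(
    r"^C:\\Documents and Settings\\(NetworkService|LocalService)\\Local Settings"
    r"\\Application Data\\\{[0-9a-f-]{36}\}\\",
    re.IGNORECASE,
)
# A folder sitting directly under some user's roaming Application Data.
APPDATA_DIR = re.compile(r"\\Application Data\\([^\\]+)$", re.IGNORECASE)

# Assumed OS install date (placeholder, see lead-in); entries created before it are anomalies.
OS_INSTALL = datetime(2008, 5, 28)

# Constructed sample: a subset of the OTL lines posted above, plus one summary line to skip.
SAMPLE_LOG = r"""
[2012/07/15 17:56:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/15 19:21:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/05 19:02:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\AVG2012
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Ocha
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Obci
[2012/07/05 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Aqolni
[2012/06/25 23:06:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\TeamViewer
[2012/06/19 21:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2004/08/04 08:00:00 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@
""".strip().splitlines()


def parse(lines):
    """Yield one dict per OTL file/folder entry; summary lines such as the *.tmp count are skipped."""
    for line in lines:
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
        e["size"] = int(e["size"].replace(",", ""))
        e["is_dir"] = "D" in e["attrs"]
        yield e


def case_flips(name):
    """Count upper/lower transitions between consecutive letters; random names flip far more than product names."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def analyze(lines, os_install):
    """Return (path, reason) pairs for entries that trip one of the three heuristics."""
    entries = list(parse(lines))
    for e in entries:
        m = APPDATA_DIR.search(e["path"])
        e["appdata_name"] = m.group(1) if (m and e["is_dir"] and e["kind"] == "C") else None
    # How many Application Data folders were created in each exact second.
    bursts = Counter(e["ts"] for e in entries if e["appdata_name"])
    findings = []
    for e in entries:
        p = e["path"]
        if SERVICE_GUID_DIR.match(p):
            findings.append((p, "file under a GUID-named folder in a service account's profile"))
        if e["kind"] == "C" and e["ts"] < os_install and p.lower().startswith("c:\\documents and settings\\"):
            findings.append((p, "creation time predates the OS install; timestamp forged or copied"))
        if e["appdata_name"]:
            if bursts[e["ts"]] >= 2:
                findings.append((p, "one of %d Application Data folders created in the same second" % bursts[e["ts"]]))
            if case_flips(e["appdata_name"]) >= 4:
                findings.append((p, "random-looking mixed-case folder name"))
    return findings


if __name__ == "__main__":
    for path, reason in analyze(SAMPLE_LOG, OS_INSTALL):
        print("%-110s %s" % (path, reason))
```

The heuristics are deliberately narrow: a legitimate product folder such as TeamViewer (three case flips) or AVG2012 (one folder, one timestamp) is not reported, while the `@` file is reported twice, once for its location and once for its impossible creation time. Feed the whole "Files/Folders - Created Within 30 Days" section through `analyze` and review the hits by hand; the output is a shortlist for a DirLook or Suspect entry, not a verdict.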
#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 15 July 2012 - 10:06 PM

Bela70,

Open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic460020.html

Suspect[139]::
C:\WINDOWS\system32\drivers\serial.sys
C:\Documents and Settings\NetworkService\Local Settings\Application Data\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@

Files::
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\plugin@yontoo.com
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\searchplugins\mywebsearch.xml
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\extensions\plugin@yontoo.com
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\searchplugins\mywebsearch.xml

DirLook::
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Ocha
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Obci
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\Aqolni
C:\Documents and Settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi

Driver::
NecUsb3
X4HSEx
WDICA)
PDRFRAME
PDRELI
PDFRAME
PDCOMP
PCIDump
MFE_RR
LMIInfo
lbrtfdc
i2omgmt
GMSIPCI
Changer

Firefox::
FF - ProfilePath - c:\documents and settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\
FF - prefs.js: keyword.URL -
FF - user.js: yahoo.ytff.general.dontshowhpoffer -
FF - user.js: extentions.y2layers.defaultEnableAppsList -

Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update ComboFix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


In your next reply, please include:
  • Combofix log
  • How is the computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
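The CFScript above drives a ComboFix run, and the log it produces contains a SnapShot section in which "-" lines come from the earlier snapshot and "+" lines from the current one, so a file replaced between runs shows up as a pair with the same path. The Python below is an added example, not a tool from this thread or from ComboFix's authors: it parses lines in that format, pairs them by path, reports whether each replaced file's modification timestamp moved forward (an update) or backward, and flags newly created files outside c:\windows and c:\program files. The sample lines are constructed to mimic the log format; the jsproxy.dll downgrade pair and the Xqzvkrt\afzk.dat drop are invented for the demonstration, and treating only those two directory trees as trusted is a simplifying assumption.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in the ComboFix SnapShot format: "+" lines come from the
# current snapshot, "-" lines from the earlier one, each carrying
# created-date . modified-date size path.  The jsproxy.dll "downgrade" pair
# and the afzk.dat drop under Application Data are invented for this example.
SAMPLE_SNAPSHOT = r"""
+ 2012-07-16 03:30 . 2012-07-16 03:30 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
- 2008-04-14 00:12 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 00:12 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
+ 2008-05-28 20:19 . 2011-08-12 17:51 26488 c:\windows\system32\spupdsvc.exe
- 2008-05-28 20:19 . 2007-07-28 03:11 26488 c:\windows\system32\spupdsvc.exe
- 2004-08-04 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2009-01-01 00:00 27648 c:\windows\system32\jsproxy.dll
+ 2012-07-16 02:00 . 2012-07-16 02:00 415853 c:\documents and settings\user\application data\Xqzvkrt\afzk.dat
"""

Entry = namedtuple("Entry", "sign created modified size path")

# sign, created timestamp, " . ", modified timestamp, size, path
LINE_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+?)\s*$"
)

# Assumption for the example: files created outside these trees are worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_snapshot(text):
    """Return Entry objects for every SnapShot line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, dots and the "Snapshot reset" line
        sign, created, modified, size, path = m.groups()
        entries.append(Entry(sign, _ts(created), _ts(modified), int(size), path.lower()))
    return entries


def diff_snapshot(entries):
    """Pair "-" and "+" entries by path and classify each path's change."""
    old = {e.path: e for e in entries if e.sign == "-"}
    new = {e.path: e for e in entries if e.sign == "+"}
    report = {"replaced": [], "added": [], "removed": []}
    for path in sorted(old.keys() | new.keys()):
        if path in old and path in new:
            o, n = old[path], new[path]
            if n.modified > o.modified:
                change = "updated"
            elif n.modified < o.modified:
                change = "downgraded"  # newer copy carries an older build date
            else:
                change = "same-timestamp"
            report["replaced"].append({
                "path": path, "change": change,
                "old_modified": o.modified, "new_modified": n.modified,
                "size_delta": n.size - o.size,
            })
        elif path in new:
            report["added"].append(new[path])
        else:
            report["removed"].append(old[path])
    return report


def downgraded_files(report):
    """Paths whose replacement has an older modification time than the original."""
    return [r["path"] for r in report["replaced"] if r["change"] == "downgraded"]


def flag_new_files(report):
    """Newly created files outside the trusted directory trees."""
    return [e.path for e in report["added"] if not e.path.startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    result = diff_snapshot(parse_snapshot(SAMPLE_SNAPSHOT))
    for item in result["replaced"]:
        print(f'{item["change"]:15} {item["path"]}  ({item["old_modified"]} -> {item["new_modified"]})')
    for path in flag_new_files(result):
        print(f"new outside trusted trees: {path}")
    for path in downgraded_files(result):
        print(f"check signature/hash: {path}")
```

Timestamps in the log are already in the machine's local time, so the comparison is only meaningful within one log; a "downgraded" verdict is a prompt to hash the file and check its Authenticode signature, not a conviction on its own.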


#13 Bela70 (Topic Starter, Members, 39 posts)

Posted 15 July 2012 - 10:48 PM

ComboFix 12-07-14.01 - NEW ADMINISTRATOR 07/15/2012 23:21:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.514 [GMT -4:00]
Running from: c:\documents and settings\NEW ADMINISTRATOR\Desktop\Programs\ComboFix.exe
Command switches used :: c:\documents and settings\NEW ADMINISTRATOR\Desktop\Programs\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\NEWADM~1\LOCALS~1\Temp\TeamViewer\Version6\tv_w32_2012-07-15-23-18-17.dll
c:\documents and settings\NEW ADMINISTRATOR\Local Settings\Temp\TeamViewer\Version6\tv_w32_2012-07-15-23-18-17.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GMSIPCI
-------\Legacy_LMIINFO
-------\Legacy_MFE_RR
-------\Legacy_NECUSB3
-------\Legacy_X4HSEX
-------\Service_Changer
-------\Service_GMSIPCI
-------\Service_i2omgmt
-------\Service_lbrtfdc
-------\Service_LMIInfo
-------\Service_MFE_RR
-------\Service_NecUsb3
-------\Service_PCIDump
-------\Service_PDCOMP
-------\Service_PDFRAME
-------\Service_PDRELI
-------\Service_PDRFRAME
-------\Service_X4HSEx
.
.
((((((((((((((((((((((((( Files Created from 2012-06-16 to 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-16 01:52 . 2012-07-16 01:52 -------- d-----w- C:\Temp
2012-07-16 00:17 . 2012-07-16 00:17 -------- d-----w- c:\program files\ESET
2012-07-15 23:10 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-07-15 23:10 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-07-15 21:14 . 2012-07-15 21:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-08 18:22 . 2012-07-08 18:22 388096 ----a-r- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-08 18:22 . 2012-07-08 18:22 -------- d-----w- c:\program files\Trend Micro
2012-07-05 23:02 . 2012-07-05 23:02 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\AVG2012
2012-07-05 22:55 . 2012-07-06 01:30 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Obci
2012-07-05 22:55 . 2012-07-05 22:56 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Aqolni
2012-07-05 22:55 . 2012-07-05 22:55 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Ocha
2012-07-05 22:53 . 2012-07-05 22:53 -------- d-----w- C:\$AVG
2012-06-28 05:28 . 2012-07-16 02:03 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-28 05:28 . 2012-07-08 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-06-26 07:20 . 2012-07-16 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-06-26 07:13 . 2012-06-02 19:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-26 06:05 . 2012-06-26 06:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2012-06-26 04:50 . 2012-06-26 04:50 -------- d-----w- c:\documents and settings\Administrator
2012-06-26 03:19 . 2012-06-26 03:19 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Malwarebytes
2012-06-26 03:19 . 2012-06-26 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-26 03:19 . 2012-07-15 23:56 -------- d-----w- c:\program files\Fun
2012-06-26 03:19 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-26 03:06 . 2012-07-08 16:25 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\TeamViewer
2012-06-26 02:34 . 2012-07-05 23:45 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Skype
2012-06-26 02:33 . 2012-06-26 02:33 -------- d-----w- c:\program files\Common Files\Skype
2012-06-26 02:33 . 2012-06-26 02:33 -------- d-----r- c:\program files\Skype
2012-06-26 02:26 . 2012-06-26 02:26 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-06-26 02:25 . 2012-06-26 02:25 -------- d-----w- c:\program files\Common Files\xing shared
2012-06-26 02:25 . 2012-06-26 02:25 150696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-06-26 02:25 . 2012-06-26 02:25 129144 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-20 01:52 . 2012-06-20 01:52 -------- d-----w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi
2012-06-18 01:23 . 2008-06-06 13:03 88576 ----a-w- c:\windows\system32\Baspxp32.dll
2012-06-18 01:22 . 2012-06-18 01:23 -------- d-----w- c:\program files\Broadcom
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 02:24 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-26 02:24 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35 . 2008-05-28 18:05 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-04 21:35 . 2007-07-30 23:18 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2007-07-30 23:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-05-28 18:05 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-05-28 18:05 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2007-07-30 23:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-05-28 18:05 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2008-05-28 18:05 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2007-07-30 23:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-07-30 23:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-05-28 18:05 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-05-28 18:05 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2008-05-30 15:35 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2008-05-30 15:35 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-05-28 18:03 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-04-23 14:46 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-04-23 14:46 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-13 04:39 . 2012-03-19 17:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\NEW ADMINISTRATOR\Application Data\Aqolni ----
.
.
---- Directory of c:\documents and settings\NEW ADMINISTRATOR\Application Data\ChYCwkUVrOtPuSi ----
.
.
---- Directory of c:\documents and settings\NEW ADMINISTRATOR\Application Data\Obci ----
.
.
---- Directory of c:\documents and settings\NEW ADMINISTRATOR\Application Data\Ocha ----
.
2011-05-31 08:47 . 2012-07-05 22:55 415853 ----a-w- c:\documents and settings\NEW ADMINISTRATOR\Application Data\Ocha\zeaf.iwz
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-15_23.32.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-16 03:30 . 2012-07-16 03:30 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
- 2008-04-14 00:12 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 00:12 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
+ 2008-05-28 20:19 . 2011-08-12 17:51 26488 c:\windows\system32\spupdsvc.exe
- 2008-05-28 20:19 . 2007-07-28 03:11 26488 c:\windows\system32\spupdsvc.exe
+ 2004-08-04 12:00 . 2012-04-23 14:46 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-04 12:00 . 2011-11-18 12:35 60416 c:\windows\system32\packager.exe
+ 2004-08-04 12:00 . 2011-09-26 15:41 20480 c:\windows\system32\oleaccrc.dll
- 2007-08-13 22:54 . 2011-06-21 18:45 52224 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2004-08-04 12:00 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-13 22:39 . 2012-04-23 11:33 13824 c:\windows\system32\ieudinit.exe
- 2007-08-13 22:39 . 2011-06-21 11:46 13824 c:\windows\system32\ieudinit.exe
- 2004-08-04 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2012-04-23 11:33 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-04 12:00 . 2011-06-21 11:46 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 22:36 . 2012-04-23 14:46 63488 c:\windows\system32\icardie.dll
- 2007-08-13 22:36 . 2011-06-21 18:45 63488 c:\windows\system32\icardie.dll
- 2007-08-13 22:36 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-08-13 22:36 . 2012-04-23 14:46 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2004-08-04 12:00 . 2011-09-26 15:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
+ 2008-05-28 21:11 . 2012-04-23 14:46 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-05-28 21:11 . 2011-06-21 18:45 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 12:00 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2004-08-04 12:00 . 2008-04-14 00:11 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2008-05-28 21:11 . 2011-06-21 11:46 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2008-05-28 21:11 . 2012-04-23 11:33 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-04 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 44544 c:\windows\system32\dllcache\iernonce.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 78336 c:\windows\system32\dllcache\ieencode.dll
- 2007-08-13 22:39 . 2011-06-21 11:46 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-13 22:39 . 2012-04-23 11:33 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-05-28 21:11 . 2012-04-23 14:46 63488 c:\windows\system32\dllcache\icardie.dll
- 2008-05-28 21:11 . 2011-06-21 18:45 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 17408 c:\windows\system32\dllcache\corpol.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 17408 c:\windows\system32\dllcache\corpol.dll
- 2004-08-04 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
+ 2004-08-04 12:00 . 2011-10-28 05:31 33280 c:\windows\system32\csrsrv.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 44544 c:\windows\ie7updates\KB2699988-IE7\pngfilt.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 52224 c:\windows\ie7updates\KB2699988-IE7\msfeedsbs.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 27648 c:\windows\ie7updates\KB2699988-IE7\jsproxy.dll
+ 2012-07-16 02:00 . 2011-06-21 11:46 13824 c:\windows\ie7updates\KB2699988-IE7\ieudinit.exe
+ 2012-07-16 02:00 . 2011-06-21 18:45 44544 c:\windows\ie7updates\KB2699988-IE7\iernonce.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 78336 c:\windows\ie7updates\KB2699988-IE7\ieencode.dll
+ 2012-07-16 02:00 . 2011-06-21 11:46 70656 c:\windows\ie7updates\KB2699988-IE7\ie4uinit.exe
+ 2012-07-16 02:00 . 2011-06-21 18:45 63488 c:\windows\ie7updates\KB2699988-IE7\icardie.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 17408 c:\windows\ie7updates\KB2699988-IE7\corpol.dll
+ 2004-08-04 12:00 . 2012-02-29 14:10 177664 c:\windows\system32\wintrust.dll
- 2004-08-04 12:00 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
+ 2004-08-04 12:00 . 2011-11-25 21:57 293376 c:\windows\system32\winsrv.dll
- 2004-08-04 12:00 . 2011-06-20 17:44 293376 c:\windows\system32\winsrv.dll
+ 2004-08-04 12:00 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 176128 c:\windows\system32\winmm.dll
- 2004-08-04 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
+ 2004-08-04 12:00 . 2011-11-16 14:21 354816 c:\windows\system32\winhttp.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 233472 c:\windows\system32\webcheck.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 106496 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 106496 c:\windows\system32\url.dll
+ 2008-07-29 23:59 . 2011-09-26 15:41 611328 c:\windows\system32\uiautomationcore.dll
- 2004-08-04 12:00 . 2008-04-14 00:12 386048 c:\windows\system32\qdvd.dll
+ 2004-08-04 12:00 . 2011-11-03 15:28 386048 c:\windows\system32\qdvd.dll
+ 2004-08-04 12:00 . 2011-09-26 15:41 220160 c:\windows\system32\oleacc.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 102912 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 671232 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 479744 c:\windows\system32\mshtmled.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 496128 c:\windows\system32\msfeeds.dll
+ 2008-05-28 18:05 . 2011-10-10 14:22 692736 c:\windows\system32\inetcomm.dll
- 2008-05-28 18:05 . 2011-05-02 15:31 692736 c:\windows\system32\inetcomm.dll
+ 2004-08-04 12:00 . 2012-02-29 14:10 148480 c:\windows\system32\imagehlp.dll
+ 2007-08-13 22:34 . 2012-04-23 14:46 268288 c:\windows\system32\iertutil.dll
- 2007-08-13 22:34 . 2011-06-21 18:45 268288 c:\windows\system32\iertutil.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 384512 c:\windows\system32\iedkcs32.dll
- 2007-07-11 16:27 . 2011-06-21 18:45 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 16:27 . 2012-04-23 14:46 380928 c:\windows\system32\ieapfltr.dll
+ 2004-08-04 12:00 . 2012-04-22 06:39 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 230400 c:\windows\system32\ieaksie.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 153088 c:\windows\system32\ieakeng.dll
+ 2008-05-28 13:57 . 2012-07-16 02:48 126912 c:\windows\system32\FNTCACHE.DAT
- 2008-05-28 13:57 . 2011-07-13 07:21 126912 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2012-04-23 14:46 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\encdec.dll
+ 2004-08-04 12:00 . 2011-10-18 11:13 186880 c:\windows\system32\encdec.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2011-08-17 13:49 138496 c:\windows\system32\drivers\afd.sys
- 2004-08-04 12:00 . 2011-02-16 13:22 138496 c:\windows\system32\drivers\afd.sys
+ 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
- 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-11-25 21:57 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
- 2007-08-13 22:54 . 2011-06-21 18:45 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 22:54 . 2012-05-15 15:39 832512 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2011-11-16 14:21 354816 c:\windows\system32\dllcache\winhttp.dll
- 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
- 2007-08-13 22:54 . 2011-06-21 18:45 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-13 22:44 . 2012-04-23 14:46 106496 c:\windows\system32\dllcache\url.dll
- 2007-08-13 22:44 . 2011-06-21 18:45 106496 c:\windows\system32\dllcache\url.dll
+ 2008-12-05 06:54 . 2012-06-04 04:32 152576 c:\windows\system32\dllcache\schannel.dll
- 2008-05-28 18:03 . 2011-06-24 14:10 139656 c:\windows\system32\dllcache\rdpwd.sys
+ 2008-05-28 18:03 . 2012-05-02 13:46 139656 c:\windows\system32\dllcache\rdpwd.sys
- 2004-08-04 12:00 . 2008-04-14 00:12 386048 c:\windows\system32\dllcache\qdvd.dll
+ 2004-08-04 12:00 . 2011-11-03 15:28 386048 c:\windows\system32\dllcache\qdvd.dll
+ 2004-08-04 12:00 . 2011-09-26 15:41 220160 c:\windows\system32\dllcache\oleacc.dll
+ 2007-08-13 22:44 . 2012-04-23 14:46 102912 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 22:44 . 2011-06-21 18:45 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 193024 c:\windows\system32\dllcache\msrating.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 479744 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-05-28 21:11 . 2012-04-23 14:46 496128 c:\windows\system32\dllcache\msfeeds.dll
- 2008-05-28 18:05 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2008-05-28 18:05 . 2012-05-28 18:16 536576 c:\windows\system32\dllcache\msado15.dll
+ 2008-05-28 18:05 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-05-28 18:05 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
+ 2007-08-13 22:43 . 2012-04-22 06:40 634488 c:\windows\system32\dllcache\iexplore.exe
+ 2008-05-28 21:11 . 2012-04-23 14:46 268288 c:\windows\system32\dllcache\iertutil.dll
- 2008-05-28 21:11 . 2011-06-21 18:45 268288 c:\windows\system32\dllcache\iertutil.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2008-05-28 21:11 . 2011-06-21 18:45 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-05-28 21:11 . 2012-04-23 14:46 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2004-08-04 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2012-04-22 06:39 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
+ 2004-08-04 12:00 . 2011-10-18 11:13 186880 c:\windows\system32\dllcache\encdec.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2011-09-03 10:17 . 2012-05-31 13:22 599040 c:\windows\system32\dllcache\crypt32.dll
- 2011-09-03 10:17 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
- 2007-08-13 22:39 . 2011-06-21 18:45 124928 c:\windows\system32\dllcache\advpack.dll
+ 2007-08-13 22:39 . 2012-04-23 14:46 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 124928 c:\windows\system32\advpack.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 124928 c:\windows\system32\advpack.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 832512 c:\windows\ie7updates\KB2699988-IE7\wininet.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 233472 c:\windows\ie7updates\KB2699988-IE7\webcheck.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 106496 c:\windows\ie7updates\KB2699988-IE7\url.dll
+ 2012-07-16 02:00 . 2012-03-08 15:40 382840 c:\windows\ie7updates\KB2699988-IE7\spuninst\updspapi.dll
+ 2012-07-16 02:00 . 2012-03-08 15:40 231288 c:\windows\ie7updates\KB2699988-IE7\spuninst\spuninst.exe
+ 2012-07-16 02:00 . 2011-06-21 18:45 102912 c:\windows\ie7updates\KB2699988-IE7\occache.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 671232 c:\windows\ie7updates\KB2699988-IE7\mstime.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 193024 c:\windows\ie7updates\KB2699988-IE7\msrating.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 478720 c:\windows\ie7updates\KB2699988-IE7\mshtmled.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 468480 c:\windows\ie7updates\KB2699988-IE7\msfeeds.dll
+ 2012-07-16 02:00 . 2011-06-20 11:29 634648 c:\windows\ie7updates\KB2699988-IE7\iexplore.exe
+ 2012-07-16 02:00 . 2011-06-21 18:45 268288 c:\windows\ie7updates\KB2699988-IE7\iertutil.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 192512 c:\windows\ie7updates\KB2699988-IE7\iepeers.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 384512 c:\windows\ie7updates\KB2699988-IE7\iedkcs32.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 380928 c:\windows\ie7updates\KB2699988-IE7\ieapfltr.dll
+ 2012-07-16 02:00 . 2011-06-20 11:27 161792 c:\windows\ie7updates\KB2699988-IE7\ieakui.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 230400 c:\windows\ie7updates\KB2699988-IE7\ieaksie.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 153088 c:\windows\ie7updates\KB2699988-IE7\ieakeng.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 133120 c:\windows\ie7updates\KB2699988-IE7\extmgr.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 214528 c:\windows\ie7updates\KB2699988-IE7\dxtrans.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 347136 c:\windows\ie7updates\KB2699988-IE7\dxtmsft.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 124928 c:\windows\ie7updates\KB2699988-IE7\advpack.dll
+ 2012-07-15 23:13 . 2012-02-09 15:43 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\GdiPlus.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 1168896 c:\windows\system32\urlmon.dll
- 2004-08-04 12:00 . 2011-06-21 18:45 1168896 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2012-06-08 14:26 8462848 c:\windows\system32\shell32.dll
+ 2004-08-04 12:00 . 2011-11-03 15:28 1292288 c:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2011-11-01 16:07 1288704 c:\windows\system32\ole32.dll
+ 2004-08-04 12:00 . 2012-04-23 14:46 3618816 c:\windows\system32\mshtml.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 6105088 c:\windows\system32\ieframe.dll
+ 2008-10-16 20:16 . 2012-06-13 13:19 1866112 c:\windows\system32\dllcache\win32k.sys
- 2007-08-13 22:54 . 2011-06-21 18:45 1168896 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 1168896 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-17 19:02 . 2012-06-08 14:26 8462848 c:\windows\system32\dllcache\shell32.dll
+ 2004-08-04 12:00 . 2011-11-03 15:28 1292288 c:\windows\system32\dllcache\quartz.dll
+ 2010-07-16 12:05 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll
+ 2008-10-16 20:16 . 2012-05-04 13:12 2192640 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-16 20:16 . 2012-05-04 12:32 2026496 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 20:16 . 2012-05-04 12:32 2069120 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-16 20:16 . 2012-05-04 13:16 2148352 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-04-14 00:12 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2008-04-14 00:12 . 2012-06-05 15:50 1372672 c:\windows\system32\dllcache\msxml6.dll
- 2008-11-14 22:23 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-14 22:23 . 2012-06-05 15:50 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2007-08-13 22:54 . 2012-04-23 14:46 3618816 c:\windows\system32\dllcache\mshtml.dll
+ 2008-05-28 21:11 . 2012-04-23 14:46 6105088 c:\windows\system32\dllcache\ieframe.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 1168896 c:\windows\ie7updates\KB2699988-IE7\urlmon.dll
+ 2012-07-16 02:00 . 2011-07-22 16:35 3613696 c:\windows\ie7updates\KB2699988-IE7\mshtml.dll
+ 2012-07-16 02:00 . 2011-06-21 18:45 6076416 c:\windows\ie7updates\KB2699988-IE7\ieframe.dll
+ 2008-10-16 20:16 . 2012-05-04 13:12 2192640 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 20:16 . 2012-05-04 12:32 2026496 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 20:16 . 2012-05-04 12:32 2069120 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 20:16 . 2012-05-04 13:16 2148352 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-07 17425072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-22 21:42 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-06-26 02:24 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SkypeUpdate"=2 (0x2)
"QBFCService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/19/2012 5:17 AM 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/7/2012 7:12 PM 160944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
FF - ProfilePath - c:\documents and settings\NEW ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\gxszfaij.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://charter.net/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-15 23:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2012-07-15 23:39:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-16 03:39
ComboFix2.txt 2012-07-15 23:41
.
Pre-Run: 65,079,447,552 bytes free
Post-Run: 65,076,801,536 bytes free
.
- - End Of File - - B614063F7602A4BE9E11FF810D0C060C

#14 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:07 AM

Posted 16 July 2012 - 08:20 AM

Bela70,

Looking better, but I had a typo in my last script.

Please open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic460020.html

Suspect::[139]
C:\WINDOWS\system32\drivers\serial.sys
C:\Documents and Settings\NetworkService\Local Settings\Application Data\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@

Save this as CFScript.txt


[Image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When Combofix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


In your next reply, please include:
  • Combofix log
  • How is the computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.

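The script above tells ComboFix to capture two files for analysis. As an added example that is not part of this thread and not ComboFix's own mechanism, the following PowerShell records what an analyst would want to know about those same two paths before (or instead of) submitting them: existence, size, attributes, timestamps, SHA-256 and Authenticode status. It assumes Windows PowerShell 2.0 or later is installed on the XP machine, and that the two paths are exactly the ones quoted in the CFScript; the function name Get-SuspectInfo is the example's own.

```powershell
# Added example, not from the thread or from ComboFix: triage metadata for the files
# named in the Suspect:: block, gathered before they are submitted for analysis.
# Assumes Windows PowerShell 2.0+ and that these are the paths from the CFScript.
$suspects = @(
    'C:\WINDOWS\system32\drivers\serial.sys',
    'C:\Documents and Settings\NetworkService\Local Settings\Application Data\{ea2929e4-1ad0-e8ae-9bae-11af8a1d75d1}\@'
)

function Get-SuspectInfo {
    param([string]$Path)

    # -LiteralPath: the braces and '@' must not be parsed as wildcards.
    # -Force: hidden/system files are returned instead of silently skipped.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING' }
    }

    # Hash the file ourselves; if a kernel-mode filter hides or locks the file,
    # the read fails and we record that rather than a bogus hash.
    $hash = $null
    try {
        $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $hash  = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } catch {
        $hash = 'READ FAILED: ' + $_.Exception.Message
    }

    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path            = $item.FullName
        Status          = 'PRESENT'
        SizeBytes       = $item.Length
        Attributes      = $item.Attributes.ToString()
        CreatedUtc      = $item.CreationTimeUtc
        ModifiedUtc     = $item.LastWriteTimeUtc
        SHA256          = $hash
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
    }
}

$suspects | ForEach-Object { Get-SuspectInfo -Path $_ } | Format-List
```

Two caveats when reading the output. A SignatureStatus of NotSigned on serial.sys does not by itself prove tampering, because many Microsoft system drivers carry no embedded signature and are signed through catalog files instead; the useful comparison is the SHA-256 against a known-good copy of the same file version (for example from the installation media). Conversely, a file whose read fails or whose metadata differs between this script and a scan from clean boot media is exactly the kind of discrepancy the rootkit scans above are looking for.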

#15 Bela70

  • Topic Starter
  • Members
  • 39 posts
  • Local time:10:07 AM

Posted 16 July 2012 - 10:47 AM

Typos happen to the best of us, Jason! Thanks for the help.

Just so I am clear, am I creating a new text file with just that small bit, or am I replacing that small bit in the original larger text file?



