Google Redirecting


  • This topic is locked
13 replies to this topic

#1 raymondcarter

raymondcarter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 16 July 2012 - 08:48 AM

Hello Bleeping Computer Gurus, around the end of last week my Google searches started to be redirected. Ran Malwarebytes and a spyware scanner and found nothing, so I'm thinking I have a rootkit. Here are the requested logs, please tell me what you think.

Thank you in advance for your time and assistance!


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 1:22:08 on 2012-07-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.414 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\AbtSvcHost_.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Avanquest Connection Manager\NomadSvr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avanquest Connection Manager\Nomad.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\program files\real\realplayer\update\realsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ntreis.net/
uInternet Settings,ProxyOverride = <local>
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Connection Manager] "c:\program files\avanquest connection manager\Nomad.exe" /runstart /show
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_SF95.tmp" /EF "HKCU"
uRun: [Akamai NetSession Interface] "c:\documents and settings\administrator\local settings\application data\akamai\netsession_win.exe"
uRun: [Mozilla] rundll32.exe "c:\documents and settings\administrator\local settings\application data\opac bright ideas\mozilla\gglgyct.dll",CreateInstance
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TheLaptopLock] c:\program files\the laptoplock\LaptopLock.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [Connection Manager] "c:\program files\avanquest connection manager\Nomad.exe" /runstart
dRun: [Mozilla] rundll32.exe "c:\documents and settings\administrator\local settings\application data\opac bright ideas\mozilla\gglgyct.dll",CreateInstance
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274107656014
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://pfizeruc.webex.com/client/T27L10NSP11EP22-11090-Pfizer/webex/ieatgpc.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AC6C5739-8A7D-4291-9F3C-205D5E78CB34} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\cm889gj7.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111204&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\cm889gj7.default\extensions\jsobrier@zscaler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-6-29 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-3-11 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2012-3-11 31704]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2010-5-3 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-11-15 16384]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [2010-10-23 78768]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-6-29 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-6-29 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-6-29 83392]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-12 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2012-3-11 1983232]
R2 Nomad;Connection Manager;c:\program files\avanquest connection manager\NomadSvr.exe [2011-2-8 40960]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S0 tccwwqsd;tccwwqsd;c:\windows\system32\drivers\vtxngn.sys --> c:\windows\system32\drivers\vtxngn.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 136176]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe --> c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-29 113120]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-3 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-14 22:43:07 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-07-12 00:56:01 9822920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-07 05:59:30 -------- d-----w- c:\program files\VideoLAN
2012-07-07 05:34:07 -------- d-----w- c:\documents and settings\administrator\application data\Joymasher
2012-07-06 09:17:18 -------- d-----w- C:\reel clips
2012-07-03 07:14:17 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2012-07-03 07:13:43 -------- d-----w- c:\program files\common files\xing shared
2012-07-03 07:13:26 150736 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2012-07-03 07:13:03 129176 ----a-w- c:\program files\mozilla firefox\plugins\nprpplugin.dll
2012-06-30 00:48:55 -------- d-----w- c:\documents and settings\administrator\application data\Avira
2012-06-30 00:42:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-30 00:42:17 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-30 00:41:52 -------- d-----w- c:\program files\Avira
2012-06-30 00:41:52 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-06-23 05:48:54 -------- d-----w- c:\documents and settings\administrator\application data\CDisplayEx
2012-06-23 04:44:28 -------- d-----w- c:\program files\CDisplayEx
2012-06-19 14:27:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Thunderbird
2012-06-17 15:40:18 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-17 15:40:17 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
.
==================== Find3M ====================
.
2012-07-14 22:17:40 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-13 03:14:19 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-12 00:56:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 00:56:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 16:12:45 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-03 07:12:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-07-03 07:12:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 14:54:02 58288 ------w- c:\windows\system32\rpcnet.exe
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 17:42:57 49592 ----a-w- c:\windows\system32\pkgslv.exe
2012-06-04 17:42:56 46008 ----a-w- c:\windows\system32\pkgmgr.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 1:24:31.66 ===============
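The log above is the kind of output a malware-response helper reads line by line. As an added illustration (not code from this thread, from BleepingComputer, or from the DDS tool), the following Python script parses DDS-style `uRun`/`mRun`/`dRun` and `SERVICES / DRIVERS` lines and flags three patterns an analyst would want to look at first: a `rundll32.exe` autostart whose DLL lives under a user profile's Application Data tree instead of Program Files or System32, the same autostart name present in both the current-user and Default User hives, and a service or driver whose registered binary DDS could not find on disk. The sample input is a handful of lines copied from the log above plus two benign entries as controls. The script assumes that the `u`, `m` and `d` prefixes stand for the HKCU, HKLM and Default User hives and that a trailing `[?]` is DDS's file-not-found marker; its output is a list of review prompts, not a verdict on any entry.

```python
"""Triage helper for DDS log lines (added example, not the DDS tool or anything
posted in this thread).  It scans the 'Pseudo HJT Report' Run entries and the
'SERVICES / DRIVERS' entries for three patterns a malware-response helper reads
first.  Assumptions: the u/m/d prefixes on Run lines stand for the current-user,
machine and Default User hives, and a service path followed by '[?]' means DDS
could not find the file on disk."""
import re
from collections import defaultdict

# Constructed sample: Run and service lines in the DDS layout used by the log
# above, with two benign entries (ctfmon.exe, BMMGAG) kept as controls.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mozilla] rundll32.exe "c:\documents and settings\administrator\local settings\application data\opac bright ideas\mozilla\gglgyct.dll",CreateInstance
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Mozilla] rundll32.exe "c:\documents and settings\administrator\local settings\application data\opac bright ideas\mozilla\gglgyct.dll",CreateInstance
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-6-29 110032]
S0 tccwwqsd;tccwwqsd;c:\windows\system32\drivers\vtxngn.sys --> c:\windows\system32\drivers\vtxngn.sys [?]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe --> c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe [?]
"""

RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<path>.*)$')
# A DLL or EXE living under a profile's Application Data tree rather than
# under Program Files or System32.
USER_DATA_RE = re.compile(r'\\(documents and settings|users)\\[^\\]+\\.*application data\\', re.I)


def parse_run_entries(text):
    """Return the uRun/mRun/dRun entries as dicts with hive, name and cmd."""
    return [m.groupdict() for m in map(RUN_RE.match, text.splitlines()) if m]


def parse_service_entries(text):
    """Return R*/S* service and driver entries as dicts."""
    return [m.groupdict() for m in map(SVC_RE.match, text.splitlines()) if m]


def triage(text):
    """Return (kind, name, reason) tuples for entries that warrant a closer look.

    The reasons are review prompts for the analyst, not verdicts.
    """
    findings = []
    seen = set()

    def add(kind, name, reason):
        key = (kind, name.lower(), reason)
        if key not in seen:
            seen.add(key)
            findings.append((kind, name, reason))

    runs = parse_run_entries(text)
    hives_by_name = defaultdict(set)
    display_name = {}
    for e in runs:
        hives_by_name[e['name'].lower()].add(e['hive'])
        display_name.setdefault(e['name'].lower(), e['name'])
        # rundll32 itself is a legitimate host; the DLL's location is the signal.
        if 'rundll32' in e['cmd'].lower() and USER_DATA_RE.search(e['cmd']):
            add('run', e['name'], 'rundll32 loads a DLL from a per-user Application Data path')

    for key, hives in hives_by_name.items():
        # The same autostart in HKCU and the Default User hive would also run
        # for any newly created profile.
        if {'u', 'd'} <= hives:
            add('run', display_name[key],
                'present in both the current-user (uRun) and Default User (dRun) hives')

    for s in parse_service_entries(text):
        # DDS appends '[?]' when the registered binary is not on disk; a
        # boot-start (S0) driver pointing at a missing file needs an explanation.
        if s['path'].rstrip().endswith('[?]'):
            add('service', s['svc'], f"{s['start']} entry whose binary is not found on disk ([?])")

    return findings


if __name__ == '__main__':
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f'{kind:8} {name:16} {reason}')
```

Run stand-alone it prints one line per flagged entry; the two control entries and the Avira service produce nothing, which is the point of keeping them in the sample. The heuristics deliberately key on where a binary lives and whether it exists, not on file names, since names in this class of log are arbitrary.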

Attached Files




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,623 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:21 AM

Posted 21 July 2012 - 08:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/460886 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:21 AM

Posted 21 July 2012 - 10:37 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 raymondcarter

raymondcarter
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 22 July 2012 - 08:40 AM

Hello Gringo;

Thank you for your help. Please see below for the checkup log.

Google is still redirecting, though with less frequency than before. Before I received your reply I'd run Avira and Malwarebytes in safe mode and deleted some files and uninstalled some programs. The system started to work faster than before, but Google is still redirecting.

I will post the combofix results in another box below this one.

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java™ 6 Update 31
Java™ 7 Update 5
Adobe Flash Player 11.3.300.265
Adobe Reader X (10.1.3)
Mozilla Firefox 13.0.1 Firefox out of Date!
Mozilla Thunderbird 13.0.1 Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

ComboFix 12-07-21.01 - Administrator 07/22/2012 8:02.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.910 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-22 to 2012-07-22 )))))))))))))))))))))))))))))))
.
.
2012-07-22 05:37 . 2012-07-22 05:37 -------- d-----w- c:\windows\LastGood
2012-07-14 22:43 . 2012-07-14 22:43 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-07-12 00:56 . 2012-07-12 00:56 9822920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-07 06:01 . 2012-07-07 06:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2012-07-07 06:01 . 2012-07-09 02:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2012-07-07 05:59 . 2012-07-07 05:59 -------- d-----w- c:\program files\VideoLAN
2012-07-07 05:34 . 2012-07-07 05:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Joymasher
2012-07-07 05:07 . 2012-07-13 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2012-07-06 09:17 . 2012-07-08 20:44 -------- d-----w- C:\reel clips
2012-07-03 07:14 . 2012-07-03 07:14 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-07-03 07:13 . 2012-07-03 07:13 -------- d-----w- c:\program files\Common Files\xing shared
2012-07-03 07:13 . 2012-07-03 07:13 150736 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-07-03 07:13 . 2012-07-03 07:13 129176 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-30 00:48 . 2012-06-30 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2012-06-30 00:42 . 2012-04-27 15:20 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-30 00:42 . 2012-04-17 02:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-30 00:42 . 2012-04-25 05:32 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-30 00:41 . 2012-06-30 00:41 -------- d-----w- c:\program files\Avira
2012-06-30 00:41 . 2012-06-30 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-06-23 05:48 . 2012-06-23 06:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\CDisplayEx
2012-06-23 04:44 . 2012-06-23 04:45 -------- d-----w- c:\program files\CDisplayEx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-21 12:56 . 2010-03-18 16:48 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-21 05:04 . 2010-03-16 23:37 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-21 05:04 . 2010-03-16 23:37 58288 ------w- c:\windows\system32\rpcnet.exe
2012-07-21 04:47 . 2010-03-18 16:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-12 00:56 . 2012-04-11 00:17 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 00:56 . 2012-03-21 06:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 18:46 . 2010-03-15 02:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 07:12 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-07-03 07:12 . 2003-02-21 13:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-13 13:19 . 2004-08-04 03:17 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 04:56 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 17:42 . 2010-08-20 19:22 49592 ----a-w- c:\windows\system32\pkgslv.exe
2012-06-04 17:42 . 2010-08-20 19:22 46008 ----a-w- c:\windows\system32\pkgmgr.dll
2012-06-04 04:32 . 2004-08-04 04:56 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2007-06-28 22:34 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-06-28 22:34 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2006-11-15 17:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2006-11-15 17:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2006-11-15 17:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2010-03-15 23:35 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2006-11-15 17:38 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2006-11-15 17:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2006-11-15 17:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2004-08-04 04:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2007-06-28 22:34 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2006-11-15 17:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2006-11-15 17:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2010-05-17 14:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2007-07-03 22:46 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2007-02-20 21:49 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-05-31 13:22 . 2004-08-04 04:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 04:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 04:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2004-08-04 04:56 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2004-08-04 02:59 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2004-08-04 03:20 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-11-15 17:10 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-17 15:40 . 2012-02-16 05:01 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-15_21.43.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-21 04:46 . 2012-07-21 04:46 16384 c:\windows\Temp\Perflib_Perfdata_924.dat
+ 2012-07-20 05:02 . 2012-07-21 04:46 32768 c:\windows\Temp\History\History.IE5\MSHist012012072020120721\index.dat
+ 2010-08-20 19:22 . 2009-11-03 00:51 9728 c:\windows\system32\wceprv.dll
+ 2012-07-19 23:46 . 2012-07-19 23:46 863744 c:\windows\Installer\90ab5f4.msi
+ 2012-07-19 23:13 . 2012-07-19 23:13 1530368 c:\windows\Installer\8e00d10.msi
+ 2012-07-19 23:01 . 2012-07-19 23:01 9474048 c:\windows\Installer\8e00cd8.msi
+ 2012-07-19 23:41 . 2012-07-19 23:41 17379840 c:\windows\Installer\90ab5ee.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Connection Manager"="c:\program files\Avanquest Connection Manager\Nomad.exe" [2008-07-10 106496]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TheLaptopLock"="c:\program files\The LaptopLock\LaptopLock.exe" [2007-02-01 397312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-02 348624]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-07-03 296096]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Connection Manager"="c:\program files\Avanquest Connection Manager\Nomad.exe" [2008-07-10 106496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 05:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 02:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Absolute Notifier]
2010-10-08 16:01 86184 ----a-w- c:\program files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-06-27 14:53 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 22:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2010-01-16 14:54 717696 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 16:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-05-30 06:10 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-13 01:10 3905408 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2008-07-04 04:17 118784 ------w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-07-03 07:12 296096 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2006-07-25 16:19 94208 ----a-w- c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/29/2012 7:42 PM 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/11/2012 9:13 PM 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/11/2012 9:13 PM 31704]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [5/3/2010 7:26 PM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [11/15/2006 4:46 PM 16384]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [10/23/2010 7:31 PM 78768]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2012 7:42 PM 86224]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/12/2010 7:23 PM 148744]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S0 tccwwqsd;tccwwqsd;c:\windows\system32\drivers\vtxngn.sys --> c:\windows\system32\drivers\vtxngn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 12:43 PM 136176]
S2 Nomad;Connection Manager;c:\program files\Avanquest Connection Manager\NomadSvr.exe [2/8/2011 5:34 PM 40960]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe --> c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 7:17 PM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 12:43 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/29/2012 9:30 AM 113120]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 2:45 PM 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 3:57 PM 148096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kwtdqpoc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 00:56]
.
2012-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 17:42]
.
2012-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 17:42]
.
2012-07-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2085096134-731914049-1346186850-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 17:00]
.
2012-07-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2085096134-731914049-1346186850-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 17:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntreis.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cm889gj7.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111204&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-TomTomHOME - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-22 08:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Application Data\Dropbox\shellext\l\500bffae 124 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2085096134-731914049-1346186850-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,42,d1,8c,11,10,9f,4e,9a,43,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,13,57,d5,94,28,df,43,8a,37,40,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\06\04\0f\1e\18s"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-07-22 08:30:32
ComboFix-quarantined-files.txt 2012-07-22 13:30
ComboFix2.txt 2012-07-15 21:50
.
Pre-Run: 20,504,842,240 bytes free
Post-Run: 20,565,200,896 bytes free
.
- - End Of File - - 2BDA7D97CA6439B2DA60AE8556912BBA

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:21 AM

Posted 22 July 2012 - 11:25 AM

Greetings

Let's see if these find anything. In which browsers are you getting redirected? Verify all that are installed.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 raymondcarter

raymondcarter
  • Topic Starter

  • Members
  • 16 posts
  • Local time:10:21 AM

Posted 23 July 2012 - 09:03 AM

Hi Gringo,

It was redirecting in Firefox, although since running ComboFix and Security Check it has not done it. I also have Explorer but rarely use it. I have not seen any redirect from there. After running Security Check I updated Firefox after noticing that it was out of date.

Here are the logs from TDSSKiller and aswMBR.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-23 00:03:38
-----------------------------
00:03:38.074 OS Version: Windows 5.1.2600 Service Pack 3
00:03:38.074 Number of processors: 1 586 0x905
00:03:38.084 ComputerName: IBMT41LAPTOP UserName:
00:03:56.075 Initialize success
00:05:37.367 AVAST engine defs: 12072201
00:28:32.839 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:28:32.839 Disk 0 Vendor: HTS541080G9AT00 MB4IA60A Size: 76319MB BusType: 3
00:28:32.959 Disk 0 MBR read successfully
00:28:32.959 Disk 0 MBR scan
00:28:33.270 Disk 0 unknown MBR code
00:28:33.340 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
00:28:33.640 Disk 0 scanning sectors +156295440
00:28:34.101 Disk 0 scanning C:\WINDOWS\system32\drivers
00:29:05.877 Service scanning
00:30:23.388 Modules scanning
00:30:40.332 Disk 0 trace - called modules:
00:30:40.352 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
00:30:40.352 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5d5ab8]
00:30:40.683 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000089[0x8a5ee9e8]
00:30:40.683 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a592d98]
00:30:41.925 AVAST engine scan C:\WINDOWS
00:30:55.234 AVAST engine scan C:\WINDOWS\system32
00:47:43.954 AVAST engine scan C:\WINDOWS\system32\drivers
00:48:19.966 AVAST engine scan C:\Documents and Settings\Administrator
01:17:59.104 AVAST engine scan C:\Documents and Settings\All Users
02:35:19.968 Scan finished successfully
08:32:22.702 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:32:22.702 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"



20:05:00.0988 5056 TDSS rootkit removing tool 2.7.46.0 Jul 16 2012 22:10:11
20:05:02.0370 5056 ============================================================
20:05:02.0370 5056 Current date / time: 2012/07/22 20:05:02.0370
20:05:02.0370 5056 SystemInfo:
20:05:02.0370 5056
20:05:02.0370 5056 OS Version: 5.1.2600 ServicePack: 3.0
20:05:02.0370 5056 Product type: Workstation
20:05:02.0370 5056 ComputerName: IBMT41LAPTOP
20:05:02.0370 5056 UserName: Administrator
20:05:02.0370 5056 Windows directory: C:\WINDOWS
20:05:02.0370 5056 System windows directory: C:\WINDOWS
20:05:02.0370 5056 Processor architecture: Intel x86
20:05:02.0370 5056 Number of processors: 1
20:05:02.0370 5056 Page size: 0x1000
20:05:02.0370 5056 Boot type: Normal boot
20:05:02.0370 5056 ============================================================
20:05:07.0848 5056 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2861, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
20:05:07.0858 5056 ============================================================
20:05:07.0858 5056 \Device\Harddisk0\DR0:
20:05:07.0858 5056 MBR partitions:
20:05:07.0858 5056 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E0D1
20:05:07.0858 5056 ============================================================
20:05:07.0998 5056 C: <-> \Device\Harddisk0\DR0\Partition0
20:05:08.0008 5056 ============================================================
20:05:08.0008 5056 Initialize success
20:05:08.0008 5056 ============================================================
20:05:16.0240 5288 ============================================================
20:05:16.0240 5288 Scan started
20:05:16.0240 5288 Mode: Manual;
20:05:16.0240 5288 ============================================================
20:05:16.0671 5288 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
20:05:16.0711 5288 !SASCORE - ok
20:05:17.0131 5288 Abiosdsk - ok
20:05:17.0151 5288 abp480n5 - ok
20:05:17.0232 5288 AbtSvcHost (ad142284a4505f8c5054854d430b0ccd) C:\WINDOWS\system32\AbtSvcHost_.exe
20:05:17.0262 5288 AbtSvcHost - ok
20:05:17.0422 5288 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:05:17.0572 5288 ACPI - ok
20:05:17.0602 5288 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
20:05:17.0632 5288 ACPIEC - ok
20:05:17.0682 5288 ACS (4db2f17ad06c170eab5f6f36973f5e9c) C:\WINDOWS\system32\acs.exe
20:05:17.0722 5288 ACS - ok
20:05:17.0903 5288 AdobeFlashPlayerUpdateSvc (5e1a953c6472e7bb644892a4d0df5e72) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:05:17.0903 5288 AdobeFlashPlayerUpdateSvc - ok
20:05:17.0923 5288 adpu160m - ok
20:05:18.0023 5288 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
20:05:18.0113 5288 aeaudio - ok
20:05:18.0193 5288 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:05:18.0313 5288 aec - ok
20:05:18.0373 5288 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
20:05:18.0403 5288 AegisP - ok
20:05:18.0634 5288 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:05:18.0684 5288 AFD - ok
20:05:19.0244 5288 AgereSoftModem (aff071b6290776e1fa162837c35eac78) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
20:05:19.0715 5288 AgereSoftModem - ok
20:05:19.0775 5288 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:05:19.0795 5288 agp440 - ok
20:05:19.0805 5288 Aha154x - ok
20:05:19.0825 5288 aic78u2 - ok
20:05:19.0835 5288 aic78xx - ok
20:05:19.0895 5288 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
20:05:19.0915 5288 Alerter - ok
20:05:19.0966 5288 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
20:05:20.0006 5288 ALG - ok
20:05:20.0026 5288 AliIde - ok
20:05:20.0036 5288 amsint - ok
20:05:20.0346 5288 AntiVirSchedulerService (0a1cc583e8147004e4ad4625d7fbf88c) C:\Program Files\Avira\AntiVir Desktop\sched.exe
20:05:20.0376 5288 AntiVirSchedulerService - ok
20:05:20.0466 5288 AntiVirService (c9a36ef935aced86aedf93e97e606911) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
20:05:20.0506 5288 AntiVirService - ok
20:05:20.0616 5288 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
20:05:20.0717 5288 AppMgmt - ok
20:05:20.0937 5288 AR5211 (655d16ae3156986eba366a50dc2696d3) C:\WINDOWS\system32\DRIVERS\ar5211.sys
20:05:21.0217 5288 AR5211 - ok
20:05:21.0227 5288 asc - ok
20:05:21.0237 5288 asc3350p - ok
20:05:21.0257 5288 asc3550 - ok
20:05:21.0468 5288 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
20:05:21.0588 5288 aspnet_state - ok
20:05:21.0648 5288 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:05:21.0688 5288 AsyncMac - ok
20:05:54.0886 5288 rpcld (b1574dcb4ae3efacc24aa87b4ae6fc55) C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
20:05:54.0886 5288 Suspicious file (NoAccess): C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe. md5: b1574dcb4ae3efacc24aa87b4ae6fc55
20:05:54.0896 5288 rpcld ( LockedFile.Multi.Generic ) - warning
20:05:54.0896 5288 rpcld - detected LockedFile.Multi.Generic (1)
20:06:10.0829 5288 wuauserv - ok
20:06:10.0909 5288 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:06:10.0959 5288 WudfPf - ok
20:06:11.0029 5288 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:06:11.0089 5288 WudfRd - ok
20:06:11.0149 5288 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
20:06:11.0189 5288 WudfSvc - ok
20:06:11.0430 5288 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
20:06:11.0600 5288 WZCSVC - ok
20:06:11.0700 5288 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
20:06:11.0780 5288 xmlprov - ok
20:06:11.0860 5288 MBR (0x1B8) (37bd9064f4f83a9f92eee7828f163f90) \Device\Harddisk0\DR0
20:06:11.0960 5288 \Device\Harddisk0\DR0 - ok
20:06:11.0970 5288 Boot (0x1200) (e0af248da1c5ab55c5c6d5f53c00606e) \Device\Harddisk0\DR0\Partition0
20:06:11.0970 5288 \Device\Harddisk0\DR0\Partition0 - ok
20:06:11.0970 5288 ============================================================
20:06:11.0970 5288 Scan finished
20:06:11.0970 5288 ============================================================
20:06:11.0990 6068 Detected object count: 1
20:06:11.0990 6068 Actual detected object count: 1
20:06:48.0933 6068 rpcld ( LockedFile.Multi.Generic ) - skipped by user
20:06:48.0933 6068 rpcld ( LockedFile.Multi.Generic ) - User select action: Skip

#7 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 July 2012 - 12:41 PM

Greetings raymondcarter

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 raymondcarter

  • Topic Starter

  • Members
  • 16 posts

Posted 23 July 2012 - 08:14 PM

Hi Gringo;

The biggest change I've noticed since running these programs is that the computer is hanging less. I also haven't been redirected in several days now.

Below is the log; let me know if you think I am clear.



ComboFix 12-07-24.01 - Administrator 07/23/2012 19:41:51.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.962 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
.
.
2012-07-23 14:05 . 2012-07-23 14:05 -------- d-----w- c:\windows\LastGood
2012-07-23 00:57 . 2012-07-23 00:57 -------- d-----w- c:\program files\Common Files\Java
2012-07-23 00:56 . 2012-07-23 00:56 -------- d-----w- c:\program files\Oracle
2012-07-23 00:55 . 2012-07-23 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Oracle
2012-07-23 00:55 . 2012-07-06 03:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-14 22:43 . 2012-07-14 22:43 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-07-12 00:56 . 2012-07-12 00:56 9822920 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-07 06:01 . 2012-07-07 06:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2012-07-07 06:01 . 2012-07-09 02:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2012-07-07 05:59 . 2012-07-07 05:59 -------- d-----w- c:\program files\VideoLAN
2012-07-07 05:34 . 2012-07-07 05:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Joymasher
2012-07-07 05:07 . 2012-07-13 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2012-07-06 09:17 . 2012-07-08 20:44 -------- d-----w- C:\reel clips
2012-07-03 07:14 . 2012-07-03 07:14 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-07-03 07:13 . 2012-07-03 07:13 -------- d-----w- c:\program files\Common Files\xing shared
2012-07-03 07:13 . 2012-07-03 07:13 150736 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-07-03 07:13 . 2012-07-03 07:13 129176 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-30 00:48 . 2012-06-30 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2012-06-30 00:42 . 2012-04-27 15:20 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-30 00:42 . 2012-04-17 02:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-30 00:42 . 2012-04-25 05:32 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-30 00:41 . 2012-06-30 00:41 -------- d-----w- c:\program files\Avira
2012-06-30 00:41 . 2012-06-30 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 00:07 . 2010-03-18 16:48 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-23 04:33 . 2010-03-16 23:37 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-21 05:04 . 2010-03-16 23:37 58288 ------w- c:\windows\system32\rpcnet.exe
2012-07-21 04:47 . 2010-03-18 16:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-12 00:56 . 2012-04-11 00:17 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 00:56 . 2012-03-21 06:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 03:07 . 2012-03-20 15:45 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 03:06 . 2010-05-15 02:01 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 18:46 . 2010-03-15 02:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 07:12 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-07-03 07:12 . 2003-02-21 13:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-13 13:19 . 2004-08-04 03:17 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 04:56 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 17:42 . 2010-08-20 19:22 49592 ----a-w- c:\windows\system32\pkgslv.exe
2012-06-04 17:42 . 2010-08-20 19:22 46008 ----a-w- c:\windows\system32\pkgmgr.dll
2012-06-04 04:32 . 2004-08-04 04:56 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2007-06-28 22:34 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-06-28 22:34 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2006-11-15 17:12 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2006-11-15 17:12 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2006-11-15 17:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2010-03-15 23:35 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2006-11-15 17:38 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2006-11-15 17:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2006-11-15 17:12 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2004-08-04 04:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2007-06-28 22:34 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2006-11-15 17:12 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2006-11-15 17:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2010-05-17 14:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2007-07-03 22:46 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2007-02-20 21:49 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-05-31 13:22 . 2004-08-04 04:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 04:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 04:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:42 . 2004-08-04 04:56 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2004-08-04 02:59 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2004-08-04 03:20 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-11-15 17:10 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-22 13:48 . 2012-02-16 05:01 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-15_21.43.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-23 04:33 . 2012-07-23 04:33 16384 c:\windows\Temp\Perflib_Perfdata_560.dat
+ 2010-08-20 19:22 . 2009-11-03 00:51 9728 c:\windows\system32\wceprv.dll
+ 2012-07-23 00:55 . 2012-07-06 03:06 227760 c:\windows\system32\javaws.exe
+ 2012-07-23 00:55 . 2012-07-23 00:54 174064 c:\windows\system32\javaw.exe
+ 2012-07-23 00:55 . 2012-07-23 00:54 174064 c:\windows\system32\java.exe
+ 2012-07-23 00:57 . 2012-07-23 00:57 176128 c:\windows\Installer\9795b2d.msi
+ 2012-07-23 00:56 . 2012-07-23 00:56 457216 c:\windows\Installer\9795b1f.msi
+ 2012-07-23 00:54 . 2012-07-23 00:54 863744 c:\windows\Installer\9795b1b.msi
+ 2012-07-19 23:13 . 2012-07-19 23:13 1530368 c:\windows\Installer\8e00d10.msi
+ 2012-07-19 23:01 . 2012-07-19 23:01 9474048 c:\windows\Installer\8e00cd8.msi
+ 2012-07-19 23:41 . 2012-07-19 23:41 17379840 c:\windows\Installer\90ab5ee.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Connection Manager"="c:\program files\Avanquest Connection Manager\Nomad.exe" [2008-07-10 106496]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TheLaptopLock"="c:\program files\The LaptopLock\LaptopLock.exe" [2007-02-01 397312]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-02 348624]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-07-03 296096]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Connection Manager"="c:\program files\Avanquest Connection Manager\Nomad.exe" [2008-07-10 106496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 05:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 02:16 24576 ----a-w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Absolute Notifier]
2010-10-08 16:01 86184 ----a-w- c:\program files\Absolute Software\Absolute Notifier\AbsoluteNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-06-27 14:53 88363 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 22:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2010-01-16 14:54 717696 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 16:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-05-30 06:10 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-07-13 01:10 3905408 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2008-07-04 04:17 118784 ------w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-07-03 07:12 296096 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2006-07-25 16:19 94208 ----a-w- c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/29/2012 7:42 PM 36000]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/11/2012 9:13 PM 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/11/2012 9:13 PM 31704]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [5/3/2010 7:26 PM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [11/15/2006 4:46 PM 16384]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [10/23/2010 7:31 PM 78768]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2012 7:42 PM 86224]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/12/2010 7:23 PM 148744]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S0 tccwwqsd;tccwwqsd;c:\windows\system32\drivers\vtxngn.sys --> c:\windows\system32\drivers\vtxngn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 12:43 PM 136176]
S2 Nomad;Connection Manager;c:\program files\Avanquest Connection Manager\NomadSvr.exe [2/8/2011 5:34 PM 40960]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe --> c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 7:17 PM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 12:43 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/29/2012 9:30 AM 113120]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 2:45 PM 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 3:57 PM 148096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 00:56]
.
2012-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 17:42]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 17:42]
.
2012-07-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2085096134-731914049-1346186850-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 17:00]
.
2012-07-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2085096134-731914049-1346186850-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 17:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntreis.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cm889gj7.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111204&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-23 19:56
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2085096134-731914049-1346186850-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,42,d1,8c,11,10,9f,4e,9a,43,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,13,57,d5,94,28,df,43,8a,37,40,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\06\04\0f\1e\18s"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\notifyf2.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(1344)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-07-23 20:02:04
ComboFix-quarantined-files.txt 2012-07-24 01:02
ComboFix2.txt 2012-07-22 13:30
ComboFix3.txt 2012-07-15 21:50
.
Pre-Run: 20,920,389,632 bytes free
Post-Run: 21,059,031,040 bytes free
.
- - End Of File - - 8689E073B7F8D89E9C5ED033E911C1E4
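
The service section of that log, as a triage helper: an added Python example (not code from this thread, from BleepingComputer or from ComboFix) that parses the R/S lines and flags the two entries a responder would check first, the boot-start driver with no binary on disk (tccwwqsd) and the service registered from the All Users profile directory (rpcld). The sample lines are copied from the log above; the list of path prefixes it treats as user-writable is an assumption.

```python
"""Triage of the service/driver lines in a ComboFix log.

Added example; it is not code from this thread, from BleepingComputer or
from ComboFix. It only reads lines of the two shapes ComboFix prints:

    R1 name;Display Name;c:\\path\\file.sys [date time size]
    S0 name;name;c:\\path\\file.sys --> c:\\path\\file.sys [?]

R/S = running/stopped, the digit is the start type (0 boot ... 4 disabled)
and "[?]" means ComboFix could not find the binary on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Assumption: paths under these markers are writable by an ordinary user on
# Windows XP, so a service binary there deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\windows\\temp\\", "\\temp\\")

# Sample input: service lines copied from the ComboFix log above, plus two
# non-service lines to show that they are ignored.
SAMPLE_LOG = r"""
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/11/2012 9:13 PM 494968]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2012 7:42 PM 86224]
S0 tccwwqsd;tccwwqsd;c:\windows\system32\drivers\vtxngn.sys --> c:\windows\system32\drivers\vtxngn.sys [?]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe --> c:\documents and settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/28/2010 12:43 PM 136176]
.
--- Other Services/Drivers In Memory ---
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    state: str      # "R" running, "S" stopped
    start: int      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    path: str       # lower-cased binary path
    missing: bool   # True when ComboFix printed "[?]"


@dataclass
class Finding:
    entry: ServiceEntry
    reasons: List[str]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R/S line; return None for any other line of the log."""
    m = SERVICE_LINE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # When the file is missing ComboFix repeats the path after " --> ";
    # otherwise the path is followed by " [date time size]".
    if " --> " in rest:
        path = rest.split(" --> ", 1)[0]
    else:
        path = rest.rsplit(" [", 1)[0]
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        state=m.group("state"),
        start=int(m.group("start")),
        path=path.lower(),
        missing=missing,
    )


def triage(log_text: str) -> List[Finding]:
    """Return the entries a responder should look at first, with reasons."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.missing:
            reasons.append("registered binary not found on disk")
            if entry.start <= 1:
                reasons.append("boot/system start type: would load before user-mode defenses")
        if any(marker in entry.path for marker in USER_WRITABLE):
            reasons.append("binary lives in a user-writable profile or temp directory")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.state}{f.entry.start} {f.entry.name}: {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

A registration that points at a file no longer on disk is typically the leftover of a removal (here the earlier TDSSKiller/aswMBR passes), which is why the responder's next step is cleanup of the entry rather than a new scan.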

#9 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 July 2012 - 09:42 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

BitTorrent
Java™ 6 Update 31
Vuze


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes then on Next.
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 raymondcarter

raymondcarter
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 26 July 2012 - 01:22 AM

Hi Gringo;

The system seems to be running faster each time. Uninstalling Java 6 killed the Java update process that had seemed to be causing some problems also. The biggest items I noticed were the computer taking longer to process and hanging on occasion, and these times have been cut down drastically.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.26.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: IBMT41LAPTOP [administrator]

7/26/2012 12:34:09 AM
mbam-log-2012-07-26 (00-34-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207517
Time elapsed: 23 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:06:16 AM, on 7/26/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\AbtSvcHost_.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avanquest Connection Manager\Nomad.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avanquest Connection Manager\NomadSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntreis.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TheLaptopLock] C:\Program Files\The LaptopLock\LaptopLock.exe /startup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKCU\..\Run: [Connection Manager] "C:\Program Files\Avanquest Connection Manager\Nomad.exe" /runstart /show
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-2085096134-731914049-1346186850-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'admin acct')
O4 - HKUS\S-1-5-18\..\Run: [Connection Manager] "C:\Program Files\Avanquest Connection Manager\Nomad.exe" /runstart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Connection Manager] "C:\Program Files\Avanquest Connection Manager\Nomad.exe" /runstart (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274107656014
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pfizeruc.webex.com/client/T27L10NSP11EP22-11090-Pfizer/webex/ieatgpc.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Connection Manager (Nomad) - Unknown owner - C:\Program Files\Avanquest Connection Manager\NomadSvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 11108 bytes

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:21 AM

Posted 26 July 2012 - 01:32 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can click their icons (or start them from the Control Panel) to start any of these programs when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
      O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
      O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
      O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
      O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
      O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
      O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
      O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not.
    Just copy the name between the brackets (for example, IntelliPoint from the line below) and paste it into the search space.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo
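Not part of the thread: an added Python example (chosen as a portable stand-in for the GUI steps above) that parses O4 (Run key) and O23 (service) lines in the HijackThis format posted earlier and attaches the checks a reviewer applies before deciding what to "Fix Checked": a Run value without an absolute path is resolved through the search path, an unquoted path with spaces is ambiguous, a rundll32 entry is really starting the DLL it names, an entry under HKUS\S-1-5-18 starts in the SYSTEM account, and a service marked "(file missing)" or "Unknown owner" is an orphaned or vendor-less entry. The sample lines are copied from the log in this thread; the flags and their wording are this example's own heuristics, not HijackThis' "Analyze This" logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of O4 (Run key) and O23 (service) lines in the
# format of the HijackThis log posted in this thread. The review rules below are
# this example's own heuristics, not HijackThis' "Analyze This" logic.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [Connection Manager] "C:\Program Files\Avanquest Connection Manager\Nomad.exe" /runstart (User 'SYSTEM')
O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe (file missing)
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)
ABS_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM_HIVE = "HKUS\\S-1-5-18"   # HijackThis shows the SYSTEM account's hive this way


def _split_command(cmd: str) -> Tuple[str, List[str]]:
    """Heuristically pick the file a Run value actually starts, plus review flags."""
    flags: List[str] = []
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first, _, rest = cmd.partition(" ")
        if first.lower() in ("rundll32", "rundll32.exe"):
            # rundll32 only hosts a DLL export; the DLL is the thing to review
            target = rest.split(",", 1)[0].strip()
            flags.append("loaded via rundll32")
        else:
            m = EXE_RE.match(cmd)
            target = m.group("exe") if m else first
            if " " in target:
                flags.append("unquoted path with spaces")
    if not ABS_RE.match(target):
        flags.append("no absolute path (resolved through the search path)")
    return target, flags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse O4 and O23 lines into dicts with a 'flags' list for review."""
    entries: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            cmd, user = m.group("cmd"), None
            u = USER_RE.search(cmd)
            if u:
                user, cmd = u.group("user"), cmd[: u.start()]
            target, flags = _split_command(cmd)
            if m.group("hive").startswith(SYSTEM_HIVE):
                flags.append("starts in the SYSTEM account's hive")
            entries.append({"type": "O4", "name": m.group("name"), "hive": m.group("hive"),
                            "user": user, "target": target, "flags": flags})
            continue
        m = O23_RE.match(line)
        if m:
            flags = []
            path = m.group("path")
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].rstrip()
                flags.append("file missing (orphaned service entry)")
            if m.group("owner") == "Unknown owner":
                flags.append("no vendor information in the file")
            entries.append({"type": "O23", "name": m.group("svc"), "owner": m.group("owner"),
                            "target": path, "flags": flags})
    return entries


def find(log_text: str, name: str) -> Dict[str, object]:
    """Look up one parsed entry by Run-value name or service display name."""
    for entry in triage(log_text):
        if entry["name"] == name:
            return entry
    raise KeyError(name)


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f'{entry["type"]:<4} {entry["name"]:<45} {entry["target"]}')
        for flag in entry["flags"]:
            print("      ->", flag)
```

A flag is a prompt to look closer, not a verdict: the Avira and ATI entries above are legitimate, and a line with no flags can still be unwanted. Paste the full log into SAMPLE_LOG (or read it from a file) to run it over a complete report.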

#12 raymondcarter

raymondcarter
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:21 AM

Posted 27 July 2012 - 12:35 PM

Hi Gringo;

Here are the items identified by ESET scanner:

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\OPaC bright ideas\Mozilla\gglgyct.dll.vir a variant of Win32/Kryptik.AIZQ trojan
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP569\A0128193.exe a variant of Win32/CompuTrace.B application
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP569\A0129237.dll a variant of Win32/Kryptik.AIZQ trojan
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP573\A0133086.exe a variant of Win32/CompuTrace.B application
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP573\A0133140.exe a variant of Win32/CompuTrace.B application
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP582\A0135166.exe a variant of Win32/HackTool.Patcher.A application

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:21 AM

Posted 27 July 2012 - 04:04 PM

Hello

The Online scan looks very good!! It is only reporting backups created during the course of this fix!!


C:\Qoobox\Quarantine\<-- combofix
C:\System Volume Information\<-- System restore


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.
:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used are a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download. It works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
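Not part of the thread: an added Python example covering the ESET result list posted two replies up and the explanation just given for it. It parses lines in the ESET text-export format (path, then detection name) and sorts each detection by where it sits: under C:\Qoobox\Quarantine (a ComboFix backup), under a System Restore point (_restore{...}\RPnnn, inert until that restore point is applied and cleared when restore points are flushed, as the cleanup step above does), or anywhere else, which is the only case that still needs attention. The three real paths are copied from the post; the fourth line (CONSTRUCTED_sample.exe) is a made-up stand-in for a live detection so the third branch is exercised.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the format of the ESET Online Scanner text export
# posted above: the three real locations from this thread plus one made-up
# line (CONSTRUCTED_sample.exe) standing in for a detection outside any backup store.
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\OPaC bright ideas\Mozilla\gglgyct.dll.vir a variant of Win32/Kryptik.AIZQ trojan
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP569\A0128193.exe a variant of Win32/CompuTrace.B application
C:\System Volume Information\_restore{DC5CCAAC-57B7-411A-A364-7E840D45047B}\RP582\A0135166.exe a variant of Win32/HackTool.Patcher.A application
C:\Documents and Settings\Administrator\Local Settings\Temp\CONSTRUCTED_sample.exe a variant of Win32/Kryptik.AIZQ trojan
"""

# Path first, then ESET's free-text detection name. The path is matched up to the
# first extension that is followed by whitespace, so ".dll.vir" quarantine names work.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:vir|exe|dll|sys|scr|tmp|com))\s+(?P<threat>.+)$",
    re.IGNORECASE,
)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"   # where ComboFix parks what it removed


def classify(path: str) -> Dict[str, str]:
    """Say whether a detection sits in a backup store or in a live location."""
    if path.lower().startswith(COMBOFIX_QUARANTINE):
        return {"location": "combofix-quarantine",
                "note": "inert copy held by ComboFix; goes away with ComboFix /Uninstall"}
    m = RESTORE_RE.search(path)
    if m:
        return {"location": "system-restore", "restore_point": m.group("rp"),
                "note": "inert unless that restore point is applied; cleared when restore points are flushed"}
    return {"location": "live",
            "note": "outside any quarantine or backup store; treat as an active finding"}


def triage_report(text: str) -> List[Dict[str, str]]:
    """Parse an ESET text export into one dict per detection, with its classification."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = {"path": m.group("path"), "threat": m.group("threat")}
        entry.update(classify(entry["path"]))
        findings.append(entry)
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count detections per location class."""
    return dict(Counter(item["location"] for item in triage_report(text)))


def live_findings(text: str) -> List[Dict[str, str]]:
    """Only the detections that still need attention."""
    return [item for item in triage_report(text) if item["location"] == "live"]


if __name__ == "__main__":
    for item in triage_report(SAMPLE_REPORT):
        where = item["location"]
        if "restore_point" in item:
            where += f" ({item['restore_point']})"
        print(f"{where:<28} {item['threat']}")
        print(f"    {item['path']}")
        print(f"    {item['note']}")
    print("summary:", summarize(SAMPLE_REPORT))
```

Run on the posted list alone, summarize() reports only the two backup classes and live_findings() is empty, which is the "nothing left to clean" reading given above; anything in the live bucket is what a helper would ask about next.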

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:21 AM

Posted 29 July 2012 - 11:21 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



