
Generic_C.mmi redirecting me and shutting down antivirus


  • This topic is locked
15 replies to this topic

#1 drpepperdrinker

  • Members
  • 8 posts

Posted 23 July 2012 - 02:11 PM

AVG keeps popping up a threat with the system.exe file, which is whitelisted. The description says it is a trojan dropper called generic_c.mmi. I've been searching your threads and it seems to be pretty popular, so here are my log files from TDSSKiller and aswMBR and the threat list from the ESET online scanner. Thanks in advance for any help.
Windows 7 x64


00:24:21.0749 6640 TDSS rootkit removing tool 2.7.46.0 Jul 16 2012 22:10:11
00:24:22.0075 6640 ============================================================
00:24:22.0075 6640 Current date / time: 2012/07/23 00:24:22.0075
00:24:22.0075 6640 SystemInfo:
00:24:22.0075 6640
00:24:22.0075 6640 OS Version: 6.1.7600 ServicePack: 0.0
00:24:22.0075 6640 Product type: Workstation
00:24:22.0076 6640 ComputerName: PHILPHILSON-PC
00:24:22.0076 6640 UserName: Phil Philson
00:24:22.0076 6640 Windows directory: C:\Windows
00:24:22.0076 6640 System windows directory: C:\Windows
00:24:22.0076 6640 Running under WOW64
00:24:22.0076 6640 Processor architecture: Intel x64
00:24:22.0076 6640 Number of processors: 2
00:24:22.0076 6640 Page size: 0x1000
00:24:22.0076 6640 Boot type: Normal boot
00:24:22.0076 6640 ============================================================
00:24:23.0235 6640 Drive \Device\Harddisk1\DR1 - Size: 0x25432CDE00 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x50C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
00:24:28.0040 6640 Drive \Device\Harddisk0\DR0 - Size: 0x4A85C4DE00 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
00:24:28.0045 6640 ============================================================
00:24:28.0045 6640 \Device\Harddisk1\DR1:
00:24:28.0045 6640 MBR partitions:
00:24:28.0045 6640 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
00:24:28.0045 6640 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x129E6000
00:24:28.0045 6640 \Device\Harddisk0\DR0:
00:24:28.0045 6640 MBR partitions:
00:24:28.0046 6640 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
00:24:28.0046 6640 ============================================================
00:24:28.0113 6640 C: <-> \Device\Harddisk1\DR1\Partition1
00:24:28.0137 6640 F: <-> \Device\Harddisk0\DR0\Partition0
00:24:28.0137 6640 ============================================================
00:24:28.0137 6640 Initialize success
00:24:28.0137 6640 ============================================================
00:24:51.0988 6472 ============================================================
00:24:51.0988 6472 Scan started
00:24:51.0988 6472 Mode: Manual; TDLFS;
00:24:51.0988 6472 ============================================================
00:24:54.0192 6472 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
00:24:54.0206 6472 1394ohci - ok
00:24:54.0239 6472 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
00:24:54.0253 6472 ACPI - ok
00:24:54.0277 6472 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
00:24:54.0279 6472 AcpiPmi - ok
00:24:54.0342 6472 adfs (2f0683fd2df1d92e891caca14b45a8c1) C:\Windows\system32\drivers\adfs.sys
00:24:54.0343 6472 adfs - ok
00:24:54.0389 6472 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
00:24:54.0406 6472 adp94xx - ok
00:24:54.0462 6472 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
00:24:54.0475 6472 adpahci - ok
00:24:54.0495 6472 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
00:24:54.0501 6472 adpu320 - ok
00:24:54.0538 6472 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
00:24:54.0539 6472 AeLookupSvc - ok
00:24:54.0606 6472 AFD (db9d6c6b2cd95a9ca414d045b627422e) C:\Windows\system32\drivers\afd.sys
00:24:54.0625 6472 AFD - ok
00:24:54.0735 6472 AfterFLICS v3 (d9ea0bc7b02654e437d11ad8ef54b089) C:\Program Files (x86)\AFLICS\AfterFLICS.exe
00:24:54.0737 6472 AfterFLICS v3 - ok
00:24:54.0786 6472 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
00:24:54.0794 6472 agp440 - ok
00:24:54.0809 6472 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
00:24:54.0817 6472 ALG - ok
00:24:54.0830 6472 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
00:24:54.0831 6472 aliide - ok
00:24:54.0876 6472 AMD External Events Utility (a359974eaac83a435497c52f62a2e590) C:\Windows\system32\atiesrxx.exe
00:24:54.0877 6472 AMD External Events Utility - ok
00:24:54.0880 6472 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
00:24:54.0897 6472 amdide - ok
00:24:54.0930 6472 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
00:24:54.0938 6472 AmdK8 - ok
00:24:55.0320 6472 amdkmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
00:24:55.0519 6472 amdkmdag - ok
00:24:55.0628 6472 amdkmdap (6b4e9261b613b047a9a145f328889968) C:\Windows\system32\DRIVERS\atikmpag.sys
00:24:55.0630 6472 amdkmdap - ok
00:24:55.0687 6472 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
00:24:55.0694 6472 AmdPPM - ok
00:24:55.0747 6472 amdsata (ec7ebab00a4d8448bab68d1e49b4beb9) C:\Windows\system32\drivers\amdsata.sys
00:24:55.0763 6472 amdsata - ok
00:24:55.0790 6472 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
00:24:55.0797 6472 amdsbs - ok
00:24:55.0811 6472 amdxata (db27766102c7bf7e95140a2aa81d042e) C:\Windows\system32\drivers\amdxata.sys
00:24:55.0828 6472 amdxata - ok
00:24:55.0865 6472 androidusb (4de0d5d747a73797c95a97dcce5018b5) C:\Windows\system32\Drivers\ssadadb.sys
00:24:55.0881 6472 androidusb - ok
00:24:55.0924 6472 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
00:24:55.0932 6472 AppID - ok
00:24:55.0964 6472 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
00:24:55.0973 6472 AppIDSvc - ok
00:24:55.0982 6472 Appinfo (d065be66822847b7f127d1f90158376e) C:\Windows\System32\appinfo.dll
00:24:55.0990 6472 Appinfo - ok
00:24:56.0146 6472 Apple Mobile Device (f401929ee0cc92bfe7f15161ca535383) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
00:24:56.0147 6472 Apple Mobile Device - ok
00:24:56.0176 6472 AppMgmt (4aba3e75a76195a3e38ed2766c962899) C:\Windows\System32\appmgmts.dll
00:24:56.0192 6472 AppMgmt - ok
00:24:56.0226 6472 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
00:24:56.0242 6472 arc - ok
00:24:56.0282 6472 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
00:24:56.0291 6472 arcsas - ok
00:24:56.0407 6472 aspnet_state (9217d874131ae6ff8f642f124f00a555) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
00:24:56.0415 6472 aspnet_state - ok
00:24:56.0450 6472 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
00:24:56.0451 6472 AsyncMac - ok
00:24:56.0474 6472 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
00:24:56.0474 6472 atapi - ok
00:24:56.0808 6472 atikmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
00:24:56.0849 6472 atikmdag - ok
00:24:56.0965 6472 AudioEndpointBuilder (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
00:24:56.0968 6472 AudioEndpointBuilder - ok
00:24:56.0974 6472 AudioSrv (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
00:24:56.0977 6472 AudioSrv - ok
00:24:57.0285 6472 AVGIDSAgent (d67719bcfde5798f5c30d14efed3bcaf) C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
00:24:57.0307 6472 AVGIDSAgent - ok
00:24:57.0430 6472 AVGIDSDriver (1b2e9fcdc26dc7c81d4131430e2dc936) C:\Windows\system32\DRIVERS\avgidsdrivera.sys
00:24:57.0431 6472 AVGIDSDriver - ok
00:24:57.0467 6472 AVGIDSFilter (0f293406f64b48d5d2f0d3a1117f3a83) C:\Windows\system32\DRIVERS\avgidsfiltera.sys
00:24:57.0468 6472 AVGIDSFilter - ok
00:24:57.0510 6472 AVGIDSHA (cffc3a4a638f462e0561cb368b9a7a3a) C:\Windows\system32\DRIVERS\avgidsha.sys
00:24:57.0527 6472 AVGIDSHA - ok
00:24:57.0571 6472 Avgldx64 (59955b4c288dd2a8b9fd2cd5158355c5) C:\Windows\system32\DRIVERS\avgldx64.sys
00:24:57.0573 6472 Avgldx64 - ok
00:24:57.0613 6472 Avgmfx64 (a6aec362aae5e2dda7445e7690cb0f33) C:\Windows\system32\DRIVERS\avgmfx64.sys
00:24:57.0614 6472 Avgmfx64 - ok
00:24:57.0676 6472 Avgrkx64 (645c7f0a0e39758a0024a9b1748273c0) C:\Windows\system32\DRIVERS\avgrkx64.sys
00:24:57.0692 6472 Avgrkx64 - ok
00:24:57.0713 6472 Avgtdia (1bee674ad792b1c63bb0dac5fa724b23) C:\Windows\system32\DRIVERS\avgtdia.sys
00:24:57.0715 6472 Avgtdia - ok
00:24:57.0823 6472 avgwd (ea1145debcd508fd25bd1e95c4346929) C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
00:24:57.0825 6472 avgwd - ok
00:24:57.0856 6472 AxInstSV (b20b5fa5ca050e9926e4d1db81501b32) C:\Windows\System32\AxInstSV.dll
00:24:57.0864 6472 AxInstSV - ok
00:24:57.0912 6472 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
00:24:57.0932 6472 b06bdrv - ok
00:24:57.0973 6472 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
00:24:57.0987 6472 b57nd60a - ok
00:24:58.0148 6472 BCM43XX (fb4fda64f2e8552eaeb5986c3f34462c) C:\Windows\system32\DRIVERS\bcmwl664.sys
00:24:58.0161 6472 BCM43XX - ok
00:24:58.0264 6472 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
00:24:58.0272 6472 BDESVC - ok
00:24:58.0307 6472 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
00:24:58.0308 6472 Beep - ok
00:24:58.0338 6472 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
00:24:58.0346 6472 blbdrive - ok
00:24:58.0459 6472 Bonjour Service (ebbcd5dfbb1de70e8f4af8fa59e401fd) C:\Program Files\Bonjour\mDNSResponder.exe
00:24:58.0461 6472 Bonjour Service - ok
00:24:58.0517 6472 bowser (19d20159708e152267e53b66677a4995) C:\Windows\system32\DRIVERS\bowser.sys
00:24:58.0518 6472 bowser - ok
00:24:58.0545 6472 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
00:24:58.0546 6472 BrFiltLo - ok
00:24:58.0564 6472 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
00:24:58.0565 6472 BrFiltUp - ok
00:24:58.0601 6472 Browser (94fbc06f294d58d02361918418f996e3) C:\Windows\System32\browser.dll
00:24:58.0602 6472 Browser - ok
00:24:58.0642 6472 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
00:24:58.0655 6472 Brserid - ok
00:24:58.0672 6472 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
00:24:58.0687 6472 BrSerWdm - ok
00:24:58.0699 6472 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
00:24:58.0701 6472 BrUsbMdm - ok
00:24:58.0711 6472 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
00:24:58.0712 6472 BrUsbSer - ok
00:24:58.0727 6472 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
00:24:58.0734 6472 BTHMODEM - ok
00:24:58.0778 6472 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
00:24:58.0785 6472 bthserv - ok
00:24:58.0802 6472 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
00:24:58.0809 6472 cdfs - ok
00:24:58.0844 6472 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
00:24:58.0852 6472 cdrom - ok
00:24:58.0889 6472 CertPropSvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll
00:24:58.0897 6472 CertPropSvc - ok
00:24:58.0920 6472 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
00:24:58.0986 6472 circlass - ok
00:24:59.0014 6472 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
00:24:59.0026 6472 CLFS - ok
00:24:59.0086 6472 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
00:24:59.0136 6472 clr_optimization_v2.0.50727_32 - ok
00:24:59.0196 6472 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
00:24:59.0211 6472 clr_optimization_v2.0.50727_64 - ok
00:24:59.0312 6472 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
00:24:59.0328 6472 clr_optimization_v4.0.30319_32 - ok
00:24:59.0427 6472 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
00:24:59.0432 6472 clr_optimization_v4.0.30319_64 - ok
00:24:59.0481 6472 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
00:24:59.0482 6472 CmBatt - ok
00:24:59.0501 6472 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
00:24:59.0503 6472 cmdide - ok
00:24:59.0553 6472 CNG (937beb186a735aca91d717044a49d17e) C:\Windows\system32\Drivers\cng.sys
00:24:59.0572 6472 CNG - ok
00:24:59.0594 6472 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
00:24:59.0610 6472 Compbatt - ok
00:24:59.0636 6472 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
00:24:59.0644 6472 CompositeBus - ok
00:24:59.0661 6472 COMSysApp - ok
00:24:59.0816 6472 CoordinatorServiceHost (d15de7c911fd2f37ee71c3fbe82c8b79) C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
00:24:59.0824 6472 CoordinatorServiceHost - ok
00:24:59.0862 6472 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
00:24:59.0863 6472 crcdisk - ok
00:24:59.0910 6472 CryptSvc (8c57411b66282c01533cb776f98ad384) C:\Windows\system32\cryptsvc.dll
00:24:59.0911 6472 CryptSvc - ok
00:24:59.0938 6472 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
00:24:59.0965 6472 CSC - ok
00:24:59.0996 6472 CscService (873fbf927c06e5cee04dec617502f8fd) C:\Windows\System32\cscsvc.dll
00:24:59.0999 6472 CscService - ok
00:25:00.0053 6472 DcomLaunch (7266972e86890e2b30c0c322e906b027) C:\Windows\system32\rpcss.dll
00:25:00.0057 6472 DcomLaunch - ok
00:25:00.0158 6472 DCPFLICS (cdff105bd660c4cb336dd359b7186cf3) C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe
00:25:00.0159 6472 DCPFLICS - ok
00:25:00.0199 6472 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
00:25:00.0212 6472 defragsvc - ok
00:25:00.0279 6472 DfsC (9c253ce7311ca60fc11c774692a13208) C:\Windows\system32\Drivers\dfsc.sys
00:25:00.0287 6472 DfsC - ok
00:25:00.0338 6472 Dhcp (ce3b9562d997f69b330d181a8875960f) C:\Windows\system32\dhcpcore.dll
00:25:00.0340 6472 Dhcp - ok
00:25:00.0364 6472 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
00:25:00.0373 6472 discache - ok
00:25:00.0402 6472 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
00:25:00.0411 6472 Disk - ok
00:25:00.0454 6472 Dnscache (85cf424c74a1d5ec33533e1dbff9920a) C:\Windows\System32\dnsrslvr.dll
00:25:00.0456 6472 Dnscache - ok
00:25:00.0488 6472 dot3svc (14452acdb09b70964c8c21bf80a13acb) C:\Windows\System32\dot3svc.dll
00:25:00.0502 6472 dot3svc - ok
00:25:00.0514 6472 DPS (8c2ba6bea949ee6e68385f5692bafb94) C:\Windows\system32\dps.dll
00:25:00.0516 6472 DPS - ok
00:25:00.0550 6472 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
00:25:00.0551 6472 drmkaud - ok
00:25:00.0594 6472 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
00:25:00.0599 6472 DXGKrnl - ok
00:25:00.0611 6472 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
00:25:00.0612 6472 EapHost - ok
00:25:00.0748 6472 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
00:25:00.0818 6472 ebdrv - ok
00:25:01.0218 6472 EFS (156f6159457d0aa7e59b62681b56eb90) C:\Windows\System32\lsass.exe
00:25:01.0219 6472 EFS - ok
00:25:01.0282 6472 ehRecvr (47c071994c3f649f23d9cd075ac9304a) C:\Windows\ehome\ehRecvr.exe
00:25:01.0339 6472 ehRecvr - ok
00:25:01.0370 6472 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
00:25:01.0411 6472 ehSched - ok
00:25:01.0478 6472 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
00:25:01.0502 6472 elxstor - ok
00:25:01.0517 6472 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
00:25:01.0518 6472 ErrDev - ok
00:25:01.0571 6472 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
00:25:01.0574 6472 EventSystem - ok
00:25:01.0593 6472 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
00:25:01.0608 6472 exfat - ok
00:25:01.0633 6472 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
00:25:01.0647 6472 fastfat - ok
00:25:01.0696 6472 Fax (d607b2f1bee3992aa6c2c92c0a2f0855) C:\Windows\system32\fxssvc.exe
00:25:01.0719 6472 Fax - ok
00:25:01.0739 6472 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
00:25:01.0756 6472 fdc - ok
00:25:01.0768 6472 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
00:25:01.0769 6472 fdPHost - ok
00:25:01.0783 6472 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
00:25:01.0784 6472 FDResPub - ok
00:25:01.0795 6472 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
00:25:01.0803 6472 FileInfo - ok
00:25:01.0815 6472 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
00:25:01.0831 6472 Filetrace - ok
00:25:01.0990 6472 FLEXnet Licensing Service (73081cf28f0ae20a52ca4f67cee6e6b0) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
00:25:02.0018 6472 FLEXnet Licensing Service - ok
00:25:02.0115 6472 FLEXnet Licensing Service 64 (64ab6f28047744b9b19c97459c2ab31b) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
00:25:02.0146 6472 FLEXnet Licensing Service 64 - ok
00:25:02.0237 6472 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
00:25:02.0238 6472 flpydisk - ok
00:25:02.0262 6472 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
00:25:02.0264 6472 FltMgr - ok
00:25:02.0336 6472 FontCache (bc00505cfda789ed3be95d2ff38c4875) C:\Windows\system32\FntCache.dll
00:25:02.0362 6472 FontCache - ok
00:25:02.0437 6472 FontCache3.0.0.0 (8d89e3131c27fdd6932189cb785e1b7a) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
00:25:02.0453 6472 FontCache3.0.0.0 - ok
00:25:02.0485 6472 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
00:25:02.0501 6472 FsDepends - ok
00:25:02.0530 6472 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
00:25:02.0532 6472 Fs_Rec - ok
00:25:02.0571 6472 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
00:25:02.0586 6472 fvevol - ok
00:25:02.0615 6472 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
00:25:02.0631 6472 gagp30kx - ok
00:25:02.0665 6472 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
00:25:02.0666 6472 GEARAspiWDM - ok
00:25:02.0762 6472 Giraffic - ok
00:25:02.0815 6472 gpsvc (fe5ab4525bc2ec68b9119a6e5d40128b) C:\Windows\System32\gpsvc.dll
00:25:02.0819 6472 gpsvc - ok
00:25:02.0839 6472 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
00:25:02.0848 6472 hcw85cir - ok
00:25:02.0897 6472 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
00:25:02.0908 6472 HdAudAddService - ok
00:25:02.0933 6472 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
00:25:02.0940 6472 HDAudBus - ok
00:25:02.0956 6472 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
00:25:02.0972 6472 HidBatt - ok
00:25:02.0988 6472 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
00:25:02.0996 6472 HidBth - ok
00:25:03.0010 6472 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
00:25:03.0018 6472 HidIr - ok
00:25:03.0035 6472 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\system32\hidserv.dll
00:25:03.0051 6472 hidserv - ok
00:25:03.0097 6472 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
00:25:03.0114 6472 HidUsb - ok
00:25:03.0135 6472 hkmsvc (efa58ede58dd74388ffd04cb32681518) C:\Windows\system32\kmsvc.dll
00:25:03.0143 6472 hkmsvc - ok
00:25:03.0164 6472 HomeGroupListener (046b2673767ca626e2cfb7fdf735e9e8) C:\Windows\system32\ListSvc.dll
00:25:03.0187 6472 HomeGroupListener - ok
00:25:03.0224 6472 HomeGroupProvider (06a7422224d9865a5613710a089987df) C:\Windows\system32\provsvc.dll
00:25:03.0226 6472 HomeGroupProvider - ok
00:25:03.0279 6472 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
00:25:03.0287 6472 HpSAMD - ok
00:25:03.0353 6472 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
00:25:03.0356 6472 HTTP - ok
00:25:03.0367 6472 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
00:25:03.0368 6472 hwpolicy - ok
00:25:03.0401 6472 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
00:25:03.0409 6472 i8042prt - ok
00:25:03.0455 6472 iaStorV (b75e45c564e944a2657167d197ab29da) C:\Windows\system32\drivers\iaStorV.sys
00:25:03.0483 6472 iaStorV - ok
00:25:03.0590 6472 idsvc (2f2be70d3e02b6fa877921ab9516d43c) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
00:25:03.0612 6472 idsvc - ok
00:25:03.0656 6472 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
00:25:03.0664 6472 iirsp - ok
00:25:03.0724 6472 IKEEXT (c5b4683680df085b57bc53e5ef34861f) C:\Windows\System32\ikeext.dll
00:25:03.0745 6472 IKEEXT - ok
00:25:03.0767 6472 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
00:25:03.0768 6472 intelide - ok
00:25:03.0798 6472 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
00:25:03.0799 6472 intelppm - ok
00:25:03.0809 6472 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
00:25:03.0816 6472 IPBusEnum - ok
00:25:03.0840 6472 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
00:25:03.0848 6472 IpFilterDriver - ok
00:25:03.0868 6472 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
00:25:03.0876 6472 IPMIDRV - ok
00:25:03.0897 6472 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
00:25:03.0904 6472 IPNAT - ok
00:25:04.0028 6472 iPod Service (a9ab99ee7d39725eafec82732d2b3271) C:\Program Files\iPod\bin\iPodService.exe
00:25:04.0032 6472 iPod Service - ok
00:25:04.0054 6472 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
00:25:04.0056 6472 IRENUM - ok
00:25:04.0086 6472 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
00:25:04.0087 6472 isapnp - ok
00:25:04.0158 6472 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
00:25:04.0173 6472 iScsiPrt - ok
00:25:04.0206 6472 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
00:25:04.0207 6472 kbdclass - ok
00:25:04.0233 6472 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
00:25:04.0249 6472 kbdhid - ok
00:25:04.0286 6472 KeyIso (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
00:25:04.0288 6472 KeyIso - ok
00:25:04.0303 6472 KSecDD (16c1b906fc5ead84769f90b736b6bf0e) C:\Windows\system32\Drivers\ksecdd.sys
00:25:04.0311 6472 KSecDD - ok
00:25:04.0324 6472 KSecPkg (0b711550c56444879d71c7daabda6c83) C:\Windows\system32\Drivers\ksecpkg.sys
00:25:04.0332 6472 KSecPkg - ok
00:25:04.0343 6472 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
00:25:04.0359 6472 ksthunk - ok
00:25:04.0412 6472 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
00:25:04.0442 6472 KtmRm - ok
00:25:04.0477 6472 LanmanServer (81f1d04d4d0e433099365127375fd501) C:\Windows\system32\srvsvc.dll
00:25:04.0479 6472 LanmanServer - ok
00:25:04.0507 6472 LanmanWorkstation (27026eac8818e8a6c00a1cad2f11d29a) C:\Windows\System32\wkssvc.dll
00:25:04.0510 6472 LanmanWorkstation - ok
00:25:04.0538 6472 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
00:25:04.0539 6472 lltdio - ok
00:25:04.0576 6472 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
00:25:04.0591 6472 lltdsvc - ok
00:25:04.0606 6472 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
00:25:04.0607 6472 lmhosts - ok
00:25:04.0646 6472 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
00:25:04.0654 6472 LSI_FC - ok
00:25:04.0676 6472 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
00:25:04.0697 6472 LSI_SAS - ok
00:25:04.0709 6472 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
00:25:04.0716 6472 LSI_SAS2 - ok
00:25:04.0728 6472 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
00:25:04.0736 6472 LSI_SCSI - ok
00:25:04.0771 6472 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
00:25:04.0772 6472 luafv - ok
00:25:04.0786 6472 Mcx2Svc (f84c8f1000bc11e3b7b23cbd3baff111) C:\Windows\system32\Mcx2Svc.dll
00:25:04.0794 6472 Mcx2Svc - ok
00:25:04.0819 6472 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
00:25:04.0827 6472 megasas - ok
00:25:04.0849 6472 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
00:25:04.0862 6472 MegaSR - ok
00:25:05.0013 6472 mi-raysat_3dsmax2013_64 (0af89452a8ce3928168f4e5b2208c68b) C:\Program Files\Autodesk\3ds Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe
00:25:05.0014 6472 mi-raysat_3dsmax2013_64 - ok
00:25:05.0150 6472 Microsoft Office Groove Audit Service (7c4c76b39d5525c4a465e0be32528e19) C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe
00:25:05.0157 6472 Microsoft Office Groove Audit Service - ok
00:25:05.0194 6472 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
00:25:05.0196 6472 MMCSS - ok
00:25:05.0217 6472 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
00:25:05.0225 6472 Modem - ok
00:25:05.0264 6472 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
00:25:05.0264 6472 monitor - ok
00:25:05.0320 6472 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
00:25:05.0321 6472 mouclass - ok
00:25:05.0374 6472 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
00:25:05.0399 6472 mouhid - ok
00:25:05.0410 6472 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
00:25:05.0418 6472 mountmgr - ok
00:25:05.0526 6472 MozillaMaintenance (46297fa8e30a6007f14118fc2b942fbc) C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
00:25:05.0529 6472 MozillaMaintenance - ok
00:25:05.0584 6472 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
00:25:05.0586 6472 MpFilter - ok
00:25:05.0625 6472 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
00:25:05.0633 6472 mpio - ok
00:25:05.0649 6472 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
00:25:05.0657 6472 MpNWMon - ok
00:25:05.0692 6472 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
00:25:05.0700 6472 mpsdrv - ok
00:25:05.0725 6472 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
00:25:05.0732 6472 MRxDAV - ok
00:25:05.0775 6472 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys
00:25:05.0776 6472 mrxsmb - ok
00:25:05.0796 6472 mrxsmb10 (f0067552f8f9b33d7c59403ab808a3cb) C:\Windows\system32\DRIVERS\mrxsmb10.sys
00:25:05.0797 6472 mrxsmb10 - ok
00:25:05.0808 6472 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys
00:25:05.0809 6472 mrxsmb20 - ok
00:25:05.0821 6472 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
00:25:05.0829 6472 msahci - ok
00:25:05.0852 6472 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
00:25:05.0859 6472 msdsm - ok
00:25:05.0894 6472 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
00:25:05.0901 6472 MSDTC - ok
00:25:05.0949 6472 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
00:25:05.0966 6472 Msfs - ok
00:25:05.0977 6472 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
00:25:05.0978 6472 mshidkmdf - ok
00:25:05.0986 6472 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
00:25:05.0987 6472 msisadrv - ok
00:25:06.0026 6472 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
00:25:06.0033 6472 MSiSCSI - ok
00:25:06.0035 6472 msiserver - ok
00:25:06.0057 6472 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
00:25:06.0058 6472 MSKSSRV - ok
00:25:06.0068 6472 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
00:25:06.0069 6472 MSPCLOCK - ok
00:25:06.0078 6472 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
00:25:06.0079 6472 MSPQM - ok
00:25:06.0121 6472 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
00:25:06.0136 6472 MsRPC - ok
00:25:06.0149 6472 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
00:25:06.0149 6472 mssmbios - ok
00:25:06.0165 6472 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
00:25:06.0166 6472 MSTEE - ok
00:25:06.0182 6472 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
00:25:06.0183 6472 MTConfig - ok
00:25:06.0215 6472 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
00:25:06.0223 6472 Mup - ok
00:25:06.0264 6472 napagent (4987e079a4530fa737a128be54b63b12) C:\Windows\system32\qagentRT.dll
00:25:06.0289 6472 napagent - ok
00:25:06.0333 6472 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
00:25:06.0335 6472 NativeWifiP - ok
00:25:06.0469 6472 NBService (2637f26312ecceeb6f110e95f1ece243) C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
00:25:06.0504 6472 NBService - ok
00:25:06.0569 6472 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
00:25:06.0598 6472 NDIS - ok
00:25:06.0626 6472 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
00:25:06.0635 6472 NdisCap - ok
00:25:06.0661 6472 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
00:25:06.0669 6472 NdisTapi - ok
00:25:06.0697 6472 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
00:25:06.0698 6472 Ndisuio - ok
00:25:06.0712 6472 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
00:25:06.0728 6472 NdisWan - ok
00:25:06.0737 6472 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
00:25:06.0753 6472 NDProxy - ok
00:25:06.0767 6472 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
00:25:06.0775 6472 NetBIOS - ok
00:25:06.0812 6472 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
00:25:06.0827 6472 NetBT - ok
00:25:06.0869 6472 Netlogon (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
00:25:06.0870 6472 Netlogon - ok
00:25:06.0920 6472 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
00:25:06.0933 6472 Netman - ok
00:25:07.0044 6472 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
00:25:07.0052 6472 NetMsmqActivator - ok
00:25:07.0054 6472 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
00:25:07.0055 6472 NetPipeActivator - ok
00:25:07.0093 6472 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
00:25:07.0111 6472 netprofm - ok
00:25:07.0127 6472 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
00:25:07.0128 6472 NetTcpActivator - ok
00:25:07.0131 6472 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
00:25:07.0132 6472 NetTcpPortSharing - ok
00:25:07.0195 6472 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
00:25:07.0211 6472 nfrd960 - ok
00:25:07.0252 6472 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
00:25:07.0253 6472 NisDrv - ok
00:25:07.0448 6472 NisSrv (566ddd5d82520da01d75f81428ac4c38) c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
00:25:07.0459 6472 NisSrv - ok
00:25:07.0501 6472 NlaSvc (d9a0ce66046d6efa0c61baa885cba0a8) C:\Windows\System32\nlasvc.dll
00:25:07.0514 6472 NlaSvc - ok
00:25:07.0523 6472 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
00:25:07.0539 6472 Npfs - ok
00:25:07.0550 6472 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
00:25:07.0551 6472 nsi - ok
00:25:07.0575 6472 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
00:25:07.0583 6472 nsiproxy - ok
00:25:07.0671 6472 Ntfs (378e0e0dfea67d98ae6ea53adbbd76bc) C:\Windows\system32\drivers\Ntfs.sys
00:25:07.0706 6472 Ntfs - ok
00:25:07.0784 6472 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
00:25:07.0785 6472 Null - ok
00:25:07.0829 6472 nvraid (a4d9c9a608a97f59307c2f2600edc6a4) C:\Windows\system32\drivers\nvraid.sys
00:25:07.0837 6472 nvraid - ok
00:25:07.0872 6472 nvstor (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\Windows\system32\drivers\nvstor.sys
00:25:07.0887 6472 nvstor - ok
00:25:07.0921 6472 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
00:25:07.0928 6472 nv_agp - ok
00:25:08.0050 6472 odserv (1f0e05dff4f5a833168e49be1256f002) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
00:25:08.0063 6472 odserv - ok
00:25:08.0091 6472 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
00:25:08.0099 6472 ohci1394 - ok
00:25:08.0170 6472 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
00:25:08.0178 6472 ose - ok
00:25:08.0235 6472 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
00:25:08.0245 6472 p2pimsvc - ok
00:25:08.0268 6472 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
00:25:08.0286 6472 p2psvc - ok
00:25:08.0323 6472 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
00:25:08.0331 6472 Parport - ok
00:25:08.0343 6472 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
00:25:08.0351 6472 partmgr - ok
00:25:08.0375 6472 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
00:25:08.0390 6472 PcaSvc - ok
00:25:08.0411 6472 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
00:25:08.0412 6472 pci - ok
00:25:08.0423 6472 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
00:25:08.0425 6472 pciide - ok
00:25:08.0456 6472 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
00:25:08.0471 6472 pcmcia - ok
00:25:08.0496 6472 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
00:25:08.0504 6472 pcw - ok
00:25:08.0701 6472 PDMWorks Workgroup Server (e6370e8c7c6ac314682a768b38e66963) C:\Program Files (x86)\PDMWorks Workgroup\Vault\pdmwService.exe
00:25:08.0715 6472 PDMWorks Workgroup Server - ok
00:25:08.0831 6472 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
00:25:08.0856 6472 PEAUTH - ok
00:25:08.0931 6472 PeerDistSvc (b9b0a4299dd2d76a4243f75fd54dc680) C:\Windows\system32\peerdistsvc.dll
00:25:08.0963 6472 PeerDistSvc - ok
00:25:09.0030 6472 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
00:25:09.0032 6472 PerfHost - ok
00:25:09.0131 6472 pla (557e9a86f65f0de18c9b6751dfe9d3f1) C:\Windows\system32\pla.dll
00:25:09.0161 6472 pla - ok
00:25:09.0224 6472 PlugPlay (98b1721b8718164293b9701b98c52d77) C:\Windows\system32\umpnpmgr.dll
00:25:09.0228 6472 PlugPlay - ok
00:25:09.0253 6472 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
00:25:09.0319 6472 PNRPAutoReg - ok
00:25:09.0366 6472 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
00:25:09.0368 6472 PNRPsvc - ok
00:25:09.0412 6472 PolicyAgent (166eb40d1f5b47e615de3d0fffe5f243) C:\Windows\System32\ipsecsvc.dll
00:25:09.0439 6472 PolicyAgent - ok
00:25:09.0468 6472 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
00:25:09.0471 6472 Power - ok
00:25:09.0527 6472 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
00:25:09.0535 6472 PptpMiniport - ok
00:25:09.0569 6472 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
00:25:09.0585 6472 Processor - ok
00:25:09.0623 6472 ProfSvc (f381975e1f4346de875cb07339ce8d3a) C:\Windows\system32\profsvc.dll
00:25:09.0625 6472 ProfSvc - ok
00:25:09.0666 6472 ProtectedStorage (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
00:25:09.0668 6472 ProtectedStorage - ok
00:25:09.0691 6472 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
00:25:09.0697 6472 Psched - ok
00:25:09.0746 6472 PTSimBus (225d3660f926fe761bc8ce10c512aa02) C:\Windows\system32\DRIVERS\PTSimBus.sys
00:25:09.0756 6472 PTSimBus - ok
00:25:09.0770 6472 PTSimHid (bd2194786abaf4860f41118c0c103e7b) C:\Windows\system32\DRIVERS\PTSimHid.sys
00:25:09.0777 6472 PTSimHid - ok
00:25:09.0817 6472 PxHlpa64 (bc08f7f3c53cbee68670ed1314e290fd) C:\Windows\system32\Drivers\PxHlpa64.sys
00:25:09.0825 6472 PxHlpa64 - ok
00:25:09.0899 6472 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
00:25:09.0938 6472 ql2300 - ok
00:25:10.0049 6472 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
00:25:10.0057 6472 ql40xx - ok
00:25:10.0100 6472 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
00:25:10.0115 6472 QWAVE - ok
00:25:10.0124 6472 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
00:25:10.0133 6472 QWAVEdrv - ok
00:25:10.0146 6472 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
00:25:10.0148 6472 RasAcd - ok
00:25:10.0181 6472 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
00:25:10.0189 6472 RasAgileVpn - ok
00:25:10.0201 6472 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
00:25:10.0208 6472 RasAuto - ok
00:25:10.0225 6472 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
00:25:10.0233 6472 Rasl2tp - ok
00:25:10.0256 6472 RasMan (47394ed3d16d053f5906efe5ab51cc83) C:\Windows\System32\rasmans.dll
00:25:10.0269 6472 RasMan - ok
00:25:10.0295 6472 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
00:25:10.0312 6472 RasPppoe - ok
00:25:10.0325 6472 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
00:25:10.0341 6472 RasSstp - ok
00:25:10.0377 6472 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
00:25:10.0395 6472 rdbss - ok
00:25:10.0410 6472 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
00:25:10.0418 6472 rdpbus - ok
00:25:10.0427 6472 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
00:25:10.0428 6472 RDPCDD - ok
00:25:10.0454 6472 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
00:25:10.0461 6472 RDPDR - ok
00:25:10.0489 6472 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
00:25:10.0490 6472 RDPENCDD - ok
00:25:10.0503 6472 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
00:25:10.0504 6472 RDPREFMP - ok
00:25:10.0533 6472 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
00:25:10.0548 6472 RDPWD - ok
00:25:10.0586 6472 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
00:25:10.0599 6472 rdyboost - ok
00:25:10.0635 6472 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
00:25:10.0642 6472 RemoteAccess - ok
00:25:10.0667 6472 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
00:25:10.0674 6472 RemoteRegistry - ok
00:25:10.0687 6472 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
00:25:10.0689 6472 RpcEptMapper - ok
00:25:10.0714 6472 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
00:25:10.0716 6472 RpcLocator - ok
00:25:10.0747 6472 RpcSs (7266972e86890e2b30c0c322e906b027) C:\Windows\system32\rpcss.dll
00:25:10.0751 6472 RpcSs - ok
00:25:10.0787 6472 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
00:25:10.0787 6472 rspndr - ok
00:25:10.0844 6472 RTL8167 (abcb5a38a0d85bdf69b7877e1ad1eed5) C:\Windows\system32\DRIVERS\Rt64win7.sys
00:25:10.0858 6472 RTL8167 - ok
00:25:10.0880 6472 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
00:25:10.0882 6472 s3cap - ok
00:25:10.0920 6472 SamSs (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
00:25:10.0921 6472 SamSs - ok
00:25:10.0944 6472 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
00:25:10.0952 6472 sbp2port - ok
00:25:11.0002 6472 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
00:25:11.0011 6472 SCardSvr - ok
00:25:11.0025 6472 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
00:25:11.0041 6472 scfilter - ok
00:25:11.0087 6472 Schedule (624d0f5ff99428bb90a5b8a4123e918e) C:\Windows\system32\schedsvc.dll
00:25:11.0094 6472 Schedule - ok
00:25:11.0118 6472 SCPolicySvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll
00:25:11.0119 6472 SCPolicySvc - ok
00:25:11.0133 6472 SDRSVC (765a27c3279ce11d14cb9e4f5869fca5) C:\Windows\System32\SDRSVC.dll
00:25:11.0150 6472 SDRSVC - ok
00:25:11.0212 6472 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
00:25:11.0213 6472 secdrv - ok
00:25:11.0235 6472 seclogon (463b386ebc70f98da5dff85f7e654346) C:\Windows\system32\seclogon.dll
00:25:11.0243 6472 seclogon - ok
00:25:11.0254 6472 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\System32\sens.dll
00:25:11.0256 6472 SENS - ok
00:25:11.0267 6472 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
00:25:11.0275 6472 SensrSvc - ok
00:25:11.0301 6472 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
00:25:11.0334 6472 Serenum - ok
00:25:11.0365 6472 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
00:25:11.0406 6472 Serial - ok
00:25:11.0427 6472 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
00:25:11.0435 6472 sermouse - ok
00:25:11.0464 6472 SessionEnv (c3bc61ce47ff6f4e88ab8a3b429a36af) C:\Windows\system32\sessenv.dll
00:25:11.0471 6472 SessionEnv - ok
00:25:11.0489 6472 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
00:25:11.0490 6472 sffdisk - ok
00:25:11.0502 6472 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
00:25:11.0503 6472 sffp_mmc - ok
00:25:11.0521 6472 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
00:25:11.0522 6472 sffp_sd - ok
00:25:11.0552 6472 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
00:25:11.0554 6472 sfloppy - ok
00:25:11.0601 6472 ShellHWDetection (0298ac45d0efffb2db4baa7dd186e7bf) C:\Windows\System32\shsvcs.dll
00:25:11.0604 6472 ShellHWDetection - ok
00:25:11.0634 6472 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
00:25:11.0642 6472 SiSRaid2 - ok
00:25:11.0662 6472 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
00:25:11.0678 6472 SiSRaid4 - ok
00:25:11.0681 6472 skfxeqvf - ok
00:25:11.0701 6472 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
00:25:11.0709 6472 Smb - ok
00:25:11.0755 6472 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
00:25:11.0758 6472 SNMPTRAP - ok
00:25:11.0873 6472 SolidWorks Licensing Service (4945020bc094c322571184a6e8056b3a) C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
00:25:11.0893 6472 SolidWorks Licensing Service - ok
00:25:11.0928 6472 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
00:25:11.0930 6472 spldr - ok
00:25:11.0973 6472 Spooler (f8e1fa03cb70d54a9892ac88b91d1e7b) C:\Windows\System32\spoolsv.exe
00:25:11.0977 6472 Spooler - ok
00:25:12.0107 6472 sppsvc (913d843498553a1bc8f8dbad6358e49f) C:\Windows\system32\sppsvc.exe
00:25:12.0182 6472 sppsvc - ok
00:25:12.0273 6472 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
00:25:12.0282 6472 sppuinotify - ok
00:25:12.0371 6472 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
00:25:12.0372 6472 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
00:25:12.0373 6472 sptd ( LockedFile.Multi.Generic ) - warning
00:25:12.0373 6472 sptd - detected LockedFile.Multi.Generic (1)
00:25:12.0437 6472 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys
00:25:12.0439 6472 srv - ok
00:25:12.0460 6472 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys
00:25:12.0463 6472 srv2 - ok
00:25:12.0506 6472 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys
00:25:12.0510 6472 srvnet - ok
00:25:12.0564 6472 ssadbus (8f8324ed1de63ffc7b1a02cd2d963c72) C:\Windows\system32\DRIVERS\ssadbus.sys
00:25:12.0579 6472 ssadbus - ok
00:25:12.0612 6472 ssadmdfl (58221efcb74167b73667f0024c661ce0) C:\Windows\system32\DRIVERS\ssadmdfl.sys
00:25:12.0613 6472 ssadmdfl - ok
00:25:12.0640 6472 ssadmdm (4da7c71bfac5ad71255b7e4cab980163) C:\Windows\system32\DRIVERS\ssadmdm.sys
00:25:12.0648 6472 ssadmdm - ok
00:25:12.0692 6472 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
00:25:12.0706 6472 SSDPSRV - ok
00:25:12.0718 6472 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
00:25:12.0726 6472 SstpSvc - ok
00:25:12.0749 6472 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
00:25:12.0757 6472 stexstor - ok
00:25:12.0802 6472 stisvc (52d0e33b681bd0f33fdc08812fee4f7d) C:\Windows\System32\wiaservc.dll
00:25:12.0821 6472 stisvc - ok
00:25:12.0840 6472 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
00:25:12.0848 6472 storflt - ok
00:25:12.0868 6472 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
00:25:12.0876 6472 storvsc - ok
00:25:12.0891 6472 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
00:25:12.0892 6472 swenum - ok
00:25:13.0028 6472 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
00:25:13.0030 6472 SwitchBoard - ok
00:25:13.0076 6472 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
00:25:13.0094 6472 swprv - ok
00:25:13.0165 6472 SysMain (3c1284516a62078fb68f768de4f1a7be) C:\Windows\system32\sysmain.dll
00:25:13.0205 6472 SysMain - ok
00:25:13.0298 6472 Tablet2k - ok
00:25:13.0457 6472 TabletInputService (238935c3cf2854886dc7cbb2a0e2cc66) C:\Windows\System32\TabSvc.dll
00:25:13.0460 6472 TabletInputService - ok
00:25:13.0480 6472 TapiSrv (884264ac597b690c5707c89723bb8e7b) C:\Windows\System32\tapisrv.dll
00:25:13.0493 6472 TapiSrv - ok
00:25:13.0502 6472 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
00:25:13.0505 6472 TBS - ok
00:25:13.0569 6472 TClass2k (530a7f0966493dd437e4342f12ccd63b) C:\Windows\system32\DRIVERS\TClass2k.sys
00:25:13.0578 6472 TClass2k - ok
00:25:13.0690 6472 Tcpip (f18f56efc0bfb9c87ba01c37b27f4da5) C:\Windows\system32\drivers\tcpip.sys
00:25:13.0734 6472 Tcpip - ok
00:25:13.0884 6472 TCPIP6 (f18f56efc0bfb9c87ba01c37b27f4da5) C:\Windows\system32\DRIVERS\tcpip.sys
00:25:13.0892 6472 TCPIP6 - ok
00:25:13.0969 6472 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
00:25:13.0978 6472 tcpipreg - ok
00:25:13.0997 6472 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
00:25:13.0998 6472 TDPIPE - ok
00:25:14.0020 6472 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
00:25:14.0022 6472 TDTCP - ok
00:25:14.0045 6472 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
00:25:14.0052 6472 tdx - ok
00:25:14.0065 6472 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
00:25:14.0066 6472 TermDD - ok
00:25:14.0116 6472 TermService (0f05ec2887bfe197ad82a13287d2f404) C:\Windows\System32\termsrv.dll
00:25:14.0148 6472 TermService - ok
00:25:14.0158 6472 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
00:25:14.0160 6472 Themes - ok
00:25:14.0184 6472 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
00:25:14.0185 6472 THREADORDER - ok
00:25:14.0201 6472 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
00:25:14.0217 6472 TrkWks - ok
00:25:14.0272 6472 TrustedInstaller (840f7fb849f5887a49ba18c13b2da920) C:\Windows\servicing\TrustedInstaller.exe
00:25:14.0279 6472 TrustedInstaller - ok
00:25:14.0290 6472 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
00:25:14.0306 6472 tssecsrv - ok
00:25:14.0336 6472 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
00:25:14.0344 6472 tunnel - ok
00:25:14.0361 6472 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
00:25:14.0369 6472 uagp35 - ok
00:25:14.0400 6472 UCTblHid (01662b4865fdb282677b11cf416757ce) C:\Windows\system32\DRIVERS\UCTblHid.sys
00:25:14.0407 6472 UCTblHid - ok
00:25:14.0539 6472 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
00:25:14.0556 6472 udfs - ok
00:25:14.0587 6472 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
00:25:14.0611 6472 UI0Detect - ok
00:25:14.0651 6472 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
00:25:14.0660 6472 uliagpkx - ok
00:25:14.0689 6472 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
00:25:14.0697 6472 umbus - ok
00:25:14.0713 6472 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
00:25:14.0715 6472 UmPass - ok
00:25:14.0738 6472 UmRdpService (af0ac98ee5077eb844413eb54287fde3) C:\Windows\System32\umrdp.dll
00:25:14.0753 6472 UmRdpService - ok
00:25:14.0780 6472 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
00:25:14.0793 6472 upnphost - ok
00:25:14.0833 6472 USBAAPL64 (fb251567f41bc61988b26731dec19e4b) C:\Windows\system32\Drivers\usbaapl64.sys
00:25:14.0889 6472 USBAAPL64 - ok
00:25:14.0923 6472 usbccgp (7b6a127c93ee590e4d79a5f2a76fe46f) C:\Windows\system32\DRIVERS\usbccgp.sys
00:25:14.0932 6472 usbccgp - ok
00:25:14.0969 6472 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
00:25:14.0976 6472 usbcir - ok
00:25:15.0017 6472 usbehci (92969ba5ac44e229c55a332864f79677) C:\Windows\system32\DRIVERS\usbehci.sys
00:25:15.0033 6472 usbehci - ok
00:25:15.0076 6472 usbhub (e7df1cfd28ca86b35ef5add0735ceef3) C:\Windows\system32\DRIVERS\usbhub.sys
00:25:15.0088 6472 usbhub - ok
00:25:15.0110 6472 usbohci (f1bb1e55f1e7a65c5839ccc7b36d773e) C:\Windows\system32\drivers\usbohci.sys
00:25:15.0118 6472 usbohci - ok
00:25:15.0158 6472 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
00:25:15.0174 6472 usbprint - ok
00:25:15.0210 6472 USBSTOR (f39983647bc1f3e6100778ddfe9dce29) C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:25:15.0218 6472 USBSTOR - ok
00:25:15.0227 6472 usbuhci (bc3070350a491d84b518d7cca9abd36f) C:\Windows\system32\DRIVERS\usbuhci.sys
00:25:15.0235 6472 usbuhci - ok
00:25:15.0261 6472 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
00:25:15.0263 6472 UxSms - ok
00:25:15.0305 6472 VaultSvc (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
00:25:15.0306 6472 VaultSvc - ok
00:25:15.0618 6472 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
00:25:15.0684 6472 vdrvroot - ok
00:25:15.0848 6472 vds (44d73e0bbc1d3c8981304ba15135c2f2) C:\Windows\System32\vds.exe
00:25:15.0875 6472 vds - ok
00:25:15.0892 6472 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
00:25:15.0900 6472 vga - ok
00:25:15.0914 6472 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
00:25:15.0930 6472 VgaSave - ok
00:25:15.0962 6472 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
00:25:15.0977 6472 vhdmp - ok
00:25:15.0995 6472 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
00:25:15.0997 6472 viaide - ok
00:25:16.0028 6472 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
00:25:16.0052 6472 vmbus - ok
00:25:16.0072 6472 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
00:25:16.0080 6472 VMBusHID - ok
00:25:16.0111 6472 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
00:25:16.0118 6472 volmgr - ok
00:25:16.0140 6472 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
00:25:16.0153 6472 volmgrx - ok
00:25:16.0176 6472 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
00:25:16.0189 6472 volsnap - ok
00:25:16.0225 6472 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
00:25:16.0232 6472 vsmraid - ok
00:25:16.0321 6472 VSS (787898bf9fb6d7bd87a36e2d95c899ba) C:\Windows\system32\vssvc.exe
00:25:16.0365 6472 VSS - ok
00:25:16.0455 6472 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
00:25:16.0456 6472 vwifibus - ok
00:25:16.0479 6472 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
00:25:16.0487 6472 vwififlt - ok
00:25:16.0514 6472 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
00:25:16.0534 6472 W32Time - ok
00:25:16.0554 6472 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
00:25:16.0562 6472 WacomPen - ok
00:25:16.0601 6472 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
00:25:16.0608 6472 WANARP - ok
00:25:16.0612 6472 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
00:25:16.0613 6472 Wanarpv6 - ok
00:25:16.0703 6472 wbengine (5ab1bb85bd8b5089cc5d64200dedae68) C:\Windows\system32\wbengine.exe
00:25:16.0740 6472 wbengine - ok
00:25:16.0816 6472 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
00:25:16.0832 6472 WbioSrvc - ok
00:25:16.0884 6472 wcncsvc (dd1bae8ebfc653824d29ccf8c9054d68) C:\Windows\System32\wcncsvc.dll
00:25:16.0913 6472 wcncsvc - ok
00:25:16.0938 6472 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
00:25:16.0946 6472 WcsPlugInService - ok
00:25:16.0974 6472 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
00:25:16.0982 6472 Wd - ok
00:25:17.0021 6472 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
00:25:17.0036 6472 Wdf01000 - ok
00:25:17.0051 6472 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
00:25:17.0059 6472 WdiServiceHost - ok
00:25:17.0063 6472 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
00:25:17.0065 6472 WdiSystemHost - ok
00:25:17.0119 6472 WebClient (733006127f235be7c35354ebee7b9a7b) C:\Windows\System32\webclnt.dll
00:25:17.0133 6472 WebClient - ok
00:25:17.0157 6472 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
00:25:17.0171 6472 Wecsvc - ok
00:25:17.0195 6472 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
00:25:17.0203 6472 wercplsupport - ok
00:25:17.0237 6472 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
00:25:17.0244 6472 WerSvc - ok
00:25:17.0295 6472 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
00:25:17.0296 6472 WfpLwf - ok
00:25:17.0318 6472 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
00:25:17.0320 6472 WIMMount - ok
00:25:17.0328 6472 WinHttpAutoProxySvc - ok
00:25:17.0395 6472 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
00:25:17.0409 6472 Winmgmt - ok
00:25:17.0501 6472 WinRM (41fbb751936b387f9179e7f03a74fe29) C:\Windows\system32\WsmSvc.dll
00:25:17.0548 6472 WinRM - ok
00:25:17.0721 6472 WinTabService (cb95270393dd2fcb370efd24126f94bd) C:\Windows\System32\Drivers\WTSRV.EXE
00:25:17.0722 6472 WinTabService - ok
00:25:17.0792 6472 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
00:25:17.0800 6472 WinUsb - ok
00:25:17.0857 6472 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
00:25:17.0864 6472 Wlansvc - ok
00:25:17.0895 6472 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
00:25:17.0897 6472 WmiAcpi - ok
00:25:17.0960 6472 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
00:25:17.0975 6472 wmiApSrv - ok
00:25:18.0009 6472 WMPNetworkSvc - ok
00:25:18.0021 6472 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
00:25:18.0025 6472 WPCSvc - ok
00:25:18.0043 6472 WPDBusEnum (2e57ddf2880a7e52e76f41c7e96d327b) C:\Windows\system32\wpdbusenum.dll
00:25:18.0058 6472 WPDBusEnum - ok
00:25:18.0070 6472 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
00:25:18.0078 6472 ws2ifsl - ok
00:25:18.0082 6472 WSearch - ok
00:25:18.0097 6472 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
00:25:18.0098 6472 WudfPf - ok
00:25:18.0147 6472 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
00:25:18.0154 6472 WUDFRd - ok
00:25:18.0188 6472 wudfsvc (b551d6637aa0e132c18ac6e504f7b79b) C:\Windows\System32\WUDFSvc.dll
00:25:18.0191 6472 wudfsvc - ok
00:25:18.0211 6472 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
00:25:18.0234 6472 WwanSvc - ok
00:25:18.0270 6472 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk1\DR1
00:25:18.0299 6472 \Device\Harddisk1\DR1 ( Rootkit.Boot.Pihar.b ) - infected
00:25:18.0299 6472 \Device\Harddisk1\DR1 - detected Rootkit.Boot.Pihar.b (0)
00:25:18.0330 6472 \Device\Harddisk1\DR1 ( TDSS File System ) - warning
00:25:18.0330 6472 \Device\Harddisk1\DR1 - detected TDSS File System (1)
00:25:18.0348 6472 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
00:25:18.0690 6472 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
00:25:18.0690 6472 \Device\Harddisk0\DR0 - detected TDSS File System (1)
00:25:18.0715 6472 Boot (0x1200) (09e4479cb9a0875eab7f957c34d4a0a2) \Device\Harddisk1\DR1\Partition0
00:25:18.0716 6472 \Device\Harddisk1\DR1\Partition0 - ok
00:25:18.0728 6472 Boot (0x1200) (bebd3f0275dc3911ee0dafb1a843c3e8) \Device\Harddisk1\DR1\Partition1
00:25:18.0729 6472 \Device\Harddisk1\DR1\Partition1 - ok
00:25:18.0731 6472 Boot (0x1200) (520f88b25a09e62c59cbb8326cff3d65) \Device\Harddisk0\DR0\Partition0
00:25:18.0732 6472 \Device\Harddisk0\DR0\Partition0 - ok
00:25:18.0733 6472 ============================================================
00:25:18.0733 6472 Scan finished
00:25:18.0733 6472 ============================================================
00:25:18.0740 6760 Detected object count: 4
00:25:18.0740 6760 Actual detected object count: 4


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-23 00:45:47
-----------------------------
00:45:47.655 OS Version: Windows x64 6.1.7600
00:45:47.656 Number of processors: 2 586 0x170A
00:45:47.656 ComputerName: PHILPHILSON-PC UserName: Phil Philson
00:45:51.910 Initialize success
01:01:10.251 AVAST engine defs: 12072201
01:03:10.606 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5
01:03:10.608 Disk 0 Vendor: WDC_WD3200AAJS-22L7A0 01.03E01 Size: 305244MB BusType: 3
01:03:10.610 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
01:03:10.611 Disk 1 Vendor: Maxtor_6G160E0 KA101UW0 Size: 152626MB BusType: 3
01:03:10.614 Device \Driver\atapi -> MajorFunction fffffa80097515c4
01:03:10.617 Disk 1 MBR read successfully
01:03:10.619 Disk 1 MBR scan
01:03:10.623 Disk 1 MBR:Pihar-C [Rtk]
01:03:10.625 Disk 1 TDL4@MBR code has been found
01:03:10.628 Disk 1 Windows 7 default MBR code found via API
01:03:10.631 Disk 1 MBR hidden
01:03:10.634 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:03:10.661 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 152524 MB offset 206848
01:03:10.666 Disk 1 MBR [TDL4] **ROOTKIT**
01:03:10.670 Disk 1 trace - called modules:
01:03:10.675 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800aa85330]<<15194934.sys >>UNKNOWN [0xfffffa80097515c4]<<
01:03:10.678 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80092d8060]
01:03:10.682 3 CLASSPNP.SYS[fffff8800124d43f] -> nt!IofCallDriver -> [0xfffffa8009042580]
01:03:10.686 5 ACPI.sys[fffff8800108a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80090a7060]
01:03:10.690 \Driver\atapi[0xfffffa8009571e70] -> IRP_MJ_CREATE -> 0xfffffa80097515c4
01:03:13.102 AVAST engine scan C:\Windows
01:03:15.925 AVAST engine scan C:\Windows\system32
01:05:01.999 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:05:04.155 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:07:04.759 AVAST engine scan C:\Windows\system32\drivers
01:07:17.477 AVAST engine scan C:\Users\Phil Philson
01:08:22.758 Disk 1 MBR has been saved successfully to "C:\Users\Phil Philson\Desktop\MBR.dat"
01:08:22.765 The log file has been saved successfully to "C:\Users\Phil Philson\Desktop\aswMBR.txt"

Eset
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\qlipso-qlipso-silent-us.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\2171.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\2172.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.07.2012_00.24.22\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.07.2012_00.24.22\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.07.2012_00.24.22\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AC trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.07.2012_00.24.22\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\23.07.2012_00.24.22\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined
C:\Windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\87PNE7G9\contact-us[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL18F5YW\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWF5UGZL\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWF5UGZL\index[2].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QUM4P5S6\kittyflix_com[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SNY73PD2\index[1].htm JS/Iframe.CV trojan cleaned by deleting - quarantined
C:\Windows\Temp\L.class a variant of Java/Agent.EQ trojan cleaned by deleting - quarantined
F:\Documents and Settings\Phil Philson\Local Settings\Application Data\{8B566AEE-5139-45A2-BF1A-480412A0416A}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan cleaned by deleting - quarantined
F:\Documents and Settings\Phil Philson\Local Settings\Temp\gh860lc1f7.log a variant of Win32/Gootkit.J trojan cleaned by deleting - quarantined
F:\Documents and Settings\Phil Philson\Local Settings\Temp\wscramexno.tmp multiple threats deleted - quarantined
F:\Documents and Settings\Phil Philson\Local Settings\Temp\NERO1003378\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan

#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 23 July 2012 - 02:39 PM

Good evening. :)

Please go here, follow steps six, seven and eight as best you can, skipping those that you cannot run for any reason, and then post accordingly into this thread.

So long, and thanks for all the fish.

#3 drpepperdrinker (Topic Starter, Members, 8 posts)

Posted 23 July 2012 - 09:14 PM

The generic_c.mmi trojan dropper is still opening up web pages and popping up from AVG showing system.exe as a threat. I ran through steps six and seven from the thread you directed me to (running Defogger, then the DDS tool). I did not run step eight because I am running Windows 7 x64 and it says not to create a GMER log on a 64-bit system. I have pasted in the text from the DDS.txt file created. I have created a zipped version of the attach.txt result from the DDS tool, but it said not to post it unless specifically asked to do so. Thank you.

DDS.txt


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by Phil Philson at 20:48:20 on 2012-07-23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.10238.8252 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AFLICS\AfterFLICS.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe
C:\Program Files\Autodesk\3ds Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe
C:\Program Files (x86)\PDMWorks Workgroup\Vault\pdmwService.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
C:\Program Files (x86)\Giraffic\Veoh_Giraffic.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\SysWOW64\WTClient.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exeC:\Windows\system32\config\systemprofile\AppData\Roaming\appconf32.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe

\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:

\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX

Plus Web Player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player

\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office

\Office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common

Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin

\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat

\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

\AcroIEFavClient.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [VeohPlugin] "C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
uRun: [Akamai NetSession Interface] "C:\Users\Phil Philson\AppData\Local\Akamai\netsession_win.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe"

-launchedbylogin
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [WTClient] WTClient.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOLIDW~1.LNK - C:\Program Files (x86)\Common

Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX

\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:

\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG

\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:

\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://dl-

ak.solidworks.com/nonsecure/edrawings/e2012sp01/12.1.0.130/cab//eModelsStandard.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F52313438303 : DhcpNameServer =

192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F52383834303 : DhcpNameServer =

192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F55333034313 : DhcpNameServer =

192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F55393637373 : DhcpNameServer =

192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office

\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft

Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe

\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:

\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX

\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player

\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on

supported sites - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft

Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files

(x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java

\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe

\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat

\ActiveX\AcroIEFavClient.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager

\CS6ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [WTClient] WTClient.exe
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft

Office\Office12\GrooveShellExtensions.dll
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phil Philson\AppData\Roaming\Mozilla\Firefox\Profiles\jt6i463z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-

65C46FAD54F9}\components\Contribute.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components

\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components

\nprpffbrowserrecordlegacyext.dll
FF - component: C:\Users\Phil Philson\AppData\Roaming\Mozilla\Firefox\Profiles\jt6i463z.default\extensions

\piclens@cooliris.com\components\cooliris.dll
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Phil Philson\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS

\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS

\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows

\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows

\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS

\vwififlt.sys [?]
R2 AfterFLICS v3;AfterFLICS v3;C:\Program Files (x86)\AFLICS\AfterFLICS.exe [2012-7-18 135170]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows

\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 Giraffic;Veoh Giraffic Video Accelerator;C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service -->

C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service [?]
R2 mi-raysat_3dsmax2013_64;mental ray 3.10 Satellite for Autodesk 3ds Max 2013 64-bit;C:\Program Files\Autodesk\3ds

Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe [2011-9-14 86016]
R2 PDMWorks Workgroup Server;SolidWorks Workgroup PDM Server;C:\Program Files (x86)\PDMWorks Workgroup\Vault

\pdmwService.exe [2010-11-24 3276800]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS

\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS

\avgidsfiltera.sys [?]
R3 PTSimBus;PenTablet Bus Enumerator;C:\Windows\system32\DRIVERS\PTSimBus.sys --> C:\Windows\system32\DRIVERS

\PTSimBus.sys [?]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;C:\Windows\system32\DRIVERS\PTSimHid.sys --> C:\Windows

\system32\DRIVERS\PTSimHid.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS

\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework

\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET

\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:

\Windows\system32\Drivers\ssadadb.sys [?]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;C:\Program Files\SolidWorks Corp\SolidWorks

\swScheduler\DTSCoordinatorService.exe [2011-10-1 89160]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared

\FLEXnet Publisher\FNPLicensingService64.exe [2011-1-3 1432400]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service

\maintenanceservice.exe [2012-4-25 113120]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows

\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows

\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27

288272]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:

\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows

\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows

\system32\DRIVERS\ssadmdm.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19

517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers

\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2012-07-23 06:10:17 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-23 05:44:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-22 06:11:24 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-22 01:57:04 -------- d-----w- C:\Windows\SysWow64\TabletPmt
2012-07-22 01:57:04 -------- d-----w- C:\Program Files (x86)\TABLET
2012-07-21 02:43:41 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates

\{B0F9761A-9813-487A-B5E5-6467C484173B}\mpengine.dll
2012-07-18 20:10:44 -------- d-----w- C:\FumeFX61200188
2012-07-18 19:19:38 -------- d-----w- C:\Program Files (x86)\AFLICS
2012-07-18 19:19:03 225280 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript

\IScript.dll
2012-07-18 19:19:03 176128 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel

32\iuser.dll
2012-07-18 19:19:02 77824 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel

32\ctor.dll
2012-07-18 19:19:02 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel

32\objectps.dll
2012-07-18 01:13:39 -------- d-----w- C:\Program Files\Common Files\ChaosGroup
2012-07-18 01:13:27 -------- d-----w- C:\Program Files\Chaos Group
2012-07-03 22:08:32 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates

\{6CCCD940-61CE-48CA-B9B8-3DBFEA8F6BEE}\gapaengine.dll
2012-07-02 21:47:45 -------- d-----w- C:\Users\Phil Philson\AppData\Local\Macromedia
2012-07-02 00:55:39 -------- d-----w- C:\ProgramData\ALM
2012-07-02 00:46:17 -------- d-----w- C:\Users\Phil Philson\Adobe Flash Builder 4.6
2012-07-02 00:07:28 -------- d-----w- C:\Users\Phil Philson\AppData\Local\Adobe
.
==================== Find3M ====================
.
2012-07-22 21:09:53 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-22 21:09:53 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-05-25 06:33:05 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-05-25 06:33:05 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
.
============= FINISH: 20:50:41.07 ===============

#4 Noviciate (Malware Response Team, 5,277 posts)

Posted 24 July 2012 - 02:18 PM

Good evening. :)

Will you open the log again, click on Format and ensure that Wordwrap is unchecked. If it isn't, uncheck it. Close the file and then re-open it and post the contents again - the extra lines that the first post contains make it difficult to read.
Will you also attach the zipped file in your next reply so that I can take a peek, thanks.

So long, and thanks for all the fish.

#5 drpepperdrinker (Topic Starter, Members, 8 posts)

Posted 24 July 2012 - 07:36 PM

Here is my message reposted without Wordwrap on and with the attach.zip file attached.

The generic_c.mmi trojan dropper is still opening up web pages and popping up from AVG showing system.exe as a threat. I ran through steps six and seven from the thread you directed me to (running Defogger, then the DDS tool). I did not run step eight because I am running Windows 7 x64 and it says not to create a GMER log on a 64-bit system. I have pasted in the text from the DDS.txt file created. I have created and attached a zipped version of the attach.txt result from the DDS tool. Thank you.

DDS.txt


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by Phil Philson at 20:48:20 on 2012-07-23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.10238.8252 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AFLICS\AfterFLICS.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DCPFLICS\DCPFLICS.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe
C:\Program Files\Autodesk\3ds Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe
C:\Program Files (x86)\PDMWorks Workgroup\Vault\pdmwService.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
C:\Program Files (x86)\Giraffic\Veoh_Giraffic.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\SysWOW64\WTClient.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exeC:\Windows\system32\config\systemprofile\AppData\Roaming\appconf32.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [VeohPlugin] "C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
uRun: [Akamai NetSession Interface] "C:\Users\Phil Philson\AppData\Local\Akamai\netsession_win.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [WTClient] WTClient.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOLIDW~1.LNK - C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://dl-ak.solidworks.com/nonsecure/edrawings/e2012sp01/12.1.0.130/cab//eModelsStandard.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F52313438303 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F52383834303 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F55333034313 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{978B4040-BFDD-46AF-8D31-D3193F2B594C}\C696E6B6379737F5F475F55393637373 : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO-X64: AVG Do Not Track - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [WTClient] WTClient.exe
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phil Philson\AppData\Roaming\Mozilla\Firefox\Profiles\jt6i463z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: C:\Users\Phil Philson\AppData\Roaming\Mozilla\Firefox\Profiles\jt6i463z.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Phil Philson\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AfterFLICS v3;AfterFLICS v3;C:\Program Files (x86)\AFLICS\AfterFLICS.exe [2012-7-18 135170]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 Giraffic;Veoh Giraffic Video Accelerator;C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service --> C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service [?]
R2 mi-raysat_3dsmax2013_64;mental ray 3.10 Satellite for Autodesk 3ds Max 2013 64-bit;C:\Program Files\Autodesk\3ds Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe [2011-9-14 86016]
R2 PDMWorks Workgroup Server;SolidWorks Workgroup PDM Server;C:\Program Files (x86)\PDMWorks Workgroup\Vault\pdmwService.exe [2010-11-24 3276800]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 PTSimBus;PenTablet Bus Enumerator;C:\Windows\system32\DRIVERS\PTSimBus.sys --> C:\Windows\system32\DRIVERS\PTSimBus.sys [?]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;C:\Windows\system32\DRIVERS\PTSimHid.sys --> C:\Windows\system32\DRIVERS\PTSimHid.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-10-1 89160]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-1-3 1432400]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-25 113120]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2012-07-23 06:10:17 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-23 05:44:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-22 06:11:24 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-22 01:57:04 -------- d-----w- C:\Windows\SysWow64\TabletPmt
2012-07-22 01:57:04 -------- d-----w- C:\Program Files (x86)\TABLET
2012-07-21 02:43:41 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B0F9761A-9813-487A-B5E5-6467C484173B}\mpengine.dll
2012-07-18 20:10:44 -------- d-----w- C:\FumeFX61200188
2012-07-18 19:19:38 -------- d-----w- C:\Program Files (x86)\AFLICS
2012-07-18 19:19:03 225280 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
2012-07-18 19:19:03 176128 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-07-18 19:19:02 77824 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-07-18 19:19:02 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-07-18 01:13:39 -------- d-----w- C:\Program Files\Common Files\ChaosGroup
2012-07-18 01:13:27 -------- d-----w- C:\Program Files\Chaos Group
2012-07-03 22:08:32 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6CCCD940-61CE-48CA-B9B8-3DBFEA8F6BEE}\gapaengine.dll
2012-07-02 21:47:45 -------- d-----w- C:\Users\Phil Philson\AppData\Local\Macromedia
2012-07-02 00:55:39 -------- d-----w- C:\ProgramData\ALM
2012-07-02 00:46:17 -------- d-----w- C:\Users\Phil Philson\Adobe Flash Builder 4.6
2012-07-02 00:07:28 -------- d-----w- C:\Users\Phil Philson\AppData\Local\Adobe
.
==================== Find3M ====================
.
2012-07-22 21:09:53 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-22 21:09:53 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-05-25 06:33:05 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-05-25 06:33:05 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
.
============= FINISH: 20:50:41.07 ===============

Attached Files
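
Two lines in the DDS report above are worth checking by hand on any machine with these symptoms. The Winlogon entry reads "Userinit=userinit.exeC:\Windows\system32\config\systemprofile\AppData\Roaming\appconf32.exe," so a second executable under the system profile's AppData is started at every logon, and the hosts entry "94.63.147.17 www.bing.com" sends every request for www.bing.com to that address, which by itself produces redirected searches. The following Python is an added example for this page, not a tool from the thread and not DDS code: it reads a constructed copy of those report lines and flags any Userinit entry whose file name is not userinit.exe and any hosts entry that points a hostname at something other than loopback or 0.0.0.0. The "mWinlogon:" and "Hosts:" prefixes it matches are the ones DDS prints above.

```python
"""Triage of two DDS "Pseudo HJT Report" line types: the Winlogon Userinit
value and hosts-file overrides. Added example for this thread; it reads
constructed text, not the live registry or hosts file."""
import re
from ipaddress import ip_address

# Constructed sample: the relevant lines as DDS printed them in the report above.
SAMPLE_DDS = "\n".join([
    r"uStart Page = hxxp://www.google.com/",
    r"mWinlogon: Userinit=userinit.exeC:\Windows\system32\config\systemprofile\AppData\Roaming\appconf32.exe,",
    r"Hosts: 94.63.147.17 www.bing.com",
])

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")


def split_userinit(value: str) -> list[str]:
    """Split a Userinit value into its executables. Windows separates them
    with commas; in the DDS line above the first entry runs straight into
    the second ("userinit.exeC:\\..."), so also split where ".exe" is
    immediately followed by a drive letter."""
    value = re.sub(r"(?i)(\.exe)(?=[A-Za-z]:\\)", r"\1,", value)
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_extras(value: str) -> list[str]:
    """Every Userinit entry whose file name is not userinit.exe. Winlogon runs
    each listed program at logon, so an extra entry is a persistence point."""
    extras = []
    for entry in split_userinit(value):
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != "userinit.exe":
            extras.append(entry)
    return extras


def hosts_redirects(ip: str, host: str) -> bool:
    """True when a hosts entry sends a hostname somewhere other than loopback
    or 0.0.0.0. Blocking entries use those two; anything else is a redirect."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def triage(dds_text: str) -> dict:
    """Walk DDS output and collect the two indicator types."""
    findings = {"userinit_extras": [], "hosts_redirects": []}
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            findings["userinit_extras"].extend(userinit_extras(m.group(1)))
            continue
        m = HOSTS_RE.match(line)
        if m and hosts_redirects(m.group(1), m.group(2)):
            findings["hosts_redirects"].append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_DDS).items():
        for item in items:
            print(f"{kind}: {item}")
```

On a live machine the same two checks are a registry read of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and a read of %SystemRoot%\System32\drivers\etc\hosts; the logic above does not change, only the input source.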



#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 July 2012 - 02:12 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#7 drpepperdrinker

drpepperdrinker
  • Topic Starter

  • Members
  • 8 posts

Posted 25 July 2012 - 03:00 PM

The generic_c.mmi trojan dropper is still opening up web pages, and popping up from AVG showing system.exe as a threat. Also the size of the available space on my C: drive keeps changing by multiple gigs. I have run the aswMBR software and here is the result. Thank you.

Windows 7 x64




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-23 00:45:47
-----------------------------
00:45:47.655 OS Version: Windows x64 6.1.7600
00:45:47.656 Number of processors: 2 586 0x170A
00:45:47.656 ComputerName: PHILPHILSON-PC UserName: Phil Philson
00:45:51.910 Initialize success
01:01:10.251 AVAST engine defs: 12072201
01:03:10.606 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5
01:03:10.608 Disk 0 Vendor: WDC_WD3200AAJS-22L7A0 01.03E01 Size: 305244MB BusType: 3
01:03:10.610 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
01:03:10.611 Disk 1 Vendor: Maxtor_6G160E0 KA101UW0 Size: 152626MB BusType: 3
01:03:10.614 Device \Driver\atapi -> MajorFunction fffffa80097515c4
01:03:10.617 Disk 1 MBR read successfully
01:03:10.619 Disk 1 MBR scan
01:03:10.623 Disk 1 MBR:Pihar-C [Rtk]
01:03:10.625 Disk 1 TDL4@MBR code has been found
01:03:10.628 Disk 1 Windows 7 default MBR code found via API
01:03:10.631 Disk 1 MBR hidden
01:03:10.634 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:03:10.661 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 152524 MB offset 206848
01:03:10.666 Disk 1 MBR [TDL4] **ROOTKIT**
01:03:10.670 Disk 1 trace - called modules:
01:03:10.675 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800aa85330]<<15194934.sys >>UNKNOWN [0xfffffa80097515c4]<<
01:03:10.678 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80092d8060]
01:03:10.682 3 CLASSPNP.SYS[fffff8800124d43f] -> nt!IofCallDriver -> [0xfffffa8009042580]
01:03:10.686 5 ACPI.sys[fffff8800108a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80090a7060]
01:03:10.690 \Driver\atapi[0xfffffa8009571e70] -> IRP_MJ_CREATE -> 0xfffffa80097515c4
01:03:13.102 AVAST engine scan C:\Windows
01:03:15.925 AVAST engine scan C:\Windows\system32
01:05:01.999 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:05:04.155 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:07:04.759 AVAST engine scan C:\Windows\system32\drivers
01:07:17.477 AVAST engine scan C:\Users\Phil Philson
01:08:22.758 Disk 1 MBR has been saved successfully to "C:\Users\Phil Philson\Desktop\MBR.dat"
01:08:22.765 The log file has been saved successfully to "C:\Users\Phil Philson\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-25 14:40:53
-----------------------------
14:40:53.445 OS Version: Windows x64 6.1.7600
14:40:53.445 Number of processors: 2 586 0x170A
14:40:53.445 ComputerName: PHILPHILSON-PC UserName: Phil Philson
14:40:57.189 Initialize success
14:41:17.546 AVAST engine defs: 12072500
14:41:22.640 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5
14:41:22.642 Disk 0 Vendor: WDC_WD3200AAJS-22L7A0 01.03E01 Size: 305244MB BusType: 3
14:41:22.645 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
14:41:22.647 Disk 1 Vendor: Maxtor_6G160E0 KA101UW0 Size: 152626MB BusType: 3
14:41:22.675 Disk 1 MBR read successfully
14:41:22.678 Disk 1 MBR scan
14:41:22.682 Disk 1 Windows 7 default MBR code
14:41:22.688 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:41:22.701 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 152524 MB offset 206848
14:41:22.725 Disk 1 scanning C:\Windows\system32\drivers
14:41:32.574 Service scanning
14:41:53.171 Service Tablet2k C:\Windows\"%SystemRoot%\System32\Drivers\Tablet2k.sys" **LOCKED** 123
14:41:57.951 Modules scanning
14:41:57.957 Disk 1 trace - called modules:
14:41:57.982 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:41:57.985 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8009224060]
14:41:57.989 3 CLASSPNP.SYS[fffff8800191643f] -> nt!IofCallDriver -> [0xfffffa8008d4b580]
14:41:57.993 5 ACPI.sys[fffff88000ee5781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8008d4d060]
14:42:01.313 AVAST engine scan C:\Windows
14:42:04.185 AVAST engine scan C:\Windows\system32
14:44:50.153 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:44:52.831 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:47:18.488 AVAST engine scan C:\Windows\system32\drivers
14:47:33.581 AVAST engine scan C:\Users\Phil Philson
14:55:04.604 Disk 1 MBR has been saved successfully to "C:\Users\Phil Philson\Desktop\MBR.dat"
14:55:04.610 The log file has been saved successfully to "C:\Users\Phil Philson\Desktop\aswMBR.txt"
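
The first aswMBR run above is a textbook MBR bootkit picture: "Windows 7 default MBR code found via API" next to "TDL4@MBR code has been found" and "MBR hidden", and a call trace in which \Driver\atapi's IRP_MJ_CREATE handler points at an unknown address rather than at atapi.sys. The sector handed to ordinary API callers is clean; the sector actually on disk is not. The second run, two days later, shows the default code and a trace that ends in atapi.sys. Both runs also saved the raw sector as MBR.dat on the Desktop. The following Python is an added example for this page of what to do with such a dump; it is not aswMBR's code and not from the thread. It parses the 512-byte MBR layout, checks the partition table against the values in the log (a 100 MB active NTFS partition at LBA 2048 and a 152524 MB NTFS partition at LBA 206848), fingerprints the 440-byte bootstrap region against a known-good hash, and compares an "API view" and a "raw view" of the same sector to localise the difference. The two sectors it builds are constructed, and the bootstrap bytes are stand-ins, not the real Windows 7 boot code or any bootkit's code.

```python
"""Parse a raw 512-byte MBR sector, the format of the MBR.dat that aswMBR
saves, and compare two views of the same sector. Added example for this
thread; the sectors below are constructed, not dumps from the poster's disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bootstrap code occupies bytes 0x000-0x1B7
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Stand-in bootstrap code. Not the real Windows 7 boot code and not TDL4 code;
# they only need to differ so the comparison below has something to find.
CLEAN_BOOT_CODE = (b"CLEAN-STANDIN-BOOTCODE" * 20)[:BOOT_CODE_LEN]
BOOTKIT_BOOT_CODE = (b"BOOTKIT-STANDIN-BOOTCODE" * 20)[:BOOT_CODE_LEN]


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields left zero; the LBA fields are what modern code reads.
    return struct.pack(ENTRY_FMT, status, bytes(3), ptype, bytes(3), lba_start, sectors)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR with the layout aswMBR reported for Disk 1: an active
    100 MB NTFS partition at LBA 2048 and a 152524 MB NTFS partition at
    LBA 206848. MB figures assume 512-byte sectors, i.e. 2048 sectors per MB."""
    assert len(boot_code) == BOOT_CODE_LEN
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code
    sector[0x1B8:0x1BC] = b"\x11\x22\x33\x44"           # disk signature, arbitrary
    table = _entry(0x80, 0x07, 2048, 100 * 2048)
    table += _entry(0x00, 0x07, 206848, 152524 * 2048)
    table += bytes(32)                                   # two unused entries
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 64] = table
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors, "size_mb": sectors // 2048})
    return {
        "boot_sig_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_against_known_good(sector: bytes, known_good_sha256: set) -> list[str]:
    """Static checks on one sector: signature present, bootstrap code matches a
    hash you trust (e.g. taken from a clean install of the same Windows build),
    exactly one active partition."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_sig_ok"]:
        findings.append("0x55AA boot signature missing")
    if info["boot_code_sha256"] not in known_good_sha256:
        findings.append("bootstrap code hash not in the known-good set")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def compare_views(api_view: bytes, raw_view: bytes) -> list[str]:
    """Localise the difference between an MBR read through the normal disk API
    and one read underneath the driver stack. A bootkit that hooks the disk
    driver serves the clean sector to API callers while its own code sits on
    disk, and it normally leaves the partition table alone, so the difference
    shows up in the bootstrap region only."""
    regions = [("bootstrap code", 0, BOOT_CODE_LEN),
               ("disk signature and reserved bytes", BOOT_CODE_LEN, PART_TABLE_OFF),
               ("partition table", PART_TABLE_OFF, BOOT_SIG_OFF),
               ("boot signature", BOOT_SIG_OFF, SECTOR)]
    return [f"{name} differs between API read and raw read"
            for name, lo, hi in regions if api_view[lo:hi] != raw_view[lo:hi]]


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    on_disk = build_sample_mbr(BOOTKIT_BOOT_CODE)
    known_good = {parse_mbr(clean)["boot_code_sha256"]}
    for p in parse_mbr(on_disk)["partitions"]:
        print(p)
    print(check_against_known_good(on_disk, known_good))
    print(compare_views(clean, on_disk))
```

To use it on a real MBR.dat, read the file in binary mode and pass the 512 bytes to parse_mbr; the known-good hash set has to come from a sector you trust, since a hash alone cannot tell clean from infected. Reading "underneath" a hooked driver from user mode is not possible, which is why aswMBR and TDSSKiller do that part in the kernel; this script only shows what the comparison looks like once you have both views.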

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 July 2012 - 05:18 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#9 drpepperdrinker

drpepperdrinker
  • Topic Starter

  • Members
  • 8 posts

Posted 26 July 2012 - 01:48 PM

After running ComboFix the generic_c.mmi trojan dropper is no longer opening up web pages, or popping up from AVG showing system.exe as a threat. The system is now no longer redirecting me to websites, or disabling my antivirus. It is still, however, fluctuating the available hard drive space by massive amounts. Thanks.
Windows 7 x64



ComboFix 12-07-26.04 - Phil Philson 07/25/2012 19:28:43.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.10238.8321 [GMT -5:00]
Running from: c:\users\Phil Philson\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\a92c98d9
C:\ReGBe.Bin
c:\users\Phil Philson\AppData\Roaming\1762df64
c:\users\Phil Philson\AppData\Roaming\AcroIEHelpe.txt
c:\users\Phil Philson\AppData\Roaming\jt6i463z.default.tmp
c:\users\Phil Philson\AppData\Roaming\srvblck2.tmp
c:\users\Phil Philson\Taskmgr.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\L\00000004.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\L\201d3dde
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\00000004.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\00000008.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\000000cb.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000000.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000032.@
c:\windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000064.@
c:\windows\svchost.exe
c:\windows\SysWow64\config\systemprofile\0.30710840073857815.exe
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy1_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
.
.
2012-07-26 00:37 . 2012-07-26 00:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-23 06:10 . 2012-07-23 06:10 -------- d-----w- c:\program files (x86)\ESET
2012-07-23 05:44 . 2012-07-23 05:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-22 06:11 . 2012-07-22 06:11 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-22 01:57 . 2012-07-22 01:57 -------- d-----w- c:\program files (x86)\TABLET
2012-07-22 01:57 . 2012-07-22 01:57 -------- d-----w- c:\windows\SysWow64\TabletPmt
2012-07-21 02:43 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B0F9761A-9813-487A-B5E5-6467C484173B}\mpengine.dll
2012-07-18 20:10 . 2012-07-18 23:43 -------- d-----w- C:\FumeFX61200188
2012-07-18 19:19 . 2012-07-18 19:31 -------- d-----w- c:\program files (x86)\AFLICS
2012-07-18 19:19 . 2001-09-05 13:18 225280 ------w- c:\program files (x86)\Common Files\InstallShield\IScript\IScript.dll
2012-07-18 19:19 . 2001-09-05 13:14 176128 ------w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
2012-07-18 19:19 . 2001-09-05 13:18 77824 ------w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
2012-07-18 19:19 . 2001-09-05 13:13 32768 ------w- c:\program files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
2012-07-18 01:13 . 2012-07-18 01:13 -------- d-----w- c:\program files\Common Files\ChaosGroup
2012-07-18 01:13 . 2012-07-18 01:13 -------- d-----w- c:\program files\Chaos Group
2012-07-03 22:08 . 2012-02-10 15:31 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6CCCD940-61CE-48CA-B9B8-3DBFEA8F6BEE}\gapaengine.dll
2012-07-02 21:47 . 2012-07-02 21:47 -------- d-----w- c:\users\Phil Philson\AppData\Local\Macromedia
2012-07-02 00:55 . 2012-07-02 00:55 -------- d-----w- c:\programdata\ALM
2012-07-02 00:46 . 2012-07-02 00:46 -------- d-----w- c:\users\Phil Philson\Adobe Flash Builder 4.6
2012-07-02 00:25 . 2012-07-02 00:25 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-07-02 00:17 . 2012-07-02 04:19 -------- d-----w- c:\program files\Adobe
2012-07-02 00:14 . 2012-07-02 04:30 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-02 00:08 . 2012-07-02 04:30 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-07-02 00:07 . 2012-07-25 07:00 -------- d-----w- c:\users\Phil Philson\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-22 21:09 . 2012-04-04 21:57 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-22 21:09 . 2011-05-16 06:38 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-29 10:04 . 2011-03-24 05:47 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-02 22:19 . 2012-06-22 02:40 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 02:40 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 02:40 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 02:40 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 02:40 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 02:40 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 02:40 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-22 02:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 02:39 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-25 06:33 . 2012-05-25 06:33 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-05-25 06:33 . 2012-05-25 06:33 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files (x86)\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2011-06-30 2648184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-05-25 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-06-25 1073352]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-09-05 937920]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"WTClient"="WTClient.exe" [2009-10-30 32768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2011-12-14 1836104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R1 skfxeqvf;skfxeqvf;c:\windows\system32\drivers\skfxeqvf.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-05-13 36328]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-10-01 89160]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-04-28 1432400]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 40832]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 84864]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-13 157672]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-13 16872]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-13 177640]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-04 834544]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-03 56208]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AfterFLICS v3;AfterFLICS v3;c:\program files (x86)\AFLICS\AfterFLICS.exe [2011-04-15 135170]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2012-07-04 5160568]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files (x86)\Giraffic\Veoh_GirafficWatchdog.exe [2012-07-02 2232504]
S2 mi-raysat_3dsmax2013_64;mental ray 3.10 Satellite for Autodesk 3ds Max 2013 64-bit;c:\program files\Autodesk\3ds Max 2013\NVIDIA\raysat_3dsmax2013_64server.exe [2011-09-14 86016]
S2 PDMWorks Workgroup Server;SolidWorks Workgroup PDM Server;c:\program files (x86)\PDMWorks Workgroup\Vault\pdmwService.exe [2010-11-24 3276800]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 306176]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2009-06-18 27304]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2009-06-18 17064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\Phil Philson\AppData\Roaming\Mozilla\Firefox\Profiles\jt6i463z.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\Phil Philson\AppData\Local\Akamai\netsession_win.exe
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
SafeBoot-MsMpSvc
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:d2,94,cf,8a,f6,ff,8e,ec,04,ca,93,13,0f,9f,65,bf,f5,15,22,e4,78,
3f,94,1a,8a,34,d4,18,09,80,60,8c,d4,62,76,8b,5c,f3,99,2b,3a,0f,b6,71,00,e1,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:d2,94,cf,8a,f6,ff,8e,ec,04,ca,93,13,0f,9f,65,bf,f5,15,22,e4,78,
3f,94,1a,8a,34,d4,18,09,80,60,8c,d4,62,76,8b,5c,f3,99,2b,3a,0f,b6,71,00,e1,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\DCPFLICS\DCPFLICS.exe
c:\windows\System32\Drivers\WTSRV.EXE
c:\program files (x86)\Giraffic\Veoh_Giraffic.exe
.
**************************************************************************
.
Completion time: 2012-07-25 19:49:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-26 00:49
.
Pre-Run: 9,972,985,856 bytes free
Post-Run: 5,713,489,920 bytes free
.
- - End Of File - - 0B38C3271EB34C4F6EBD35A7D3467F5D
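
The line `R1 skfxeqvf;skfxeqvf;c:\windows\system32\drivers\skfxeqvf.sys [x]` in the Reg Loading Points section above is the one a responder reads first: ComboFix marks it running (`R`) with start type 1 (system), the service name and display name are the same generated-looking string, and `[x]` means the driver image was not found on disk. As an added example that is not part of the thread or of ComboFix, the Python below parses ComboFix's service lines and reports entries with those traits. The five sample lines are copied from the log above, the start-type decoding is the standard Windows one, and the random-name heuristic is an assumption of mine, not a ComboFix rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Five lines copied from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE = r"""
R1 skfxeqvf;skfxeqvf;c:\windows\system32\drivers\skfxeqvf.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-04 834544]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files (x86)\Giraffic\Veoh_GirafficWatchdog.exe [2012-07-02 2232504]
"""

# ComboFix service line: <R|S><start> <name>;<display>;<image path> [<date> <size>] or [x].
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 manual, 4 disabled;
# [x] = image file not found on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+"
    r"\[(?:(?P<missing>x)|(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+))\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    path: str
    file_present: bool
    date: Optional[str]
    size: Optional[int]


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse every line in ComboFix's service format; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m["state"], start=int(m["start"]), name=m["name"],
            display=m["display"], path=m["path"],
            file_present=m["missing"] is None,
            date=m["date"], size=int(m["size"]) if m["size"] else None))
    return entries


def review_reasons(e: ServiceEntry) -> list[str]:
    """Traits that make an entry worth explaining before the machine is declared clean."""
    reasons = []
    if not e.file_present:
        reasons.append("image file missing on disk")
    if e.path.lower().endswith(".sys") and e.start <= 1:
        reasons.append("kernel driver with boot/system start type")
    # Heuristic, an assumption rather than a ComboFix rule: a short, all-lowercase,
    # vowel-poor name reused as the display name looks generated; vendor drivers
    # normally carry a descriptive display name.
    vowels = sum(c in "aeiou" for c in e.name)
    if (re.fullmatch(r"[a-z]{7,10}", e.name) and e.display == e.name
            and vowels / len(e.name) < 0.3):
        reasons.append("generated-looking name with no vendor display name")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Service name -> reasons, for entries with a missing image or two or more traits."""
    flagged = {}
    for e in parse_services(text):
        reasons = review_reasons(e)
        if not e.file_present or len(reasons) >= 2:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the sample only `skfxeqvf` is reported; `sptd` (start type 4, file present) and the AVG boot driver (vendor display name, file present) pass. A missing image is never a verdict on its own, but it is the entry to ask the helper about, since a driver registered to load at system start with nothing to load is either a leftover from a removal or something that is hiding its file.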

#10 Noviciate (Malware Response Team)

Posted 26 July 2012 - 02:30 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.
#11 drpepperdrinker (Topic Starter)

Posted 27 July 2012 - 12:24 AM

After running ComboFix the generic_c.mmi trojan dropper is no longer opening up web pages, or popping up from AVG showing system.exe as a threat. The system is now no longer redirecting me to websites, or disabling my antivirus. It is still, however, fluctuating the available hard drive space by massive amounts. I have run the ESET scanner and posted the log below. Thanks.

Windows 7 x64

C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\00000008.@.vir Win64/Agent.BA trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\6316524d-50f923b3 Java/Exploit.CVE-2011-3544.AU trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\2fd6e594-67ed4b2d Java/Agent.AE trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\1e899557-3ef0156b Java/Agent.AE trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\1b6211a6-5839ef15 Java/Exploit.CVE-2011-3544.F trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\432058b8-5197ae5a multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\18cb778f-1ac51319 Java/Exploit.CVE-2012-0507.DE trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\3eac6f9e-72fff3ba a variant of Java/Exploit.Agent.NBS trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\3bd10d6e-7fb97da3 Java/Exploit.CVE-2011-3544.AU trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\18cb778f-1ac51319 Java/Exploit.CVE-2012-0507.DE trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\3eac6f9e-72fff3ba a variant of Java/Exploit.Agent.NBS trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\3bd10d6e-7fb97da3 Java/Exploit.CVE-2011-3544.AU trojan
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TV6P91L2\C0[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\10\334136ca-6ff4f79c a variant of Java/Exploit.Agent.NAL trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\14\39acf28e-2ad51208 a variant of Java/TrojanDownloader.Agent.NBK trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\20\7bb99554-627c3380 a variant of Java/Exploit.CVE-2009-2843.B trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-1012bc70 multiple threats
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\31\6140ca9f-76a69930 multiple threats
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\36\1ffc5a4-7a082237 probably a variant of Java/Agent.BR trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\38\1c0702e6-7a5db162 multiple threats
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\39\48771d67-48f0c23e Java/Rexec.A trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\50\77c3a532-1858a7c4 multiple threats
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\53\5e185af5-735f35c1 Java/TrojanDownloader.Agent.NBM trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\55\3ace5fb7-330eedc6 a variant of Java/Exploit.CVE-2009-2843.B trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\57\30e22ff9-5500dc87 multiple threats
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\58\1f62c23a-651cf60a Java/TrojanDownloader.Agent.NBM trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\8\6d423548-76377082 multiple threats
F:\Documents and Settings\Phil Philson\Local Settings\Temp\jar_cache5712713411262447595.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
F:\Documents and Settings\Phil Philson\Local Settings\Temp\jar_cache981399844824601590.tmp a variant of Java/Exploit.Agent.NAL trojan
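
The export above lists 32 hits, but they fall into a few buckets that mean different things for the response. Copies under `C:\Qoobox\Quarantine` are what ComboFix already removed: the quarantined `services.exe.vir` detected as `Win64/Patched.B.Gen` shows the live system binary had been patched, and the `\Windows\Installer\{...}\U\` files are ESET's Sirefef family, better known as ZeroAccess. Files under `Sun\Java\Deployment\cache` are jars the Java plugin saved while web pages tried to exploit it, and the CVE numbers in the detection names say which Java bugs were targeted. Hits under `config\systemprofile` mean a Java cache exists under the LocalSystem account's profile, which is worth a second look. Everything on `F:` sits in an old `Documents and Settings` profile on a second drive, not in the running OS, and `Win32/OpenCandy application` is an ad-supported installer module, classed as potentially unwanted rather than as malware. As an added example that is not part of the thread or of ESET's tooling, the Python below parses the export format into those buckets; the nine sample lines are copied from the export above, and the bucket names are my own.

```python
from __future__ import annotations

import re
from collections import Counter

# Nine lines copied from the ESET "List of found threats" export above.
ESET_EXPORT = r"""
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Windows\Installer\{8c17a966-1822-741c-2d9f-7110ed132370}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\6316524d-50f923b3 Java/Exploit.CVE-2011-3544.AU trojan
C:\Users\Phil Philson\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\432058b8-5197ae5a multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\18cb778f-1ac51319 Java/Exploit.CVE-2012-0507.DE trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\20\7bb99554-627c3380 a variant of Java/Exploit.CVE-2009-2843.B trojan
F:\Documents and Settings\Phil Philson\Application Data\Sun\Java\Deployment\cache\6.0\36\1ffc5a4-7a082237 probably a variant of Java/Agent.BR trojan
F:\Documents and Settings\Phil Philson\Local Settings\Temp\jar_cache5712713411262447595.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
"""

# An export line is "<path> <detection>". Paths contain spaces, so the detection is
# recognised from its shape: optional "(probably) a variant of", a Platform/Name
# token plus a type word, or the literal "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+ \S+|multiple threats)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")


def parse_export(text: str) -> list[tuple[str, str]]:
    """(path, detection) for each well-formed line; blank or odd lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["path"], m["detection"]))
    return out


def classify(path: str, detection: str) -> set[str]:
    """Bucket names are mine; they encode where the file sat, which decides the response."""
    p = path.lower()
    tags = set()
    if "\\qoobox\\quarantine\\" in p:
        tags.add("combofix_quarantine")   # already removed from the live system by ComboFix
    if "\\sun\\java\\deployment\\cache\\" in p:
        tags.add("java_cache")            # jar saved by the Java plugin during an exploit attempt
    if "\\jar_cache" in p:
        tags.add("temp_jar")              # jar extracted into the user's Temp folder
    if "\\config\\systemprofile\\" in p:
        tags.add("system_profile")        # cache under the LocalSystem account's profile
    if not p.startswith("c:\\"):
        tags.add("other_drive")           # second disk holding an old profile, not the running OS
    if detection.endswith(" application"):
        tags.add("pua")                   # potentially unwanted application, not malware
    return tags


def summarize(text: str) -> dict:
    """Totals per bucket plus the sorted set of CVE ids named in the detections."""
    findings = parse_export(text)
    buckets: Counter = Counter()
    cves: set[str] = set()
    for path, detection in findings:
        buckets.update(classify(path, detection))
        cves.update(CVE_RE.findall(detection))
    return {"total": len(findings), "buckets": dict(buckets), "cves": sorted(cves)}


if __name__ == "__main__":
    for key, value in summarize(ESET_EXPORT).items():
        print(f"{key}: {value}")
```

Run over the full export the same way, the CVE list is the useful output: every id names a Java bug that was patched before the scan date, which is the concrete argument for removing the old Java 6 Update 22 rather than leaving it installed.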

#12 Noviciate (Malware Response Team)

Posted 27 July 2012 - 02:20 PM

Good evening. :)

Can you give me more information on the drive space issue - how much is it fluctuating by, how are you ascertaining the space, etc., etc. Basically anything that you think may help to diagnose the issue.

So long, and thanks for all the fish.
#13 drpepperdrinker (Topic Starter)

Posted 31 July 2012 - 12:42 PM

When I go to the Computer folder, the C: drive has a listing of free space out of the total space. It is currently showing 8.16GB free, and only an hour ago it showed more than 9GB free. It doesn't always do this, but it will continue to drop until I am in the megabyte range and a warning comes up from the task bar saying low disk space. I believe that I actually have between 20GB and 30GB available. It acts as if a process is eating up my hard drive and then releases it when it is done, almost like a temporary file is being created and then purged. Sometimes a restart will release the hard drive space back to me. As I said, though, I don't think even the maximum I get back (in this case around 10.3GB) is how much free space I should have. It only happens on the C: drive and not my second hard drive or my external when it is connected. I used a program called WinDirStat to get a visual representation of where/how my hard drive is being used. The pagefile.sys is 10GB and the hiberfil.sys is 7.5GB. The pagefile was set automatically and I don't know if that is larger than it is supposed to be. The hard drive has a 150GB capacity. I don't know what the hiberfil.sys is. Most of the hard drive usage makes sense to me as I do have a lot of large file formats being stored (videos, 3D graphics files, etc.), and a couple of hard drive heavy applications (like Adobe products), but what I don't know is why it is fluctuating, and where. Any insight would help; this is more of an annoyance than an imminent threat. The computer runs fine and the generic_c.mmi trojan dropper seems to be cured. I believe this to be from some other cause. Thank you.

Windows 7 x64
150GB hard drive
10GB DDR3
Intel Core 2 Duo CPU E8400 @ 3.0GHz 2.67GHz
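
Two of the sizes in the post above are Windows defaults rather than symptoms. hiberfil.sys is the hibernation image, which Windows 7 sizes at 75% of RAM, so 10GB of RAM gives exactly the 7.5GB seen (it can be removed with `powercfg -h off` if hibernation is not wanted). A system-managed pagefile on Windows 7 starts at the size of RAM (10GB here), grows when committed memory spikes, and only gives the extra back at reboot, which would fit "sometimes a restart releases the space". Neither explains a drop from 9GB to 8GB within an hour while the machine sits there; for that a responder wants free space sampled over time, and the list of large files modified in the window when it dropped. As an added example that is not part of the thread, the Python below does both; the skip list and thresholds are my choices, walking a whole volume takes minutes, and an elevated prompt is needed to read other users' profiles.

```python
from __future__ import annotations

import os
import shutil
import time
from typing import Optional

# Hidden system files whose size is fixed by configuration, not by a runaway process:
# hiberfil.sys = hibernation image (75% of RAM on Windows 7),
# pagefile.sys = system-managed paging file (grows under memory pressure, trimmed at reboot).
SYSTEM_FILES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}


def sample_free_space(volume: str, samples: int, interval_s: float) -> list[int]:
    """Free bytes on `volume`, sampled `samples` times, `interval_s` seconds apart."""
    readings = []
    for i in range(samples):
        readings.append(shutil.disk_usage(volume).free)
        if i < samples - 1:
            time.sleep(interval_s)
    return readings


def free_space_swings(readings: list[int], threshold_bytes: int) -> list[tuple[int, int]]:
    """(sample index, delta) where free space moved by at least `threshold_bytes`
    between consecutive samples. Negative delta = space consumed, positive = released."""
    swings = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) >= threshold_bytes:
            swings.append((i, delta))
    return swings


def recent_large_files(root: str, newer_than_s: float, top_n: int = 10,
                       now: Optional[float] = None) -> list[tuple[int, str]]:
    """Largest files under `root` modified within the last `newer_than_s` seconds,
    as (size, path) with the biggest first. Fixed-size system files are skipped, as is
    anything that cannot be stat'ed (locked files, dangling junctions)."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in SYSTEM_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            if now - st.st_mtime <= newer_than_s:
                found.append((st.st_size, full))
    found.sort(reverse=True)
    return found[:top_n]


if __name__ == "__main__":
    volume = "C:\\" if os.name == "nt" else "/"
    # Six readings ten seconds apart; report any move of 100 MiB or more.
    readings = sample_free_space(volume, samples=6, interval_s=10)
    for i, delta in free_space_swings(readings, 100 * 1024 * 1024):
        print(f"sample {i}: free space moved by {delta / 2**20:.0f} MiB")
    # Then the largest files touched in the last ten minutes, the candidates for the swing.
    for size, path in recent_large_files(volume, newer_than_s=10 * 60):
        print(f"{size / 2**20:8.0f} MiB  {path}")
```

Run it from an elevated prompt while the free space is falling; a file that shows up in the second list and then disappears is the temporary file the post suspects, and its folder says which application owns it. If the list stays empty while free space still drops, the consumer is pagefile growth or something writing outside the filesystem view, and that is the point at which to hand the question to the helper with the readings attached.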

#14 Noviciate (Malware Response Team)

Posted 01 August 2012 - 02:55 PM

Good evening. :)

Sun Java needs updating, but sometimes it doesn't go according to plan, so for this I like to use a free utility available here called Revo Uninstaller - you want the Freeware version.

Install it, run it and select the following and have it remove them, accepting the default options:


Java™ 6 Update 22
Java Auto Updater


Then go here and click on the Windows Offline link for the appropriate version of your OS in the Windows section near the top - either 32 or 64 bit.

  • Save the file somewhere accessible.
  • Double click the installation file to, unsurprisingly, install the latest version of Java.
  • I suggest that you keep the installation file, as long as you have the disc space, as it will save you downloading it again should you need to reinstall for some reason. You can also use it on any other computers you have to save bandwidth.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't know the cause of your space issue, and I can't say whether it is the effects of any malware or not (but I think the PC is clean), so I recommend that you start a fresh thread in this part of the forum where someone wiser may have the solution. I'll leave this thread open so that if the conclusion is that it is an infection you can post back and I'll look further into it.

Please include a link to this topic in the new thread so that the person who helps you can review it if necessary.

So long, and thanks for all the fish.
#15 drpepperdrinker (Topic Starter)

Posted 05 August 2012 - 02:10 PM

Cool. Thanks for the help.