
Search Engine Trojans/Rootkits, Blue Screen when attempting GMER


  • This topic is locked
10 replies to this topic

#1 LVG26

  • Members
  • 6 posts

Posted 23 July 2012 - 11:34 PM

Help! After running AVG Anti-Virus, which removed a few viruses, it informed me that there were rootkits that needed attention. Below is what AVG Anti-Virus identified:

Scan "Whole computer scan" completed.
Rootkits;"15";"0";"15"
Folders selected for scanning:;"Whole computer scan"
Scan started:;"Monday, July 23, 2012, 10:51:15 AM"
Scan finished:;"Monday, July 23, 2012, 12:37:19 PM (1 hour(s) 46 minute(s) 4 second(s))"
Total object scanned:;"745895"
User who launched the scan:;"User"

Rootkits
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_CLOSE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_CREATE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_DEVICE_CONTROL -> CLASSPNP.SYS ClassIoComplete+0x1C8";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_FLUSH_BUFFERS -> CLASSPNP.SYS ClassIoComplete+0xEF";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_INTERNAL_DEVICE_CONTROL -> CLASSPNP.SYS ClassInternalIoControl";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_POWER -> CLASSPNP.SYS ClassForwardIrpSynchronous+0xD8";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_READ -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SHUTDOWN -> CLASSPNP.SYS ClassIoComplete+0xEF";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_WRITE -> CLASSPNP.SYS ClassCompleteRequest+0x13C";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\ViaIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\ViaIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\ViaIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\ViaIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)"



I learned from here that GMER would be a fine application for identifying and thus removing the rootkits, but after installing it and running a scan, the malware triggers a bluescreen reset. This is true in safe mode too. (I tried DDS per the Preparation Guide, but it would only freeze up during the scan, well after 3 minutes, and despite my closing all other applications and temporarily disabling AVG Anti-Virus.)

The bluescreen prompted me to this previous forum post (http://www.bleepingcomputer.com/forums/topic441594.html); using that as a guide, I ran the ESET online scanner and it reported 40 (!) threats! The log is as follows:

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p7qib26h.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p7qib26h.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome\xulcache.jar JS/Agent.NDO trojan
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ikot1udb.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ikot1udb.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome\xulcache.jar JS/Agent.NDO trojan
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\o8modtpi.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\o8modtpi.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome\xulcache.jar JS/Agent.NDO trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\32\49fe26a0-64c8fc7b Java/TrojanDownloader.OpenStream.NCM trojan
C:\Documents and Settings\User\Local Settings\Application Data\nvv.exe.vir a variant of Win32/Kryptik.QKG trojan
C:\Documents and Settings\User\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeupdt32.dll.vir a variant of Win32/Kryptik.TXQ trojan
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fkebbmeomikoijcdpchmamogpbnlcdcl\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\User\Local Settings\Temp\ICReinstall\cnet2_rt60ln90_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\User\Local Settings\Temp\is1598539481\786192_Setup.EXE Win32/OpenCandy application
C:\Documents and Settings\User\My Documents\Downloads\cnet2_rt60ln90_exe.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\User\My Documents\Downloads\imf-setup(1).exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\User\My Documents\Downloads\imf-setup(2).exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\User\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Documents and Settings\User\My Documents\Downloads\is360setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6 a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7 a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8 a variant of Win32/Toolbar.Widgi application
C:\Program Files\IObit Toolbar\IE\4.7\iobitToolbarIE.dll a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276030.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276031.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276032.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276033.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276091.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276092.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276093.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276094.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0277092.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0277093.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0277094.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1367\A0277267.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1367\A0277268.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1367\A0277269.manifest Win32/TrojanDownloader.Tracur.F trojan
Operating memory a variant of Win32/Toolbar.Widgi application

It is at this point I presume that I would need to execute an OTM script, but as you may have guessed I would like to seek expert (like Sempai) one-on-one guidance before proceeding.

Thank you in advance for your time and attention to this matter.
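The two logs in the post above are easier to reason about as records than as 55 loose lines. The 15 AVG rows all describe \Driver\Disk and \Driver\ViaIde dispatch entries pointing into CLASSPNP.SYS and PCIIDEX.SYS, the Microsoft class and port driver libraries those drivers are built on, which is why AVG marks each one as a whitelisted system file; the ESET list mixes one Firefox extension (the same {83e133c8-...} GUID in three user profiles), restore-point copies, toolbar installers and a few droppers. The following is an added example, not code from the poster or from BleepingComputer: it parses both formats, keeps only AVG rows that break the "whitelisted file hooking itself" pattern, and groups the ESET hits by family and by where they sit. The excerpts are copied from the post (AVG rows joined onto one line each); the location buckets and the "needs attention" rule are the example's own assumptions.

```python
# Added example (not the poster's or BleepingComputer's code): parse the two logs
# from the post above into records so the hits can be grouped instead of read one
# by one. Excerpts are copied from the post (AVG rows joined onto one line each);
# the location buckets and the "needs attention" rule are this example's own assumptions.
import re
from collections import Counter, defaultdict

# Constructed excerpt: two of the 15 AVG "Rootkits" rows in AVG's ;"..." CSV form.
AVG_LOG = r'''Rootkits
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_CLOSE -> CLASSPNP.SYS ClassDebugPrint+0x618";"Object is white-listed (critical/system file that should not be removed)"
;"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\ViaIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)"
'''

# Constructed excerpt: ten of the 40 ESET online scanner detections.
ESET_LOG = r'''C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p7qib26h.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ikot1udb.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome\xulcache.jar JS/Agent.NDO trojan
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\o8modtpi.default\extensions\{83e133c8-5fe4-4ad2-b29d-53ef3019e7af}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\32\49fe26a0-64c8fc7b Java/TrojanDownloader.OpenStream.NCM trojan
C:\Documents and Settings\User\Local Settings\Application Data\nvv.exe.vir a variant of Win32/Kryptik.QKG trojan
C:\Documents and Settings\User\My Documents\Downloads\imf-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{6FFFEFAF-208F-4C34-A8B8-164D0D2A749F}\RP1364\A0276030.manifest Win32/TrojanDownloader.Tracur.F trojan
Operating memory a variant of Win32/Toolbar.Widgi application
'''

AVG_HOOK = re.compile(r'IRP hook, (?P<driver>\S+) (?P<irp>IRP_MJ_\w+) -> (?P<target>\S+)')
ESET_LINE = re.compile(r'^(?P<path>.+?) (?P<name>(?:probably )?(?:a variant of )?\S+) (?P<kind>trojan|application)$')
FF_GUID = re.compile(r'\{[0-9a-f-]{36}\}')
PROFILE_OWNER = re.compile(r'Documents and Settings\\([^\\]+)\\')
BUCKETS = [  # (path substring, bucket), first match wins; this example's own grouping
    ("\\System Volume Information\\_restore", "restore point copy"),
    ("\\Mozilla\\Firefox\\Profiles\\", "Firefox profile"),
    ("\\Google\\Chrome\\User Data\\", "Chrome profile"),
    ("\\Sun\\Java\\Deployment\\cache\\", "Java cache"),
    ("\\Downloads\\", "user download"),
    ("C:\\Program Files\\", "installed program"),
    ("C:\\Documents and Settings\\", "user profile"),
]

def parse_avg_rootkits(text):
    """Rows of AVG's Rootkits table: file, hooked driver/IRP, hook target, whitelisted?"""
    rows = []
    for line in text.splitlines():
        if not line.startswith(';"'):
            continue
        fields = line[2:].rstrip('"').split('";"')
        if len(fields) != 3 or fields[0] == "File":   # skip the header row
            continue
        path, infection, result = fields
        m = AVG_HOOK.search(infection)
        rows.append({"path": path, "irp": m["irp"] if m else None,
                     "driver": m["driver"] if m else None, "target": m["target"] if m else None,
                     "whitelisted": result.startswith("Object is white-listed")})
    return rows

def hooks_needing_attention(rows):
    """Hooks AVG did not whitelist, or whose target module is not the file it reported
    (heuristic: a whitelisted system file whose dispatch entries point into itself is expected)."""
    return [r for r in rows if not r["whitelisted"] or not r["target"]
            or not r["path"].upper().endswith("\\" + r["target"].upper())]

def classify(path):
    if path == "Operating memory":
        return "memory"
    return next((bucket for needle, bucket in BUCKETS if needle in path), "other")

def parse_eset(text):
    """ESET lines are '<path> <detection name> <trojan|application>'; paths contain spaces."""
    rows = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            rows.append({"path": m["path"], "family": m["name"].split()[-1],
                         "kind": m["kind"], "where": classify(m["path"])})
    return rows

def summarize(rows):
    """Detection count per family and per location bucket."""
    return Counter(r["family"] for r in rows), Counter(r["where"] for r in rows)

def extension_ids_by_profile(rows):
    """Which Firefox extension GUIDs were flagged, and in which users' profiles."""
    seen = defaultdict(set)
    for r in rows:
        if r["where"] != "Firefox profile":
            continue
        guid, owner = FF_GUID.search(r["path"]), PROFILE_OWNER.search(r["path"])
        if guid and owner:
            seen[guid.group(0)].add(owner.group(1))
    return dict(seen)

if __name__ == "__main__":
    print("AVG hooks needing attention:", hooks_needing_attention(parse_avg_rootkits(AVG_LOG)))
    families, places = summarize(parse_eset(ESET_LOG))
    print(families.most_common(), places.most_common(), extension_ids_by_profile(parse_eset(ESET_LOG)), sep="\n")
```

Run against the full 40-line list the same way; the point of the bucketing is that restore-point copies go away with the restore points, profile-level extension files have to be removed from every profile that has them, and only the remaining droppers and toolbar components need a removal script.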



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,624 posts

Posted 29 July 2012 - 02:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462183 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Location:Montreal, QC. Canada

Posted 02 August 2012 - 08:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

If you are still with us please post the logs requested in the previous post.

I will review them.

#4 LVG26

  • Topic Starter
  • Members
  • 6 posts

Posted 07 August 2012 - 07:31 PM

Hi nasdaq, thanks for your help. I am still unable to get a DDS log, despite my disabling my AV and unplugging the ethernet cable. It takes longer than 3 minutes and a log never ends up popping up.

Miraculously, however, I was able to get a GMER log without triggering a blue-screen crash. I will go ahead and post that here.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-05 16:51:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0 WDC_WD80 rev.07.0
Running: rt60ln90.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kwdcyuoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x93C2C004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x93C2C0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x93C2BD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x93C2BE1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x93C2BEBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x93C2BF56]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7522000, 0x1B85E6, 0xE8000020]
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xF8A59138]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.ics@ icsfile
Reg HKLM\SOFTWARE\Classes\.ics@Content Type text/calendar
Reg HKLM\SOFTWARE\Classes\.pcx@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.pcx@MediaImpression Backup MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.vcs@ vcsfile
Reg HKLM\SOFTWARE\Classes\icsfile@ iCalendar File
Reg HKLM\SOFTWARE\Classes\icsfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\icsfile\DefaultIcon@ C:\PROGRA~1\MICROS~2\Office10\1033\OUTLLIBR.DLL,41
Reg HKLM\SOFTWARE\Classes\icsfile\shell
Reg HKLM\SOFTWARE\Classes\icsfile\shell\open
Reg HKLM\SOFTWARE\Classes\icsfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\icsfile\shell\open\command@ "C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE" /ical "%1"
Reg HKLM\SOFTWARE\Classes\LLM@ LocalLicenseManager
Reg HKLM\SOFTWARE\Classes\LLM\CLSID
Reg HKLM\SOFTWARE\Classes\LLM\CLSID@ {28C52B68-23D6-44CE-B923-B6E51FF47DB2}
Reg HKLM\SOFTWARE\Classes\LLM\CurVer
Reg HKLM\SOFTWARE\Classes\LLM\CurVer@ LLM.1
Reg HKLM\SOFTWARE\Classes\LLM.1@ LocalLicenseManager
Reg HKLM\SOFTWARE\Classes\LLM.1\CLSID
Reg HKLM\SOFTWARE\Classes\LLM.1\CLSID@ {28C52B68-23D6-44CE-B923-B6E51FF47DB2}
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\DefaultIcon@ C:\Program Files\Kodak\MediaImpression\PhotoViewer.exe, 0
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open\command
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open\command@ "C:\Program Files\Kodak\MediaImpression\PhotoViewer.exe" "%1"
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\DefaultIcon@ C:\Program Files\Kodak\MediaImpression\MediaPlayer.exe, 0
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open\command
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open\command@ "C:\Program Files\Kodak\MediaImpression\MediaPlayer.exe" "%1"
Reg HKLM\SOFTWARE\Classes\vcsfile@ vCalendar File
Reg HKLM\SOFTWARE\Classes\vcsfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\vcsfile\DefaultIcon@ C:\PROGRA~1\MICROS~2\Office10\1033\OUTLLIBR.DLL,41
Reg HKLM\SOFTWARE\Classes\vcsfile\shell
Reg HKLM\SOFTWARE\Classes\vcsfile\shell\open
Reg HKLM\SOFTWARE\Classes\vcsfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\vcsfile\shell\open\command@ "C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE" /vcal "%1"

---- EOF - GMER 1.0.15 ----
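The GMER report above is, section by section, the list of questions a malware-removal helper asks of it: who owns each SSDT hook, which filter drivers are attached to the file-system and TCP/IP device stacks, and which kernel code sections GMER considers unusual. The following is an added example, not code from the poster, from nasdaq or from GMER: it splits the report on its section headers and turns each of those questions into a lookup. The excerpt is copied from the post; the "driver carries no vendor string" rule is the example's own heuristic, not a GMER feature.

```python
# Added example (not the poster's, nasdaq's or GMER's code): parse a GMER 1.0.15
# text report into per-section records. The excerpt is copied from the post above;
# the "no vendor string" rule is this example's own heuristic.
import re
from collections import defaultdict

# Constructed excerpt: System, Kernel code sections and Devices in full, two Registry lines.
GMER_LOG = r'''GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-05 16:51:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0 WDC_WD80 rev.07.0

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x93C2C004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x93C2C0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x93C2BD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x93C2BE1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x93C2BEBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x93C2BF56]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7522000, 0x1B85E6, 0xE8000020]
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xF8A59138]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.ics@ icsfile
Reg HKLM\SOFTWARE\Classes\icsfile\shell\open\command@ "C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE" /ical "%1"

---- EOF - GMER 1.0.15 ----
'''

SECTION = re.compile(r'^---- (?P<name>.+?) - GMER [\d.]+ ----$')
SSDT = re.compile(r'^SSDT (?P<module>\S+) \((?P<desc>.*?)\) (?P<func>\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$')
ATTACHED = re.compile(r'^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<filter>\S+) \((?P<desc>.*)\)$')
CODE_SECTION = re.compile(r'^(?P<section>\S+) (?P<module>\S+) (?P<note>.+?) \[(?P<detail>[^\]]+)\]$')

def vendor_of(desc):
    """GMER prints '<FileDescription>/<CompanyName>' from the driver's version resource."""
    return desc.rsplit("/", 1)[1].strip() if "/" in desc else ""

def parse_gmer(text):
    """Split the report on its '---- <name> - GMER x.y.z ----' headers: {section: [lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m["name"]
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def ssdt_hooks_by_module(sections):
    """{driver file name: {"vendor": company string, "functions": [hooked Zw* names]}}"""
    out = defaultdict(lambda: {"vendor": "", "functions": []})
    for line in sections.get("System", []):
        m = SSDT.match(line)
        if m:
            name = m["module"].rsplit("\\", 1)[-1].lower()
            out[name]["vendor"] = vendor_of(m["desc"])
            out[name]["functions"].append(m["func"])
    return dict(out)

def filters_by_driver(sections):
    """{filter driver: set of device objects it is attached to}"""
    out = defaultdict(set)
    for line in sections.get("Devices", []):
        m = ATTACHED.match(line)
        if m:
            out[m["filter"].lower()].add(m["device"])
    return dict(out)

def odd_code_sections(sections):
    """Kernel-section findings (writeable .text, entry point in a discardable section)."""
    matches = (CODE_SECTION.match(l) for l in sections.get("Kernel code sections", []))
    return [m.groupdict() for m in matches if m]

def entries_without_vendor(sections):
    """Hooks or filters whose driver has no CompanyName: a heuristic starting point,
    since a hooking driver with blank version info deserves a look before a vendor's does."""
    flagged = []
    for line in sections.get("System", []) + sections.get("Devices", []):
        m = SSDT.match(line) or ATTACHED.match(line)
        if m and not vendor_of(m["desc"]):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    s = parse_gmer(GMER_LOG)
    for module, info in ssdt_hooks_by_module(s).items():
        print(module, info["vendor"], info["functions"])
    for drv, devices in filters_by_driver(s).items():
        print(drv, sorted(devices))
    print(odd_code_sections(s))
    print("no vendor string:", entries_without_vendor(s))
```

On this report the parser confirms what a reader can see by eye: all six SSDT hooks belong to avgidsshimx.sys with AVG's company string, every attached device is AVG, Mozy or Microsoft's filter manager, and the two kernel-section lines concern the ATI display driver and a CD-recording driver. Whether those are acceptable is still the helper's call; the parser only makes the call quicker on a log with hundreds of lines.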

#5 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Location:Montreal, QC. Canada

Posted 08 August 2012 - 07:52 AM

To complete these instructions you will need Malwarebytes

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Save the Malwarebytes Anti-Malware log once it's complete.
===

Step 1. Download TDSSKiller.exe
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Step 2. Place TDSSKiller.exe in Malwarebytes Chameleon folder.
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
or on a 64-bit system.
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon

Step 3. Install the Chameleon driver by doing the following:
Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o <- include the quotes.
or on a 64-bit system.
"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Step 4. Execute TDSSKiller.exe by doubleclicking on it.
On Windows Vista or 7, right-click the .exe and run as an Administrator.
Press Start Scan
If Malicious objects are found, ensure Cure is selected (it should be by default)
Click Continue then click Reboot now
Once complete, a log will be produced at the root drive which is typically C:\
For example, C:\TDSSKiller.version_date_time_log.txt

Attach that log and the MBAM log as well.

===

P.S. You can download both tools at the same time.
When ready, execute the instructions.

#6 LVG26

  • Topic Starter
  • Members
  • 6 posts

Posted 10 August 2012 - 12:33 AM

Thanks nasdaq, here are the Malwarebytes and TDSSKiller logs as requested.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.10.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: GREENFAMILYCPU [administrator]

Protection: Enabled

8/9/2012 6:00:52 PM
mbam-log-2012-08-09 (18-00-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237006
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\User\Local Settings\Application Data\nvv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)


TDSSKiller log:

18:43:18.0046 2392 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
18:43:19.0718 2392 ============================================================
18:43:19.0718 2392 Current date / time: 2012/08/09 18:43:19.0718
18:43:19.0718 2392 SystemInfo:
18:43:19.0718 2392
18:43:19.0718 2392 OS Version: 5.1.2600 ServicePack: 3.0
18:43:19.0718 2392 Product type: Workstation
18:43:19.0718 2392 ComputerName: GREENFAMILYCPU
18:43:19.0718 2392 Windows directory: C:\WINDOWS
18:43:19.0718 2392 System windows directory: C:\WINDOWS
18:43:19.0718 2392 Processor architecture: Intel x86
18:43:19.0718 2392 Number of processors: 2
18:43:19.0718 2392 Page size: 0x1000
18:43:19.0718 2392 Boot type: Normal boot
18:43:19.0718 2392 ============================================================
18:43:21.0828 2392 Drive \Device\Harddisk0\DR0 - Size: 0x12A2480000 (74.54 Gb), SectorSize: 0x200, Cylinders: 0x2602, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
18:43:21.0875 2392 ============================================================
18:43:21.0875 2392 \Device\Harddisk0\DR0:
18:43:21.0875 2392 MBR partitions:
18:43:21.0875 2392 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x9512343
18:43:21.0875 2392 ============================================================
18:43:21.0906 2392 C: <-> \Device\Harddisk0\DR0\Partition0
18:43:21.0921 2392 ============================================================
18:43:21.0921 2392 Initialize success
18:43:21.0921 2392 ============================================================
18:43:33.0515 3100 ============================================================
18:43:33.0515 3100 Scan started
18:43:33.0515 3100 Mode: Manual;
18:43:33.0515 3100 ============================================================
18:43:33.0703 3100 19013 (34804da52276661c31422b5b98edbeb7) C:\WINDOWS\system32\DRIVERS\19013
18:43:33.0703 3100 19013 - ok
18:43:33.0703 3100 Abiosdsk - ok
18:43:33.0718 3100 abp480n5 - ok
18:43:33.0812 3100 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
18:43:33.0843 3100 ACDaemon - ok
18:43:33.0890 3100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:43:33.0906 3100 ACPI - ok
18:43:33.0921 3100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:43:33.0937 3100 ACPIEC - ok
18:43:33.0937 3100 adpu160m - ok
18:43:33.0968 3100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:43:33.0968 3100 aec - ok
18:43:34.0015 3100 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
18:43:34.0015 3100 Afc - ok
18:43:34.0062 3100 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
18:43:47.0546 3100 ============================================================
18:43:47.0546 3100 Scan finished
18:43:47.0546 3100 ============================================================
18:43:47.0546 2640 Detected object count: 0
18:43:47.0546 2640 Actual detected object count: 0

---------------

Thanks again for your help.

LVG

Attached Files
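The TDSSKiller log quoted above is reviewed by eye in this thread. As an added example (not part of the original post, and not TDSSKiller's own code), here is a small Python parser for that log layout: it pairs each scanned object with its verdict line, reads the "Detected object count" summary, and flags anything without a clean verdict or loaded from outside the usual system locations. The sample log is constructed in the same layout; the all-zero hash, the Temp path and the "suspicious" verdict text are placeholders.

```python
import re

# Constructed sample in the layout of the TDSSKiller log quoted in the post above:
# "<time> <tid> <name> (<md5>) <path>" followed by a "<name or path> - <verdict>" line.
SAMPLE_LOG = r"""
18:43:46.0093 3100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:43:46.0109 3100 wdmaud - ok
18:43:46.0234 3100 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:43:46.0234 3100 WebClient - ok
18:43:46.0300 3100 exampledrv (00000000000000000000000000000000) C:\Documents and Settings\User\Local Settings\Temp\exampledrv.sys
18:43:46.0300 3100 exampledrv - suspicious (constructed verdict)
18:43:47.0140 3100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:43:47.0531 3100 \Device\Harddisk0\DR0 - ok
18:43:47.0546 2640 Detected object count: 1
"""

ENTRY_RE = re.compile(r'^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(.+?)\s+\(([0-9a-f]{32})\)\s+(.+)$')
VERDICT_RE = re.compile(r'^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(.+?)\s+-\s+(.+)$')
COUNT_RE = re.compile(r'Detected object count:\s*(\d+)')
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', '\\device\\')  # assumption: usual locations on this XP box

def parse_tdsskiller_log(text):
    """Return (entries, detected_count); each entry is a dict with name, md5, path and verdict."""
    entries, by_key, detected = [], {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = {'name': m.group(1), 'md5': m.group(2), 'path': m.group(3), 'verdict': None}
            entries.append(entry)
            by_key[entry['name']] = entry   # driver/service verdict lines repeat the name
            by_key[entry['path']] = entry   # MBR/boot verdict lines repeat the device path
            continue
        m = VERDICT_RE.match(line)
        if m and m.group(1) in by_key:
            by_key[m.group(1)]['verdict'] = m.group(2)
            continue
        m = COUNT_RE.search(line)
        if m and detected is None:          # first summary line wins
            detected = int(m.group(1))
    return entries, detected

def flag_entries(entries):
    """Names worth a second look: no clean verdict, or loaded from outside the trusted locations."""
    return [e['name'] for e in entries
            if e['verdict'] != 'ok' or not e['path'].lower().startswith(TRUSTED_PREFIXES)]

if __name__ == '__main__':
    found, count = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(found)} objects scanned, {count} detected, flagged: {flag_entries(found)}")
```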



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:47 PM

Posted 10 August 2012 - 08:12 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Please post the 3 logs and let me know if the problem persists.

#8 LVG26

LVG26
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 13 August 2012 - 08:42 PM

This weekend I attempted to run ComboFix, but it stated that it found an AV scanner from an AV program I have long ago (supposedly) removed from my system (via Add/Remove Programs on Windows). When I run ComboFix anyway it appears to freeze up after a short while (under 10 minutes), and I suspect that this ghost AV scanner may be the culprit.

Should I go ahead and perform the other procedures in the meantime? I tried searching for any file on my hard drive that may represent the AV (the program was from CA [Computer Associates] Anti-Virus btw) but after an hour or two the search didn't find anything. Do you know any other way I may find and disable this, at this point, unauthorized scanner? Should I contact the company (despite the fact that they have terrible customer service, which was the reason for removing the program in the first place) and see if they have any suggestions?

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:47 PM

Posted 14 August 2012 - 07:19 AM

I found this article that may help you remove this tool completely.
https://support.ca.com/irj/portal/anonymous/kbtech?searchID=TEC569553&docid=569553&bypass=yes&fromscreen=kbresults
Hope it helps.

Let's continue with these scans.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===


  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.
===

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:47 PM

Posted 20 August 2012 - 09:34 AM

Are you still with me?

#11 LVG26

LVG26
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 25 August 2012 - 01:58 PM

Yes. Such as it is, I am working on this during the weekend. I'll follow the article you found to remove CA and go from there. I'll post my results or an update this afternoon.

LG



