
safe mode failing; google returns blank page & avg found Trojan horse Generic29.GJG


  • This topic is locked
42 replies to this topic

#1 eperkins

eperkins

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 30 August 2012 - 08:48 AM

running:
hp pavilion 5000 laptop
windows xp home edition
SP3
running Microsoft Security Essentials, which currently finds no infections (it did find the Zbot trojan, which it removed, but I think there are some residual effects remaining)
running malwarebytes pro which finds no infections

when using www.google.com, it returns a blank search page; somehow it's redirecting www.google.com to 89.207.128.50
google only works if I use http://173.194.75.106/; all other search engines work properly, i.e. Bing, Yahoo.

I cannot get the computer to boot up in any safe mode configuration; it gets to mup.sys and returns to the F8 page. It only starts up in normal mode.

loaded antivirus AVG 2012 Free version, which found but can't clear the following:
"Object name";"C:\WINDOWS\system32\svchost.exe (1948):\memory_001a0000"
"Detection name";"Trojan horse Generic29.GJG"
"Object type";"file"
"SDK Type";"Core"
"Result";"Infected"
"Action history";""



"";"C:\WINDOWS\system32\svchost.exe (1948)";"Trojan horse Generic29.GJG";""

I removed AVG after the computer became just about unresponsive (the uninstall failed, so I had to manually remove it and delete the registry entries).

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:57 AM

Posted 30 August 2012 - 10:08 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 eperkins

eperkins
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 31 August 2012 - 08:48 AM

Checkup.txt

Results of screen317's Security Check version 0.99.49
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java™ 6 Update 34
Java™ 6 Update 3
Java™ 6 Update 7
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````

**************************************************************************************
DDS output:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Run by Beth at 9:31:06 on 2012-08-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWUAAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\mmc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://173.194.75.106/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [BYRUA_AGENT] c:\documents and settings\all users\application data\lgmobileax\byr_client\VZWUAAgent.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/stcweb.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1344781217468
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://owa.pgnmail.com/OWA/MWScripts/AttachView/1.9/DAX.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{EE174F14-F27C-49FE-83E7-8CD4FCB6B359} : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-2-3 427192]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-12 22344]
RUnknown MpKsl5c137dd4;MpKsl5c137dd4; [x]
S0 ffutf;ffutf;c:\windows\system32\drivers\cdrrc.sys --> c:\windows\system32\drivers\cdrrc.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 intelusb3;Intel USB3 Device Service;c:\windows\system32\svchost.exe -k intelusbs3 [2004-8-4 14336]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-12 655944]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-5-30 22136]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-6-20 8960]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [2011-12-10 39704]
S3 vzandnetdiag;LGE AndroidNet for VZW USB Serial Port;c:\windows\system32\drivers\lgvzandnetdiag.sys [2012-5-9 23168]
S3 vzandnetdiag2;LGE AndroidNet for VZW Diagnostics Port;c:\windows\system32\drivers\lgvzandnetdiag2.sys [2012-5-9 23168]
S3 vzandnetmodem;LGE AndroidNet for VZW USB Modem;c:\windows\system32\drivers\lgvzandnetmdm.sys [2012-5-9 28032]
S3 vzandnetndis;LGE AndroidNet for VZW NDIS Ethernet Adapter;c:\windows\system32\drivers\lgvzandnetndis.sys [2012-5-9 71040]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-31 11:49:29 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fddd00d4-f06b-4433-93a9-a60b674ea226}\MpKsl5c137dd4.sys
2012-08-30 12:18:11 7022536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fddd00d4-f06b-4433-93a9-a60b674ea226}\mpengine.dll
2012-08-28 16:20:33 -------- d-----w- c:\windows\system32\cache
2012-08-27 15:51:49 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-08-27 15:51:48 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-08-27 12:06:26 7023536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-25 14:54:33 -------- d-----w- c:\documents and settings\beth\application data\Safer Networking
2012-08-24 17:57:59 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2012-08-24 17:57:56 -------- d-----w- c:\program files\Broadcom
2012-08-24 17:42:10 -------- d-----w- C:\W30A5F24
2012-08-24 17:42:06 -------- d-----w- c:\program files\SP37159
2012-08-23 13:27:24 78336 ------w- c:\windows\system32\dllcache\browser.dll
2012-08-23 12:22:40 -------- d-----w- c:\documents and settings\beth\application data\PCCUStubInstaller
2012-08-23 01:28:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-08-23 01:28:48 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-20 00:50:56 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-18 12:28:48 -------- d-sh--w- c:\documents and settings\beth\IECompatCache
2012-08-12 14:54:00 -------- d-----w- c:\documents and settings\beth\application data\Malwarebytes
2012-08-12 14:52:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-12 14:52:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-12 14:52:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-11 13:46:20 -------- d-----w- c:\documents and settings\beth\application data\ElevatedDiagnostics
2012-08-09 15:16:13 -------- d--h--w- c:\program files\WindowsUpdate
2012-08-07 01:03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2012-08-06 12:14:14 -------- d-----w- c:\windows\LastGood(2)
2012-08-02 13:28:34 146432 ----a-w- c:\windows\regedit.com
.
==================== Find3M ====================
.
2012-08-24 17:57:11 1294200 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2012-08-20 00:49:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-20 00:49:14 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ------w- c:\windows\system32\html.iec
2012-06-15 18:54:02 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-15 18:53:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-07 00:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 45080 ----a-w- c:\windows\system32\wups2(2)(2).dll
2012-06-02 19:19:34 35864 ----a-w- c:\windows\system32\wups(2)(2).dll
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AAE14B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8aae893c]; MOV EAX, [0x8aae8ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\Harddisk0\DR0[0x8ACE71F0]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\00000076[0x8AC7F968]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE140] -> [0x8AC53940]
\Driver\atapi[0x8ABF39A0] -> IRP_MJ_CREATE -> 0x8AAE14B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AAE12E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:34:49.62 ===============

*********************************************************************************************

Attach.txt:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/9/2006 2:42:51 PM
System Uptime: 8/31/2012 9:17:22 AM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30A4
Processor: AMD Turion™ 64 Mobile Technology ML-32 | U23 | 1790/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 93 GiB total, 53.817 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3524417D5C3F0200
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\3524417D5C3F0200
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_30A4103C&REV_10\4&13826118&0&30A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_30A4103C&REV_10\4&13826118&0&30A4
Service: RTL8023xp
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CSVirtA
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0001
Service: vpnva
.
==== System Restore Points ===================
.
RP18: 8/28/2012 9:15:07 PM - System Checkpoint
RP19: 8/28/2012 9:47:44 PM - Software Distribution Service 3.0
RP20: 8/29/2012 8:51:17 PM - Software Distribution Service 3.0
RP21: 8/30/2012 8:09:29 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
20-20 Version 6.4
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
AutoIt v3.1.1
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Canon Camera WIA Driver
Canon PowerShot G3 WIA Driver
CCleaner
Cisco AnyConnect VPN Client
Cisco SSL VPN Client
Client Activator 2.0 - English
Conexant AC-Link Audio
Half-Life® 2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Help and Support
HP Product Detection
HP Update
HP User Guides 0008
HP Wireless Assistant 1.01 C1
HpSdpAppCoreApp
HPSSupply
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 3
Java™ 6 Update 34
Java™ 6 Update 7
LG Verizon United Drivers
LightScribe 1.4.44.1
Linksys EasyLink Advisor 1.5 (1032)
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
Malwarebytes Anti-Malware version 1.62.0.1300
Messageware AttachView Add-in for Saving Files x86
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office 2003 Web Components
Microsoft Office Excel Viewer 2003
Microsoft Office Live Small Business Image Uploader
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
Microsoft Visual Studio Tools for Applications 2.0 - ENU
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
PCLinq2 High-Speed USB Bridge Cable
Picasa 3
Quick Launch Buttons 5.20 D2
QuickBooks Pro 2006
QuickBooks Pro Timer
QuickTime
RealPlayer Basic
Remote Control USB Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB982381)
Sentinel System Driver 5.41.1 (32-bit)
Shop for HP Supplies
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 9
Swami MapManager
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Ventrilo Client
Viewpoint Media Player
WebFldrs XP
Windows Driver Package - FTDI CDM Driver Package (03/13/2008 2.04.06)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Zone Deluxe Games
.
==== Event Viewer Messages From Past Week ========
.
8/31/2012 7:48:35 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
8/31/2012 7:48:35 AM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/30/2012 7:44:27 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.133.423.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8703.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/30/2012 4:13:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
8/29/2012 9:00:46 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.133.423.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8703.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/28/2012 9:33:15 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Microsoft Antimalware Service service to connect.
8/28/2012 9:33:15 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 4:29:18 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.133.423.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8703.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
8/28/2012 4:05:52 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f72fc71d, parameter3 b71bd734, parameter4 00000000.
8/28/2012 4:05:47 PM, error: Service Control Manager [7024] - The AVGIDSAgent service terminated with service-specific error 3758213661 (0xE001CA1D).
8/28/2012 4:05:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the MBAMService service to connect.
8/28/2012 4:05:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Java Quick Starter service to connect.
8/28/2012 4:05:47 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 4:05:47 PM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 3:41:12 PM, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 3:41:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HP WMI Interface service to connect.
8/28/2012 3:40:16 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmi with arguments "-Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
8/28/2012 3:37:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG WatchDog service to connect.
8/28/2012 3:37:05 PM, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 2:52:48 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG2012\AVGUIRES.DLL. Reference error message: The operation completed successfully. .
8/28/2012 2:52:48 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\AVG\AVG2012\AVGUIRES.DLL" on line 0.
8/28/2012 2:42:25 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
8/28/2012 2:42:25 PM, error: Service Control Manager [7023] - The Intel USB3 Device Service service terminated with the following error: The specified module could not be found.
8/28/2012 2:42:25 PM, error: Service Control Manager [7001] - The AVGIDSFilter service depends on the AVGIDSShim service which failed to start because of the following error: The system cannot find the file specified.
8/28/2012 2:42:25 PM, error: Service Control Manager [7001] - The AVGIDSDriver service depends on the AVGIDSFilter service which failed to start because of the following error: The dependency service or group failed to start.
8/28/2012 2:42:25 PM, error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: The dependency service or group failed to start.
8/28/2012 2:42:25 PM, error: Service Control Manager [7000] - The AVGIDSShim service failed to start due to the following error: The system cannot find the file specified.
8/28/2012 1:45:22 PM, error: Service Control Manager [7034] - The vToolbarUpdater11.2.0 service terminated unexpectedly. It has done this 1 time(s).
8/27/2012 11:15:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/27/2012 11:15:54 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/27/2012 11:15:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
8/27/2012 11:15:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cisco AnyConnect VPN Agent service to connect.
8/27/2012 11:15:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
8/27/2012 11:15:06 PM, error: Service Control Manager [7000] - The Cisco AnyConnect VPN Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/27/2012 11:15:06 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/27/2012 10:44:03 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f72fc71d, parameter3 b973266c, parameter4 00000000.
8/27/2012 10:41:16 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
.
==== End Of File ===========================
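Added example, not part of the thread: a small triage script over the "Event Viewer Messages" block in the log above. It parses each `date, level: source [id] - message` line and flags two things a responder looks for on a suspected-infected box: security products whose services keep failing to start (a side effect malware commonly causes), and System Error 1003 bugchecks that recur at the same faulting address (for bugcheck 0x8E, parameter2 is the address where the exception occurred). The sample lines are excerpted from the log above; the `SECURITY_MARKERS` list of product-name substrings is an assumption chosen for this host, not anything the log defines.

```python
"""
Added example, not part of the thread: triage the DDS "Event Viewer Messages"
block above. Two patterns matter when a machine is suspected of infection:
security products whose services fail to start (malware commonly breaks them),
and bugchecks that recur at the same faulting address.
"""
import re
from collections import Counter

# Lines excerpted from the Event Viewer section above (order is not the log's).
SAMPLE_LOG = """\
8/28/2012 4:05:52 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f72fc71d, parameter3 b71bd734, parameter4 00000000.
8/28/2012 4:05:47 PM, error: Service Control Manager [7024] - The AVGIDSAgent service terminated with service-specific error 3758213661 (0xE001CA1D).
8/28/2012 4:05:47 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/28/2012 2:42:25 PM, error: Service Control Manager [7000] - The AVGIDSShim service failed to start due to the following error: The system cannot find the file specified.
8/28/2012 9:33:15 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/27/2012 10:44:03 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f72fc71d, parameter3 b973266c, parameter4 00000000.
8/27/2012 11:15:06 PM, error: Service Control Manager [7000] - The Cisco AnyConnect VPN Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# SCM names the service in one of these two shapes.
SERVICE_RE = re.compile(
    r"The (?P<a>.+?) service (?:failed to start|terminated|hung|depends on)"
    r"|waiting for the (?P<b>.+?) service to connect"
)
# Bugcheck 0x8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED): parameter2 is the faulting address.
BUGCHECK_RE = re.compile(
    r"Error code (?P<code>[0-9a-f]+), parameter1 (?P<p1>[0-9a-f]+), parameter2 (?P<p2>[0-9a-f]+)"
)
# Assumption: substrings identifying the security products installed on this host.
SECURITY_MARKERS = ("avg", "mbam", "malwarebytes", "antimalware", "defender")
# SCM event ids that mean a service did not start or died.
SCM_FAILURE_IDS = {7000, 7001, 7009, 7022, 7023, 7024, 7034}


def parse_events(text):
    """Turn each 'date, level: source [id] - message' line into a dict."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["id"] = int(ev["id"])
        sm = SERVICE_RE.search(ev["msg"])
        ev["service"] = (sm.group("a") or sm.group("b")) if sm else None
        events.append(ev)
    return events


def security_service_failures(events):
    """Security-product services with SCM failure events, in order of first appearance."""
    seen = []
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["id"] not in SCM_FAILURE_IDS:
            continue
        name = ev["service"]
        if name and name not in seen and any(k in name.lower() for k in SECURITY_MARKERS):
            seen.append(name)
    return seen


def recurring_bugchecks(events):
    """(bugcheck code, faulting address) pairs seen more than once, with their counts."""
    counts = Counter()
    for ev in events:
        if ev["source"] == "System Error" and ev["id"] == 1003:
            m = BUGCHECK_RE.search(ev["msg"])
            if m:
                counts[(m.group("code"), m.group("p2"))] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("security services failing:", security_service_failures(evs))
    print("recurring bugchecks:", recurring_bugchecks(evs))
```

On the full log above the first check lists the AVG, Malwarebytes and Microsoft Antimalware services and leaves the Cisco and HP ones alone; the second shows that both 1000008e crashes share the faulting address f72fc71d, which is the kind of repeat a responder would want to tie to a driver once the machine is clean enough to take a memory dump.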

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:57 AM

Posted 31 August 2012 - 09:35 AM

Hello eperkins

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 eperkins


Posted 31 August 2012 - 10:22 AM

I downloaded and kicked off ComboFix after disabling Microsoft Security Essentials and Malwarebytes Pro real-time monitoring. I got a warning that AVG Antivirus Free Edition 2012 is running; I cannot find any related processes for AVG in Task Manager or Process Explorer or Add/Remove Programs, nor is there anything in the registry for AVG. I clicked OK, but the next pop-up tells me to run it at my own risk... What is the potential risk, or how can I identify the process to kill or remove it?

thanks...

#6 gringo_pr


Posted 31 August 2012 - 10:25 AM

Go ahead and run it. Windows is telling ComboFix that AVG is running (even if it isn't); I will fix this after we run ComboFix again.



gringo

#7 eperkins


Posted 31 August 2012 - 12:55 PM

OK, here's the output from ComboFix. I am now seeing Malwarebytes blocking outgoing calls to 199.21.148.98 & 78.41.203.120, which was not being detected in the past; hopefully this is progress!

ComboFix 12-08-30.05 - Beth 08/31/2012 12:19:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1644 [GMT -4:00]
Running from: c:\documents and settings\Beth\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\yaywbcos
c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\regedit.com
c:\windows\system32\bszip.dll
c:\windows\system32\oem62.inf
c:\windows\system32\SET4B8.tmp
c:\windows\system32\SET4BD.tmp
c:\windows\$NtUninstallKB62280$\3969943847 . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IAS
-------\Service_Ias
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-31 13:56 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C24F76EF-48CB-4B46-9AC7-734690924CC3}\mpengine.dll
2012-08-30 12:18 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-28 16:20 . 2012-08-28 16:20 -------- d-----w- c:\windows\system32\cache
2012-08-27 22:38 . 2012-08-28 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2012-08-27 15:51 . 2012-08-27 15:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-08-27 15:51 . 2012-08-28 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-08-25 14:54 . 2012-08-25 14:54 -------- d-----w- c:\documents and settings\Beth\Application Data\Safer Networking
2012-08-24 20:03 . 2012-08-24 20:03 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2012-08-24 19:04 . 2012-08-24 19:37 -------- d-----w- c:\program files\Hewlett-Packard
2012-08-24 17:57 . 2012-08-24 17:57 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2012-08-24 17:57 . 2012-08-24 17:57 -------- d-----w- c:\program files\Broadcom
2012-08-24 17:49 . 2012-08-24 17:49 -------- d-----w- c:\program files\Intel
2012-08-24 17:42 . 2012-08-24 17:44 -------- d-----w- C:\W30A5F24
2012-08-24 17:42 . 2012-08-24 17:42 -------- d-----w- c:\program files\SP37159
2012-08-23 13:27 . 2012-07-06 13:58 78336 ------w- c:\windows\system32\dllcache\browser.dll
2012-08-23 12:22 . 2012-08-23 12:22 -------- d-----w- c:\documents and settings\Beth\Application Data\PCCUStubInstaller
2012-08-23 01:28 . 2012-08-23 01:28 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-20 00:50 . 2012-08-20 00:49 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-20 00:43 . 2012-08-20 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-18 12:28 . 2012-08-18 12:28 -------- d-sh--w- c:\documents and settings\Beth\IECompatCache
2012-08-12 14:54 . 2012-08-12 14:54 -------- d-----w- c:\documents and settings\Beth\Application Data\Malwarebytes
2012-08-12 14:52 . 2012-08-12 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-12 14:52 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-12 14:52 . 2012-08-12 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-12 13:35 . 2012-08-12 13:35 -------- d-----w- c:\documents and settings\Beth\Application Data\InterVideo
2012-08-11 13:46 . 2012-08-11 13:46 -------- d-----w- c:\documents and settings\Beth\Application Data\ElevatedDiagnostics
2012-08-06 12:14 . 2012-08-12 13:17 -------- d-----w- c:\windows\LastGood(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 17:57 . 2005-08-12 06:47 1294200 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2012-08-20 00:49 . 2008-01-03 16:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-20 00:49 . 2011-01-20 11:19 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 13:58 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2004-08-04 08:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 08:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 08:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 08:00 385024 ------w- c:\windows\system32\html.iec
2012-06-15 18:54 . 2012-04-12 17:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-15 18:53 . 2011-06-03 11:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50 . 2008-09-04 11:04 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 08:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35 . 2011-12-23 12:52 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-04 08:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2007-05-30 23:04 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2007-05-30 23:04 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2004-08-04 08:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2004-08-04 08:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2004-08-04 08:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-05-30 23:04 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2005-05-26 10:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2005-05-26 10:16 45080 ----a-w- c:\windows\system32\wups2(2)(2).dll
2012-06-02 19:19 . 2004-08-04 08:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2004-08-04 08:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2004-08-04 08:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2004-08-04 08:00 35864 ----a-w- c:\windows\system32\wups(2)(2).dll
2012-06-02 19:19 . 2007-05-30 23:04 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2004-08-04 08:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2004-08-04 08:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2011-12-23 12:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2011-12-23 12:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"BYRUA_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWUAAgent.exe" [2012-07-27 396408]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-12-10 66864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^20-20 Shortcut Bar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk
backup=c:\windows\pss\20-20 Shortcut Bar.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2005-10-12 00:17 409600 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 13:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-01-09 20:47 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"vToolbarUpdater11.2.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\thestump\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2012 10:52 AM 655944]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 4:39 PM 427192]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2012 10:52 AM 22344]
S0 ffutf;ffutf;c:\windows\system32\drivers\cdrrc.sys --> c:\windows\system32\drivers\cdrrc.sys [?]
S2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe -k intelusbs3 [8/4/2004 4:00 AM 14336]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [5/30/2007 7:11 PM 22136]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [6/20/2006 12:08 PM 8960]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [12/10/2011 11:32 AM 39704]
S3 vzandnetdiag;LGE AndroidNet for VZW USB Serial Port;c:\windows\system32\drivers\lgvzandnetdiag.sys [5/9/2012 12:46 PM 23168]
S3 vzandnetdiag2;LGE AndroidNet for VZW Diagnostics Port;c:\windows\system32\drivers\lgvzandnetdiag2.sys [5/9/2012 12:46 PM 23168]
S3 vzandnetmodem;LGE AndroidNet for VZW USB Modem;c:\windows\system32\drivers\lgvzandnetmdm.sys [5/9/2012 12:46 PM 28032]
S3 vzandnetndis;LGE AndroidNet for VZW NDIS Ethernet Adapter;c:\windows\system32\drivers\lgvzandnetndis.sys [5/9/2012 12:43 PM 71040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
intelusbs3 REG_MULTI_SZ intelusb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-08-23 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\documents and settings\Beth\Application Data\PCCUStubInstaller\SymcPCCUInstaller.exe [2012-08-23 17:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://173.194.75.106/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/stcweb.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://owa.pgnmail.com/OWA/MWScripts/AttachView/1.9/DAX.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
Notify-intelsusb - (no file)
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-31 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?6?2?6??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AA9F2E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2719426043-3183262663-4260894840-1016\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1356)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Cisco Systems\SSL VPN Client\agent.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2012-08-31 13:21:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-31 17:21
.
Pre-Run: 57,610,969,088 bytes free
Post-Run: 58,100,166,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9E392A34278FD91CF466A991D65F302C

#8 gringo_pr


Posted 31 August 2012 - 12:58 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#9 eperkins


Posted 31 August 2012 - 01:00 PM

Not sure if this is the normal process, but after executing ComboFix it had me install the Microsoft Windows Recovery Console, which installed without issue. The first scan found rootkit.zeroaccess was inserted into the TCP/IP stack... It cycled back to the same message twice and then rebooted and finished scanning and created the log I just presented... The internet was not working, so I rebooted and that fixed that problem.
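Added example, not part of this thread and not ComboFix's own code: a script that pulls the indicators a responder would check first out of a ComboFix log like the one posted above. It flags (1) the folder layout the ZeroAccess/Sirefef family used in 2012, a numbered store under a `$NtUninstallKB...$` folder holding `@`, `U\` and `L\` entries, which matches the "Other Deletions" list above and the rootkit.zeroaccess detection reported in this post; (2) services whose image file ComboFix marked `[?]` (missing), such as the boot-start driver `ffutf` pointing at `cdrrc.sys`; and (3) svchost groups dumped from the `windows nt\currentversion\svchost` key, paired with the service entries that run under them. The sample lines are excerpted from the log above; the line formats the regexes expect are inferred from that log and are assumptions about ComboFix's output rather than a documented format.

```python
r"""
Added example, not part of the thread: pull indicators out of a ComboFix log
such as the one posted above. Three checks a responder would run first here:
  1. the folder layout the ZeroAccess/Sirefef family used in 2012, a numbered
     store under a $NtUninstallKB...$ folder holding '@', 'U\' and 'L\';
  2. services whose binary is missing (ComboFix prints '[?]' after the path);
  3. svchost groups dumped from 'windows nt\currentversion\svchost', paired
     with the service entries that run under them.
"""
import re

# Lines excerpted from the ComboFix log above (nothing here is invented).
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\L\yaywbcos
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\regedit.com
c:\windows\$NtUninstallKB62280$\3969943847 . . . . Failed to delete
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2012 10:52 AM 655944]
S0 ffutf;ffutf;c:\windows\system32\drivers\cdrrc.sys --> c:\windows\system32\drivers\cdrrc.sys [?]
S2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe -k intelusbs3 [8/4/2004 4:00 AM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
intelusbs3 REG_MULTI_SZ intelusb3
"""

# <drive>:\...\$NtUninstallKBnnnnn$\<digits> and, optionally, the entry below it.
ZA_STORE_RE = re.compile(
    r"(?P<store>[a-z]:\\.*?\\\$NtUninstallKB\d+\$\\\d+)(?:\\(?P<inner>\S+))?", re.IGNORECASE)
# ComboFix service line (format inferred from the log): "<R|S><start type> name;display;image [details]".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
SVCHOST_GROUP_RE = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<members>.+)$")
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"


def zeroaccess_stores(text):
    r"""{store directory (lower-cased): [entries showing the '@' / 'U\' / 'L\' layout]}."""
    hits = {}
    for line in text.splitlines():
        m = ZA_STORE_RE.search(line)
        if not m:
            continue
        inner = m.group("inner") or ""
        if inner == "@" or inner.upper().startswith(("U\\", "L\\")):
            hits.setdefault(m.group("store").lower(), []).append(inner)
    return hits


def missing_service_binaries(text):
    """(start code, service name, image path) for services whose file ComboFix marked '[?]'."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("image").rstrip().endswith("[?]"):
            out.append((m.group("start"), m.group("name"), m.group("image").split(" --> ")[0].strip()))
    return out


def svchost_hosted_services(text):
    """Each svchost group from the registry dump, with its members and the service entries using it."""
    groups, in_key = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == SVCHOST_KEY:
            in_key = True
            continue
        if in_key:
            m = SVCHOST_GROUP_RE.match(s)
            if not m:  # a '.' separator or the next key ends the dump
                in_key = False
                continue
            groups[m.group("group")] = {"members": m.group("members").split(), "services": []}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        k = m and re.search(r"svchost\.exe -k (\S+)", m.group("image"), re.IGNORECASE)
        if k and k.group(1) in groups:
            groups[k.group(1)]["services"].append(m.group("name"))
    return groups


if __name__ == "__main__":
    print("ZeroAccess-style stores:", zeroaccess_stores(SAMPLE_LOG))
    print("services with missing binaries:", missing_service_binaries(SAMPLE_LOG))
    print("svchost groups:", svchost_hosted_services(SAMPLE_LOG))
```

Note what the first check does not flag: the second store, `...\3969943847`, which ComboFix reports it "Failed to delete". No entries under it appear in the log, so the layout test has nothing to match on; it sits in the same `$NtUninstallKB62280$` folder, though, and a responder would treat a directory a cleaner could not remove as the next thing to look at, which is in effect what the TDSSKiller and aswMBR steps that follow in this thread do.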

#10 gringo_pr


Posted 31 August 2012 - 01:05 PM

Go ahead and run post 8 for me


gringo

#11 eperkins


Posted 31 August 2012 - 01:28 PM

After running TDSSKiller it had me reboot; now there's a pop-up from publisher Kaspersky Lab named ec32b9e6-9aa5-490b-8ebf-2c98b35dceda.exe located in my c:\doc&setting...etc\temp dir... Should I run this or exit out and proceed with executing aswMBR?

#12 gringo_pr


Posted 31 August 2012 - 03:10 PM

Exit out and send me the reports.


gringo

#13 eperkins

  • Topic Starter
  • Members
  • 21 posts
  • Local time:10:57 AM

Posted 31 August 2012 - 03:57 PM

Report for TDSSKiller below. The aswMBR.exe ran for almost 45 minutes and then died/closed with this error: 'an unhandled exception occurred in aswMBR.exe [2344]'.

tdsskiller:

14:15:31.0718 3040 Udfs - ok
14:15:31.0734 3040 ultra - ok
14:15:32.0109 3040 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
14:15:32.0453 3040 Update - ok
14:15:32.0671 3040 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
14:15:32.0843 3040 upnphost - ok
14:15:32.0906 3040 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
14:15:32.0921 3040 UPS - ok
14:15:33.0031 3040 [ 83CAFCB53201BBAC04D822F32438E244 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
14:15:33.0078 3040 USBAAPL - ok
14:15:33.0187 3040 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:15:33.0218 3040 usbccgp - ok
14:15:33.0281 3040 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:15:33.0312 3040 usbehci - ok
14:15:33.0390 3040 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:15:33.0453 3040 usbhub - ok
14:15:33.0484 3040 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:15:33.0500 3040 usbohci - ok
14:15:33.0562 3040 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:15:33.0593 3040 usbprint - ok
14:15:33.0640 3040 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:15:33.0656 3040 usbscan - ok
14:15:33.0734 3040 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:15:33.0750 3040 USBSTOR - ok
14:15:33.0812 3040 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:15:33.0828 3040 usbuhci - ok
14:15:33.0859 3040 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
14:15:33.0875 3040 VgaSave - ok
14:15:33.0937 3040 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
14:15:33.0953 3040 ViaIde - ok
14:15:34.0015 3040 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
14:15:34.0062 3040 VolSnap - ok
14:15:34.0515 3040 [ CB7859F7029AC19E9B9C76AA0E5E79D2 ] vpnagent C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
14:15:34.0734 3040 vpnagent - ok
14:15:34.0828 3040 [ E1F2333A88EC4A5C8EA6BE357323B72D ] vpnva C:\WINDOWS\system32\DRIVERS\vpnva.sys
14:15:34.0843 3040 vpnva - ok
14:15:35.0171 3040 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
14:15:35.0437 3040 VSS - ok
14:15:35.0500 3040 [ 9D7199B8BDDF58875A5E51A4D88E4190 ] vzandnetdiag C:\WINDOWS\system32\DRIVERS\lgvzandnetdiag.sys
14:15:35.0531 3040 vzandnetdiag - ok
14:15:35.0609 3040 [ 4C52311029859833EF34DE238B6C6963 ] vzandnetdiag2 C:\WINDOWS\system32\DRIVERS\lgvzandnetdiag2.sys
14:15:35.0625 3040 vzandnetdiag2 - ok
14:15:35.0703 3040 [ CC1071DF7D78DF779A938D759022D6F7 ] vzandnetmodem C:\WINDOWS\system32\DRIVERS\lgvzandnetmdm.sys
14:15:35.0734 3040 vzandnetmodem - ok
14:15:35.0843 3040 [ 2A07B70BC3055361F4EB4B4D9AA9917A ] vzandnetndis C:\WINDOWS\system32\DRIVERS\lgvzandnetndis.sys
14:15:35.0906 3040 vzandnetndis - ok
14:15:36.0109 3040 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
14:15:36.0109 3040 W32Time - ok
14:15:36.0171 3040 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:15:36.0234 3040 Wanarp - ok
14:15:36.0250 3040 wanatw - ok
14:15:36.0265 3040 WDICA - ok
14:15:36.0375 3040 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
14:15:36.0453 3040 wdmaud - ok
14:15:36.0546 3040 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
14:15:36.0578 3040 WebClient - ok
14:15:37.0265 3040 [ 214BC3AD84907AD6AD655AC5465F449A ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:15:37.0921 3040 winachsf - ok
14:15:38.0171 3040 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
14:15:38.0171 3040 winmgmt - ok
14:15:38.0296 3040 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
14:15:38.0343 3040 WmdmPmSN - ok
14:15:38.0406 3040 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
14:15:38.0406 3040 WmiAcpi - ok
14:15:38.0546 3040 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:15:38.0671 3040 WmiApSrv - ok
14:15:39.0546 3040 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
14:15:40.0359 3040 WMPNetworkSvc - ok
14:15:40.0421 3040 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\Drivers\wpdusb.sys
14:15:40.0453 3040 WpdUsb - ok
14:15:41.0250 3040 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
14:15:41.0953 3040 WPFFontCache_v0400 - ok
14:15:42.0000 3040 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:15:42.0000 3040 WS2IFSL - ok
14:15:42.0140 3040 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
14:15:42.0140 3040 wscsvc - ok
14:15:42.0187 3040 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
14:15:42.0187 3040 wuauserv - ok
14:15:42.0312 3040 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:15:42.0375 3040 WudfPf - ok
14:15:42.0468 3040 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:15:42.0546 3040 WudfRd - ok
14:15:42.0640 3040 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
14:15:42.0703 3040 WudfSvc - ok
14:15:43.0187 3040 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
14:15:43.0203 3040 WZCSVC - ok
14:15:43.0359 3040 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
14:15:43.0468 3040 xmlprov - ok
14:15:43.0531 3040 ================ Scan global ===============================
14:15:43.0671 3040 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
14:15:43.0984 3040 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:15:44.0312 3040 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:15:44.0437 3040 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
14:15:44.0437 3040 [Global] - ok
14:15:44.0453 3040 ================ Scan MBR ==================================
14:15:44.0484 3040 [ 671B81004FDD1588FA9ED1331C9CECA9 ] \Device\Harddisk0\DR0
14:15:44.0484 3040 Suspicious mbr (Forged): \Device\Harddisk0\DR0
14:15:44.0515 3040 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
14:15:44.0515 3040 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
14:15:44.0515 3040 ================ Scan VBR ==================================
14:15:44.0531 3040 [ 25309C2DDA968013CB2E18D6103AB19B ] \Device\Harddisk0\DR0\Partition1
14:15:44.0546 3040 \Device\Harddisk0\DR0\Partition1 - ok
14:15:44.0546 3040 ============================================================
14:15:44.0546 3040 Scan finished
14:15:44.0546 3040 ============================================================
14:15:44.0562 2296 Detected object count: 1
14:15:44.0562 2296 Actual detected object count: 1
14:15:57.0140 2296 \Device\Harddisk0\DR0\# - copied to quarantine
14:15:57.0140 2296 \Device\Harddisk0\DR0 - copied to quarantine
14:15:57.0453 2296 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
14:15:57.0500 2296 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
14:15:57.0500 2296 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
14:15:57.0515 2296 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
14:15:57.0531 2296 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
14:15:57.0578 2296 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
14:15:57.0609 2296 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
14:15:57.0703 2296 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
14:15:57.0703 2296 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
14:15:57.0718 2296 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
14:15:57.0718 2296 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
14:15:57.0718 2296 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
14:15:57.0718 2296 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
14:15:57.0718 2296 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
14:15:57.0734 2296 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
14:15:57.0734 2296 \Device\Harddisk0\DR0 - ok
14:15:57.0750 2296 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
14:16:15.0421 1592 Deinitialize success
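Added example (editor's code, not part of the thread and not Kaspersky's tool): a small Python parser for the TDSSKiller log layout shown above. It turns the `<time> <pid> <message>` lines into per-object verdicts, the MBR/VBR hashes, the "Suspicious mbr (Forged)" flag, the detection names, the TDLFS entries copied to quarantine, and what is still pending a reboot, so a responder can see at a glance whether a scan is clean without reading two thousand lines. The sample log is a constructed subset of the lines quoted in the post; the field names and the "clean" rule at the end are the editor's choice.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the TDSSKiller lines quoted in the post
# above, kept in the tool's own "<time> <pid> <message>" layout.
SAMPLE_LOG = r"""
14:15:43.0359 3040 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
14:15:43.0468 3040 xmlprov - ok
14:15:43.0531 3040 ================ Scan global ===============================
14:15:44.0437 3040 [Global] - ok
14:15:44.0453 3040 ================ Scan MBR ==================================
14:15:44.0484 3040 [ 671B81004FDD1588FA9ED1331C9CECA9 ] \Device\Harddisk0\DR0
14:15:44.0484 3040 Suspicious mbr (Forged): \Device\Harddisk0\DR0
14:15:44.0515 3040 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
14:15:44.0515 3040 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
14:15:44.0515 3040 ================ Scan VBR ==================================
14:15:44.0531 3040 [ 25309C2DDA968013CB2E18D6103AB19B ] \Device\Harddisk0\DR0\Partition1
14:15:44.0546 3040 \Device\Harddisk0\DR0\Partition1 - ok
14:15:44.0562 2296 Detected object count: 1
14:15:57.0140 2296 \Device\Harddisk0\DR0 - copied to quarantine
14:15:57.0453 2296 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
14:15:57.0500 2296 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
14:15:57.0734 2296 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
14:15:57.0734 2296 \Device\Harddisk0\DR0 - ok
14:15:57.0750 2296 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<obj>\S+)(?: (?P<path>.+))?$")
FORGED_RE = re.compile(r"^Suspicious mbr \(Forged\): (?P<obj>\S+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
# "<object>[ ( <detection> )] - <verdict>"; the object part is non-greedy so the
# first " - " separates object from verdict.
VERDICT_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<det>[^)]+) \))? - (?P<verdict>.+)$")


@dataclass
class Report:
    hashes: Dict[str, str] = field(default_factory=dict)        # object -> MD5
    verdicts: Dict[str, str] = field(default_factory=dict)      # object -> ok/infected
    forged_mbr: List[str] = field(default_factory=list)
    detections: Set[Tuple[str, str]] = field(default_factory=set)
    quarantined: List[str] = field(default_factory=list)
    pending_reboot: List[str] = field(default_factory=list)
    user_actions: Dict[str, str] = field(default_factory=dict)
    detected_count: Optional[int] = None


def parse_tdsskiller(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        h = HASH_RE.match(msg)
        if h:
            rep.hashes[h["obj"]] = h["md5"].upper()
            continue
        f = FORGED_RE.match(msg)
        if f:
            rep.forged_mbr.append(f["obj"])
            continue
        c = COUNT_RE.match(msg)
        if c:
            rep.detected_count = int(c["n"])
            continue
        v = VERDICT_RE.match(msg)
        if not v:
            continue  # banners, "Scan finished", "Deinitialize success", ...
        obj, det, verdict = v["obj"], v["det"], v["verdict"]
        if verdict == "ok":
            rep.verdicts.setdefault(obj, "ok")  # a later "- ok" never clears "infected"
        elif verdict == "infected":
            rep.verdicts[obj] = "infected"
            if det:
                rep.detections.add((obj, det))
        elif verdict.startswith("detected "):
            rep.verdicts[obj] = "infected"
            rep.detections.add((obj, verdict.split()[1]))
        elif verdict == "copied to quarantine":
            rep.quarantined.append(obj)
        elif verdict == "will be cured on reboot":
            rep.pending_reboot.append(obj)
        elif verdict.startswith("User select action: "):
            rep.user_actions[obj] = verdict.split(": ", 1)[1]
    return rep


def summarize(rep: Report) -> dict:
    """Triage view; 'clean' is the editor's rule: zero detections and no forged MBR."""
    return {
        "scanned": len(rep.verdicts),
        "infected": sorted(o for o, v in rep.verdicts.items() if v == "infected"),
        "forged_mbr": list(rep.forged_mbr),
        "detections": sorted(rep.detections),
        "hidden_fs_files": [q for q in rep.quarantined if "\\TDLFS\\" in q],
        "pending_reboot": list(rep.pending_reboot),
        "user_actions": dict(rep.user_actions),
        "clean": rep.detected_count == 0 and not rep.forged_mbr and not rep.detections,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_tdsskiller(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Feed it the full log and the `hidden_fs_files` list is the inventory of what was living in the hidden TDLFS partition; `pending_reboot` being non-empty means the cure has not happened yet and the MBR should be re-scanned after the restart.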

#14 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:57 AM

Posted 31 August 2012 - 04:08 PM

Greetings

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 eperkins

  • Topic Starter
  • Members
  • 21 posts
  • Local time:10:57 AM

Posted 31 August 2012 - 06:03 PM

Hello, here's the latest output (same as the first: rootkit infected, and the Windows sound upon logon is skipping big time):

ComboFix 12-08-31.02 - Beth 08/31/2012 17:45:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1626 [GMT -4:00]
Running from: c:\documents and settings\Beth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Beth\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b6c181be85030823.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-31 18:15 . 2012-08-31 18:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-31 17:46 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FB63FA6-A64E-4F3C-A687-BAB5F040869F}\mpengine.dll
2012-08-30 12:18 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-27 15:51 . 2012-08-27 15:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-08-27 15:51 . 2012-08-28 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-08-25 14:54 . 2012-08-25 14:54 -------- d-----w- c:\documents and settings\Beth\Application Data\Safer Networking
2012-08-24 20:03 . 2012-08-24 20:03 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2012-08-24 19:04 . 2012-08-24 19:37 -------- d-----w- c:\program files\Hewlett-Packard
2012-08-24 17:57 . 2012-08-24 17:57 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2012-08-24 17:57 . 2012-08-24 17:57 -------- d-----w- c:\program files\Broadcom
2012-08-24 17:49 . 2012-08-24 17:49 -------- d-----w- c:\program files\Intel
2012-08-24 17:42 . 2012-08-24 17:44 -------- d-----w- C:\W30A5F24
2012-08-24 17:42 . 2012-08-24 17:42 -------- d-----w- c:\program files\SP37159
2012-08-23 13:27 . 2012-07-06 13:58 78336 ------w- c:\windows\system32\dllcache\browser.dll
2012-08-23 12:22 . 2012-08-23 12:22 -------- d-----w- c:\documents and settings\Beth\Application Data\PCCUStubInstaller
2012-08-23 01:28 . 2012-08-23 01:28 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-20 00:50 . 2012-08-20 00:49 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-20 00:43 . 2012-08-20 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-18 12:28 . 2012-08-18 12:28 -------- d-sh--w- c:\documents and settings\Beth\IECompatCache
2012-08-12 14:54 . 2012-08-12 14:54 -------- d-----w- c:\documents and settings\Beth\Application Data\Malwarebytes
2012-08-12 14:52 . 2012-08-12 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-12 14:52 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-12 14:52 . 2012-08-12 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-12 13:35 . 2012-08-12 13:35 -------- d-----w- c:\documents and settings\Beth\Application Data\InterVideo
2012-08-11 13:46 . 2012-08-11 13:46 -------- d-----w- c:\documents and settings\Beth\Application Data\ElevatedDiagnostics
2012-08-06 12:14 . 2012-08-12 13:17 -------- d-----w- c:\windows\LastGood(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 17:57 . 2005-08-12 06:47 1294200 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2012-08-20 00:49 . 2008-01-03 16:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-20 00:49 . 2011-01-20 11:19 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 13:58 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2004-08-04 08:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 08:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 08:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 08:00 385024 ------w- c:\windows\system32\html.iec
2012-06-15 18:54 . 2012-04-12 17:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-15 18:53 . 2011-06-03 11:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50 . 2008-09-04 11:04 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 08:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35 . 2011-12-23 12:52 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-04 08:00 152576 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"BYRUA_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWUAAgent.exe" [2012-07-27 396408]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2011-12-10 66864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^20-20 Shortcut Bar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk
backup=c:\windows\pss\20-20 Shortcut Bar.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2005-10-12 00:17 409600 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 13:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-01-09 20:47 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"vToolbarUpdater11.2.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\thestump\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2012 10:52 AM 655944]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 4:39 PM 427192]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2012 10:52 AM 22344]
S0 ffutf;ffutf;c:\windows\system32\drivers\cdrrc.sys --> c:\windows\system32\drivers\cdrrc.sys [?]
S2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe -k intelusbs3 [8/4/2004 4:00 AM 14336]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [5/30/2007 7:11 PM 22136]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [6/20/2006 12:08 PM 8960]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [12/10/2011 11:32 AM 39704]
S3 vzandnetdiag;LGE AndroidNet for VZW USB Serial Port;c:\windows\system32\drivers\lgvzandnetdiag.sys [5/9/2012 12:46 PM 23168]
S3 vzandnetdiag2;LGE AndroidNet for VZW Diagnostics Port;c:\windows\system32\drivers\lgvzandnetdiag2.sys [5/9/2012 12:46 PM 23168]
S3 vzandnetmodem;LGE AndroidNet for VZW USB Modem;c:\windows\system32\drivers\lgvzandnetmdm.sys [5/9/2012 12:46 PM 28032]
S3 vzandnetndis;LGE AndroidNet for VZW NDIS Ethernet Adapter;c:\windows\system32\drivers\lgvzandnetndis.sys [5/9/2012 12:43 PM 71040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
intelusbs3 REG_MULTI_SZ intelusb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-08-31 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-08-23 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\documents and settings\Beth\Application Data\PCCUStubInstaller\SymcPCCUInstaller.exe [2012-08-23 17:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://173.194.75.106/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/stcweb.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://owa.pgnmail.com/OWA/MWScripts/AttachView/1.9/DAX.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-85603552.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-31 18:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?6?2?6??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2719426043-3183262663-4260894840-1016\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-08-31 18:20:58
ComboFix-quarantined-files.txt 2012-08-31 22:20
ComboFix2.txt 2012-08-31 17:21
.
Pre-Run: 57,811,124,224 bytes free
Post-Run: 58,087,378,944 bytes free
.
- - End Of File - - 94C657574A0D2FF5021A42F8F2D22C47
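Added example (editor's code, not part of the thread and not ComboFix's own): a parser for the service/driver lines in a ComboFix report like the one above (`R2 name;display;image [date time size]`, `S0 ...`) together with the `svchost` group key ComboFix prints right after them. The sample is a constructed subset of the lines quoted above. Two readings are assumptions on the editor's part: that `R`/`S` mean running/stopped with the digit being the Windows start type (0 = boot, 2 = auto, 3 = manual), and that `--> <path> [?]` means ComboFix could not find the image file. The triage function only surfaces entries worth checking (an image file that is absent, a service hosted by svchost.exe and which group claims it); it does not decide whether anything is malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the ComboFix lines quoted in the post above.
SAMPLE = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2012 10:52 AM 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2012 10:52 AM 22344]
S0 ffutf;ffutf;c:\windows\system32\drivers\cdrrc.sys --> c:\windows\system32\drivers\cdrrc.sys [?]
S2 intelusb3;Intel USB3 Device Service;c:\windows\System32\svchost.exe -k intelusbs3 [8/4/2004 4:00 AM 14336]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [5/30/2007 7:11 PM 22136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
intelusbs3 REG_MULTI_SZ intelusb3
.
"""

SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<cmd>.*) \[(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (?P<size>\d+)\]$")
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
MULTI_RE = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<members>.*)$")
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}  # assumed mapping


@dataclass
class Service:
    name: str
    display: str
    running: bool          # assumption: R = running, S = stopped
    start: int             # assumption: Windows start type
    command: str
    image_found: bool      # assumption: "--> path [?]" means the file is missing
    size: Optional[int] = None
    when: Optional[str] = None

    @property
    def svchost_group(self) -> Optional[str]:
        m = re.search(r"svchost\.exe -k (\S+)", self.command, re.IGNORECASE)
        return m.group(1) if m else None


def parse_combofix(text: str) -> Tuple[List[Service], Dict[str, List[str]]]:
    services: List[Service] = []
    groups: Dict[str, List[str]] = {}
    in_svchost = False
    for line in text.splitlines():
        line = line.strip()
        if in_svchost:                      # lines under the svchost key, up to the "." separator
            if line == "." or not line:
                in_svchost = False
                continue
            m = MULTI_RE.match(line)
            if m:
                groups[m["group"].lower()] = m["members"].split()
            continue
        if line.lower() == SVCHOST_KEY:
            in_svchost = True
            continue
        m = SVC_RE.match(line)
        if not m:
            continue
        running, start = m["state"] == "R", int(m["start"])
        rest = m["rest"]
        if rest.endswith("[?]"):
            cmd = rest.split(" --> ")[0]
            services.append(Service(m["name"], m["display"], running, start, cmd, False))
        else:
            s = STAMP_RE.match(rest)
            if s:
                services.append(Service(m["name"], m["display"], running, start,
                                        s["cmd"], True, int(s["size"]), s["when"]))
    return services, groups


def triage(services: List[Service], groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Editor's heuristics: list things to look at, not verdicts."""
    notes: Dict[str, List[str]] = {}
    for svc in services:
        reasons = []
        if not svc.image_found:
            reasons.append(f"image file not found ({START_TYPES.get(svc.start, '?')}-start)")
        g = svc.svchost_group
        if g is not None:
            members = groups.get(g.lower())
            if members is None:
                reasons.append(f"svchost group '{g}' absent from svchost key")
            elif svc.name.lower() not in [x.lower() for x in members]:
                reasons.append(f"not listed in svchost group '{g}'")
            else:
                reasons.append(f"svchost-hosted via group '{g}' (members: {', '.join(members)})")
        if reasons:
            notes[svc.name] = reasons
    return notes


if __name__ == "__main__":
    svcs, grps = parse_combofix(SAMPLE)
    for name, why in triage(svcs, grps).items():
        print(name, "->", "; ".join(why))
```

On the sample this reports `ffutf` (boot-start, image file absent) and `intelusb3` (hosted by svchost.exe under a group that the svchost key does list). Both are things the helper would normally look into by hand; a missing boot-start driver image is often just a leftover registration, so the path and group are what to verify, not a conclusion.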



