
Windows Security Alert ("red shield") appears in start-up tray & report of "Rogue Virus" threat when using cleaning tool


  • This topic is locked
18 replies to this topic

#1 KXS

KXS

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 31 August 2012 - 10:11 PM

Was hit by the FBI MoneyPak ransomware virus a couple of days ago. Seem to have successfully removed that virus along with a number of other ones (ZeroAccess.Trojan; Java/Exploit.Agent.NBD.Trojan; .

Unfortunately, my computer continues to show a Windows Security Alert ("red shield") in the start-up tray indicating that "Computer may be at risk" because "Automatic Updates is turned off." Also, while using a cleaning tool (adwcleaner.exe) during the FBI ransomware virus clean-up, a security alert (from AVG Anti-Virus Free-Edition 2012) popped up to warn that the cleaning tool (adwcleaner.exe) was a "rogue" program.

Have pasted contents of the ddt.txt below. Also attaching the Attach.txt.

Was going to attach Ark.txt (GMER log) once the GMER scan was finished, but got a blue screen saying: "A problem has been detected and Windows has been shut down to prevent damage to your computer."

"IRQL_NOT_LESS_OR_EQUAL"

"If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

[I will spare you all of the details here and just add technical info.]

"Technical information:
*** STOP: 0x0000000A (0xFAABDC00, 0x00000005, 0x00000001, 0x806F48EE)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."

Any help in figuring out how to remove this malware would be much appreciated. Thanks in advance, KXS


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Michael Chang at 22:12:08 on 2012-08-31
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.116 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Documents and Settings\Michael Chang\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: IE2EMBHO Class: {0a0ddbd3-6641-40b9-873f-bbdd26d6c14e} - c:\program files\easymule\modules\IE2EM.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_271_Plugin.exe -update plugin
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\michae~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\michael chang\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
Trusted Zone: servicemagic.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214513166500
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{09730FD7-DC4C-4DD5-B736-DE5090F800E6} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michael chang\application data\mozilla\firefox\profiles\o7uil3j2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1#General
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4af8506a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 301248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2012-3-6 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-7-4 5160568]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
S2 gupdate1c9b86ec6199b10;Google Update Service (gupdate1c9b86ec6199b10);c:\program files\google\update\GoogleUpdate.exe [2009-4-8 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 efavdrv;efavdrv;\??\c:\windows\system32\drivers\efavdrv.sys --> c:\windows\system32\drivers\efavdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-8 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-28 113120]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 12872]
.
=============== Created Last 30 ================
.
2012-08-31 18:45:51 -------- d-----w- c:\program files\ESET
2012-08-29 17:00:58 -------- d-----w- c:\documents and settings\michael chang\application data\Malwarebytes
2012-08-29 17:00:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-29 17:00:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 17:00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-08-15 13:04:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 13:04:32 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 22:14:29.34 ===============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 31 August 2012 - 11:53 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 KXS

KXS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 01 September 2012 - 10:26 AM

1. LOGS (for Security Check and ComboFix)

Security Check Log Report (checkup.txt)

Results of screen317's Security Check version 0.99.49
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````





ComboFix Log Report (Combofix.txt)

ComboFix 12-08-31.08 - Michael Chang 09/01/2012 10:44:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.325 [GMT -4:00]
Running from: c:\documents and settings\Michael Chang\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\tmp15.tmp
c:\documents and settings\All Users\Application Data\tmp1F.tmp
c:\documents and settings\All Users\Application Data\tmp77.tmp
c:\documents and settings\All Users\Application Data\tmpE6.tmp
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\SET187.tmp
c:\windows\system32\SET188.tmp
c:\windows\system32\SET189.tmp
c:\windows\system32\SET18A.tmp
c:\windows\system32\SET18B.tmp
c:\windows\system32\SET18F.tmp
c:\windows\system32\SET190.tmp
c:\windows\system32\SET191.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-01 to 2012-09-01 )))))))))))))))))))))))))))))))
.
.
2012-08-31 18:45 . 2012-08-31 18:45 -------- d-----w- c:\program files\ESET
2012-08-31 11:49 . 2012-08-31 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\documents and settings\Michael Chang\Application Data\Malwarebytes
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-29 17:00 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 13:44 . 2012-08-29 17:17 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 13:04 . 2012-04-05 01:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 13:04 . 2011-06-21 20:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-07-28 13:48 . 2012-07-28 13:45 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2002-09-03 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-04-29 12:23 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-30 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-14 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Michael Chang\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-9-5 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2012-03-14 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2012-03-06 23:48 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 20:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 05:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-10-06 18:16 5058560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 18:16 741376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2002-09-03 19:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-14 02:20 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"NVSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Michael Chang\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\easyMule\\emule.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

2. PROBLEMS:

No real problems during the 2 scans, but some details to share, just in case they are relevant.

During the Combofix "AutoScan" process (after Stage 3 was completed), the Windows Security Center alert balloon became active (popped up): "Your computer might be at risk
-No firewall is turned on
-Automatic Updates is turned off
-AVG Anti-Virus Free Edition 2012 is turned off."

Also, AVG anti-virus was only temporarily disabled for 15 min. and turned back on in the middle of the Combofix "AutoScan" process. So, I turned it off again for another 15 min., just before "Stage 4" of the Combofix AutoScan was completed.



3. How is the computer doing now?

Computer is running normally, but Windows Security Alert ("red shield") still appears in the start-up tray saying "Computer may be at risk; Automatic Updates is turned off."

On start-up of computer (before running ComboFix), got 2 pop-up warnings "Unresponsive script"--"A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete." "Script: chrome://zotero/content/spcom/schema.js:436"

I clicked "stop script" both times that this warning appeared.

#4 KXS

Posted 01 September 2012 - 10:34 AM

In my haste, I became too focused on the technical issues and forgot to THANK YOU for your willingness to help with this, Gringo.

Still wondering why the Windows Security Alert ("red shield") is still appearing in the start-up tray? KXS

#5 KXS

Posted 01 September 2012 - 10:52 AM

Gringo,

Just wanted to update you on the latest. After restarting the computer, the Windows Security Alert ("red shield") has disappeared from the start-up tray, which seems very good.

Now just wondering if I need to do anything else to make absolutely sure that this computer's clean?

Thanks once again. KXS

#6 gringo_pr

  • Malware Response Team

Posted 01 September 2012 - 11:34 AM

Greetings KXS

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 KXS

Posted 01 September 2012 - 05:03 PM

Hello, Gringo.

As requested, please find below the reports from TDSSKiller and aswMBR scans, both of which ran fine.

On the aswMBR report--at 16:25:42.921 it reads "Disk 0 PE file @ sector 117162093 !"

Do you think this "PE [Portable Executable] file" might be a problem? (Like a PE file infector or a Master Boot Record [MBR] file system infector or something else?)

A PE file on the disk also appeared as the last item on the GMER scan that I was performing last night (8/31/2012). I was not able to generate a report log for that because the GMER scan ultimately failed and resulted in a blue-screen-of-death notification that my computer was shutting down to protect itself (see my initial description of the situation in my first post above).

Also, again on the aswMBR report--do the 2 items at 16:28:02.421 look suspicious to you?


Thanks, KXS


TDSSKiller report:

16:18:27.0500 1780 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:18:27.0500 1780 RasAcd - ok
16:18:27.0578 1780 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll
16:18:27.0609 1780 RasAuto - ok
16:18:27.0640 1780 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:18:27.0656 1780 Rasl2tp - ok
16:18:27.0765 1780 [ 49B5EED5FB89D39456A2F616CCD8BA5D ] RasMan C:\WINDOWS\System32\rasmans.dll
16:18:27.0828 1780 RasMan - ok
16:18:27.0890 1780 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:18:27.0906 1780 RasPppoe - ok
16:18:27.0921 1780 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
16:18:27.0921 1780 Raspti - ok
16:18:28.0015 1780 [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:18:28.0078 1780 Rdbss - ok
16:18:28.0093 1780 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:18:28.0093 1780 RDPCDD - ok
16:18:28.0203 1780 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:18:28.0265 1780 rdpdr - ok
16:18:28.0359 1780 [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
16:18:28.0406 1780 RDPWD - ok
16:18:28.0484 1780 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
16:18:28.0531 1780 RDSessMgr - ok
16:18:28.0578 1780 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
16:18:28.0609 1780 redbook - ok
16:18:28.0671 1780 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
16:18:28.0687 1780 RemoteAccess - ok
16:18:28.0734 1780 [ 3151427DB7D87107D1C5BE58FAC53960 ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
16:18:28.0765 1780 RemoteRegistry - ok
16:18:28.0796 1780 [ BB7549BD94D1AAC3599C7606C50C48A0 ] Rksample C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys
16:18:28.0828 1780 Rksample - ok
16:18:28.0875 1780 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\System32\locator.exe
16:18:28.0906 1780 RpcLocator - ok
16:18:29.0046 1780 [ 01095FEBF33BEEA00C2A0730B9B3EC28 ] RpcSs C:\WINDOWS\System32\rpcss.dll
16:18:29.0062 1780 RpcSs - ok
16:18:29.0140 1780 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe
16:18:29.0187 1780 RSVP - ok
16:18:29.0218 1780 [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs C:\WINDOWS\system32\lsass.exe
16:18:29.0218 1780 SamSs - ok
16:18:29.0265 1780 [ 39763504067962108505BFF25F024345 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
16:18:29.0265 1780 SASDIFSV - ok
16:18:29.0312 1780 [ 7CE61C25C159F50F9EAF6D77FC83FA35 ] SASENUM C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
16:18:29.0312 1780 SASENUM - ok
16:18:29.0375 1780 [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
16:18:29.0406 1780 SASKUTIL - ok
16:18:29.0468 1780 [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
16:18:29.0500 1780 SCardSvr - ok
16:18:29.0593 1780 [ 92360854316611F6CC471612213C3D92 ] Schedule C:\WINDOWS\system32\schedsvc.dll
16:18:29.0656 1780 Schedule - ok
16:18:29.0718 1780 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:18:29.0718 1780 Secdrv - ok
16:18:29.0765 1780 [ B1E0CE09895376871746F36DC5773B4F ] seclogon C:\WINDOWS\System32\seclogon.dll
16:18:29.0765 1780 seclogon - ok
16:18:29.0796 1780 [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS C:\WINDOWS\system32\sens.dll
16:18:29.0812 1780 SENS - ok
16:18:29.0859 1780 [ A2D868AEEFF612E70E213C451A70CAFB ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
16:18:29.0859 1780 serenum - ok
16:18:29.0921 1780 [ CD9404D115A00D249F70A371B46D5A26 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
16:18:29.0937 1780 Serial - ok
16:18:30.0000 1780 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
16:18:30.0000 1780 Sfloppy - ok
16:18:30.0156 1780 [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
16:18:30.0250 1780 SharedAccess - ok
16:18:30.0312 1780 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
16:18:30.0312 1780 ShellHWDetection - ok
16:18:30.0328 1780 Simbad - ok
16:18:30.0421 1780 [ D9E8E0CE154A2F6430D9EFABDF730867 ] SoftFax C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys
16:18:30.0484 1780 SoftFax - ok
16:18:30.0500 1780 Sparrow - ok
16:18:30.0578 1780 [ 6C843C43FD7F0B42CFE477CE88D0F9B3 ] SpeakerPhone C:\WINDOWS\system32\DRIVERS\HSF_SPKP.sys
16:18:30.0593 1780 SpeakerPhone - ok
16:18:30.0625 1780 [ 0CE218578FFF5F4F7E4201539C45C78F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
16:18:30.0625 1780 splitter - ok
16:18:30.0687 1780 [ DA81EC57ACD4CDC3D4C51CF3D409AF9F ] Spooler C:\WINDOWS\system32\spoolsv.exe
16:18:30.0703 1780 Spooler - ok
16:18:30.0750 1780 [ E41B6D037D6CD08461470AF04500DC24 ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
16:18:30.0781 1780 sr - ok
16:18:30.0890 1780 [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice C:\WINDOWS\system32\srsvc.dll
16:18:30.0953 1780 srservice - ok
16:18:31.0093 1780 [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
16:18:31.0218 1780 Srv - ok
16:18:31.0281 1780 [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
16:18:31.0296 1780 SSDPSRV - ok
16:18:31.0437 1780 [ B6763F8534AC547CF1AF98AFDFF2EDC8 ] stisvc C:\WINDOWS\system32\wiaservc.dll
16:18:31.0546 1780 stisvc - ok
16:18:31.0593 1780 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
16:18:31.0593 1780 swenum - ok
16:18:31.0656 1780 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
16:18:31.0671 1780 swmidi - ok
16:18:31.0687 1780 SwPrv - ok
16:18:31.0718 1780 symc810 - ok
16:18:31.0734 1780 symc8xx - ok
16:18:31.0750 1780 sym_hi - ok
16:18:31.0765 1780 sym_u3 - ok
16:18:31.0796 1780 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
16:18:31.0812 1780 sysaudio - ok
16:18:31.0890 1780 [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
16:18:31.0921 1780 SysmonLog - ok
16:18:32.0046 1780 [ FB78839B36025AA286A51289ED28B73E ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
16:18:32.0125 1780 TapiSrv - ok
16:18:32.0312 1780 [ 01D5EAAFF224415A7FF513E4C882BE30 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:18:32.0421 1780 Tcpip - ok
16:18:32.0468 1780 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
16:18:32.0468 1780 TDPIPE - ok
16:18:32.0500 1780 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
16:18:32.0515 1780 TDTCP - ok
16:18:32.0546 1780 [ A540A99C281D933F3D69D55E48727F47 ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
16:18:32.0562 1780 TermDD - ok
16:18:32.0703 1780 [ B60C877D16D9C880B952FDA04ADF16E6 ] TermService C:\WINDOWS\System32\termsrv.dll
16:18:32.0796 1780 TermService - ok
16:18:32.0859 1780 [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] Themes C:\WINDOWS\System32\shsvcs.dll
16:18:32.0875 1780 Themes - ok
16:18:32.0937 1780 [ 37DB0A7D097310E8B4DE803FC3119C78 ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe
16:18:32.0968 1780 TlntSvr - ok
16:18:33.0015 1780 [ 8021A499DB46B2961C285168671CB9AF ] Tones C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys
16:18:33.0031 1780 Tones - ok
16:18:33.0046 1780 TosIde - ok
16:18:33.0125 1780 [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks C:\WINDOWS\system32\trkwks.dll
16:18:33.0156 1780 TrkWks - ok
16:18:33.0250 1780 [ 27E66E79FD742C107FDB23280E17D869 ] UdfReadr_xp C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
16:18:33.0312 1780 UdfReadr_xp - ok
16:18:33.0375 1780 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
16:18:33.0390 1780 Udfs - ok
16:18:33.0406 1780 ultra - ok
16:18:33.0578 1780 [ CED744117E91BDC0BEB810F7D8608183 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
16:18:33.0687 1780 Update - ok
16:18:33.0781 1780 [ ACA5D98663D879C6BAAFCEA7E2F1B710 ] upnphost C:\WINDOWS\System32\upnphost.dll
16:18:34.0203 1780 upnphost - ok
16:18:34.0234 1780 [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS C:\WINDOWS\System32\ups.exe
16:18:34.0250 1780 UPS - ok
16:18:34.0296 1780 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
16:18:34.0312 1780 USBAAPL - ok
16:18:34.0375 1780 [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:18:34.0375 1780 usbehci - ok
16:18:34.0437 1780 [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:18:34.0453 1780 usbhub - ok
16:18:34.0515 1780 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:18:34.0531 1780 usbscan - ok
16:18:34.0578 1780 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:18:34.0609 1780 USBSTOR - ok
16:18:34.0656 1780 [ F8FD1400092E23C8F2F31406EF06167B ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:18:34.0656 1780 usbuhci - ok
16:18:34.0843 1780 [ 269C0ADE94B90029B12497747BE408CB ] V124 C:\WINDOWS\system32\DRIVERS\HSF_V124.sys
16:18:35.0015 1780 V124 - ok
16:18:35.0046 1780 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
16:18:35.0062 1780 VgaSave - ok
16:18:35.0078 1780 ViaIde - ok
16:18:35.0140 1780 [ EE4660083DEBA849FF6C485D944B379B ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
16:18:35.0156 1780 VolSnap - ok
16:18:35.0281 1780 [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS C:\WINDOWS\System32\vssvc.exe
16:18:35.0375 1780 VSS - ok
16:18:35.0468 1780 [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time C:\WINDOWS\system32\w32time.dll
16:18:35.0531 1780 W32Time - ok
16:18:35.0593 1780 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:18:35.0593 1780 Wanarp - ok
16:18:35.0625 1780 WDICA - ok
16:18:35.0671 1780 [ EFD235CA22B57C81118C1AEB4798F1C1 ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
16:18:35.0703 1780 wdmaud - ok
16:18:35.0765 1780 [ 265F534EF76832435AFBF771EC97176D ] WebClient C:\WINDOWS\System32\webclnt.dll
16:18:35.0781 1780 WebClient - ok
16:18:36.0046 1780 [ 1225EBEA76AAC3C84DF6C54FE5E5D8BE ] winachsf C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
16:18:36.0265 1780 winachsf - ok
16:18:36.0390 1780 [ F399242A80C4066FD155EFA4CF96658E ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
16:18:36.0437 1780 winmgmt - ok
16:18:36.0531 1780 [ 581176F60885AEF8F78C6E38DCC3CDF9 ] WMDM PMSP Service C:\WINDOWS\System32\MsPMSPSv.exe
16:18:36.0562 1780 WMDM PMSP Service - ok
16:18:36.0609 1780 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
16:18:36.0609 1780 WmdmPmSN - ok
16:18:36.0843 1780 [ 1081C185AED0660B2B5F173C3E023B23 ] Wmi C:\WINDOWS\System32\advapi32.dll
16:18:37.0062 1780 Wmi - ok
16:18:37.0156 1780 [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
16:18:37.0187 1780 WmiApSrv - ok
16:18:37.0546 1780 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
16:18:37.0828 1780 WMPNetworkSvc - ok
16:18:37.0890 1780 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:18:37.0937 1780 WS2IFSL - ok
16:18:38.0031 1780 [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc C:\WINDOWS\system32\wscsvc.dll
16:18:38.0046 1780 wscsvc - ok
16:18:38.0093 1780 [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
16:18:38.0093 1780 wuauserv - ok
16:18:38.0171 1780 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:18:38.0187 1780 WudfPf - ok
16:18:38.0250 1780 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:18:38.0265 1780 WudfRd - ok
16:18:38.0328 1780 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
16:18:38.0343 1780 WudfSvc - ok
16:18:38.0500 1780 [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
16:18:38.0625 1780 WZCSVC - ok
16:18:38.0687 1780 [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
16:18:38.0734 1780 xmlprov - ok
16:18:38.0765 1780 ================ Scan global ===============================
16:18:38.0796 1780 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
16:18:38.0968 1780 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
16:18:39.0171 1780 [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
16:18:39.0250 1780 [ 37561F8D4160D62DA86D24AE41FAE8DE ] C:\WINDOWS\system32\services.exe
16:18:39.0250 1780 [Global] - ok
16:18:39.0250 1780 ================ Scan MBR ==================================
16:18:39.0281 1780 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
16:18:39.0593 1780 \Device\Harddisk0\DR0 - ok
16:18:39.0609 1780 ================ Scan VBR ==================================
16:18:39.0609 1780 [ F1F23D7C385DE55DD5136D696CCE1B28 ] \Device\Harddisk0\DR0\Partition1
16:18:39.0609 1780 \Device\Harddisk0\DR0\Partition1 - ok
16:18:39.0625 1780 ============================================================
16:18:39.0625 1780 Scan finished
16:18:39.0625 1780 ============================================================
16:18:39.0640 2296 Detected object count: 0
16:18:39.0640 2296 Actual detected object count: 0







aswMBR report:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-01 16:21:45
-----------------------------
16:21:45.421 OS Version: Windows 5.1.2600 Service Pack 2
16:21:45.421 Number of processors: 1 586 0x207
16:21:45.421 ComputerName: MICHAEL-9YK4TRZ UserName: Michael Chang
16:21:50.468 Initialize success
16:25:34.812 AVAST engine defs: 12090101
16:25:42.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:25:42.593 Disk 0 Vendor: IC35L060AVV207-0 V22OA63A Size: 57220MB BusType: 3
16:25:42.671 Disk 0 MBR read successfully
16:25:42.671 Disk 0 MBR scan
16:25:42.812 Disk 0 Windows XP default MBR code
16:25:42.843 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57207 MB offset 63
16:25:42.859 Disk 0 scanning sectors +117162045
16:25:42.921 Disk 0 PE file @ sector 117162093 !
16:25:43.031 Disk 0 scanning C:\WINDOWS\system32\drivers
16:26:18.109 Service scanning
16:27:25.593 Modules scanning
16:28:01.859 Disk 0 trace - called modules:
16:28:01.890 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
16:28:02.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8234fab8]
16:28:02.421 3 CLASSPNP.SYS[f857705b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8234bd98]
16:28:04.062 AVAST engine scan C:\WINDOWS
16:28:47.500 AVAST engine scan C:\WINDOWS\system32
16:36:57.500 AVAST engine scan C:\WINDOWS\system32\drivers
16:37:28.515 AVAST engine scan C:\Documents and Settings\Michael Chang
17:54:08.156 AVAST engine scan C:\Documents and Settings\All Users
18:00:18.000 Scan finished successfully
18:01:49.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael Chang\Desktop\MBR.dat"
18:01:49.343 The log file has been saved successfully to "C:\Documents and Settings\Michael Chang\Desktop\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 01 September 2012 - 06:02 PM

Greetings

That is part of an old infection and is not active anymore. It is in a hard-to-get-to area that may be more dangerous to remove than just to leave there.


At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 KXS

KXS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 01 September 2012 - 07:42 PM

Gringo,

No problems running ComboFix again.

As requested, the log follows below.

The computer seems to be running fine now.

KXS


REPORT from ComboFix:

ComboFix 12-08-31.08 - Michael Chang 09/01/2012 20:09:48.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.270 [GMT -4:00]
Running from: c:\documents and settings\Michael Chang\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Chang\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
.
.
2012-08-31 18:45 . 2012-08-31 18:45 -------- d-----w- c:\program files\ESET
2012-08-31 11:49 . 2012-08-31 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\documents and settings\Michael Chang\Application Data\Malwarebytes
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-29 17:00 . 2012-08-29 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-29 17:00 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 13:44 . 2012-08-29 17:17 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 13:04 . 2012-04-05 01:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 13:04 . 2011-06-21 20:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-07-28 13:48 . 2012-07-28 13:45 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2002-09-03 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-09-01_15.09.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-01 15:45 . 2012-09-01 15:45 16384 c:\windows\Temp\Perflib_Perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-04-29 12:23 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-14 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Michael Chang\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-9-5 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2012-03-14 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2012-03-06 23:48 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 20:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 05:01 135264 ----a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-10-06 18:16 5058560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 18:16 741376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2002-09-03 19:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-14 02:20 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-30 23:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"NVSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Michael Chang\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\easyMule\\emule.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 301248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [3/6/2012 7:48 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
S2 gupdate1c9b86ec6199b10;Google Update Service (gupdate1c9b86ec6199b10);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2009 1:23 PM 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/4/2012 9:57 PM 250056]
S3 efavdrv;efavdrv;\??\c:\windows\system32\drivers\efavdrv.sys --> c:\windows\system32\drivers\efavdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2009 1:23 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 12872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 06341444
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
*Deregistered* - 06341444
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:04]
.
2012-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 17:23]
.
2012-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 17:23]
.
2012-09-01 c:\windows\Tasks\User_Feed_Synchronization-{321A3E8C-6B08-4FA7-9E38-95BF6F380C14}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
Trusted Zone: servicemagic.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael Chang\Application Data\Mozilla\Firefox\Profiles\o7uil3j2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1#General
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4af8506a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-01 20:28
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\WININET.dll
c:\documents and settings\Michael Chang\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-01 20:33:57
ComboFix-quarantined-files.txt 2012-09-02 00:33
ComboFix2.txt 2012-09-01 15:20
.
Pre-Run: 23,691,890,688 bytes free
Post-Run: 23,811,600,384 bytes free
.
- - End Of File - - 9A185B55EF949D0DD412232D7CD52813

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 01 September 2012 - 07:44 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 9.5.2
Java™ 6 Update 29


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 KXS

KXS
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 01 September 2012 - 09:41 PM

Gringo,

I was able to successfully uninstall both the Adobe Reader 9.5.2 and the Java 6 Update 29 programs.

However, while Adobe 10 was installing, two "Warnings" about "Unresponsive scripts" popped up.

"A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

The first Warning was for--

Script: resource://gre/modules/XPCOMUtils.jsm:357"


The second Warning was for--

Script: http://mail.yimg.com/zz/combo?nq/5346/yui/yui-min.js&nq/5346/oopoop-min.js&nq/5346/dom/dom-min.js&nq/5346/event/event-min.js&nq/5346/event-custom/event-custom-min.js&nq/5346/base/base-base-min.js&nq/5346/plugin/plugin-min.js&nq/5346/pluginhost/pluginhost-min.js&nq .... [won't type in all the text here]"

I clicked "Stop script" on both.

Am still working on cleaning out the temp files (with CCLeaner.exe) and rerunning MBAM and HijackThis. Will post reports when finished.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 01 September 2012 - 10:20 PM

:thumbup2:

#13 KXS

KXS
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 01 September 2012 - 10:34 PM

Gringo,

No real problems encountered.

Computer seems to be running smoothly (with the exception of occasional "Warning: Unresponsive script" messages noted above).


As requested, here are the log from MBAM and the report from HijackThis.


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Michael Chang :: MICHAEL-9YK4TRZ [administrator]

9/1/2012 10:55:53 PM
mbam-log-2012-09-01 (22-55-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207198
Time elapsed: 14 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)






Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:43 PM, on 9/1/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Michael Chang\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Michael Chang\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.servicemagic.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214513166500
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9b86ec6199b10) (gupdate1c9b86ec6199b10) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 7559 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 01 September 2012 - 10:58 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to be. Any of these programs you can start when you need them by clicking on their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Michael Chang\Application Data\Dropbox\bin\Dropbox.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, e.g. for
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo

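The posts above work from the HijackThis log pasted in #13 and the list of O4 start-up lines in #14, and the advice is to copy the name between the brackets and look it up before deciding what to fix. As an added example, not code from this thread, from HijackThis or from Trend Micro, the Python script below parses O4 (autostart) and O23 (service) lines in that log layout, pulls out the executable that actually runs, and classifies where it runs from, so that entries launched from a user profile or by a bare filename (which the log alone cannot resolve to a binary) are listed for manual review first. The sample lines, the user name in them and the location categories are constructed for the example.

```python
"""Triage helper for HijackThis-style O4 and O23 log lines.

Added example (not part of the BleepingComputer thread or of HijackThis).
It orders autostart entries for manual review; it does not decide whether
an entry is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same layout as the HijackThis v2.0.4 log in the
# thread; the user name "User" is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""


@dataclass
class Entry:
    kind: str      # "O4" (autostart) or "O23" (service)
    source: str    # registry run key, startup folder, or "Service"
    name: str      # the name between the brackets (what you search for)
    command: str   # full command line as logged
    exe: str       # executable extracted from the command line
    location: str  # program_files | windows | user_profile | bare | other


# O4 registry form:  O4 - HKLM\..\Run: [Name] command
_O4_REG = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 folder form:    O4 - Startup: Name.lnk = path
_O4_DIR = re.compile(r"^O4 - (?P<src>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O23 service form:  O23 - Service: Display (short) - Vendor - path
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First token ending in a runnable extension, for unquoted command lines.
_EXE = re.compile(r"^(.+?\.(?:exe|dll|lnk|scr|cpl|bat|cmd))(?:\s|$)", re.IGNORECASE)


def extract_exe(command: str) -> str:
    """Return the executable from a logged command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE.match(command)                # unquoted path with spaces, e.g. Program Files
    return m.group(1) if m else command


def classify(exe: str) -> str:
    """Coarse location category used to order manual review (heuristic)."""
    p = exe.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "bare"                      # resolved via PATH; log cannot tell which binary
    if "\\documents and settings\\" in p or "\\users\\" in p:
        return "user_profile"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; other line types return None."""
    line = line.rstrip()
    m = _O4_REG.match(line)
    if m:
        exe = extract_exe(m["cmd"])
        return Entry("O4", f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"], exe, classify(exe))
    m = _O4_DIR.match(line)
    if m:
        exe = extract_exe(m["cmd"])
        return Entry("O4", m["src"], m["name"], m["cmd"], exe, classify(exe))
    m = _O23.match(line)
    if m:
        exe = extract_exe(m["path"])
        return Entry("O23", "Service", m["name"], m["path"], exe, classify(exe))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_for_review(entries: List[Entry]) -> List[str]:
    """Names of O4 entries that run from a user profile or by bare filename."""
    return [e.name for e in entries if e.kind == "O4" and e.location in ("user_profile", "bare")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind:4} {e.location:14} {e.name:14} {e.exe}")
    print("review first:", flag_for_review(found))
```

Paste a real HijackThis log into `SAMPLE_LOG` (or read it from a file) to run it over a whole report; the names it prints are the bracketed names the post says to paste into the start-up database, and the location category is only a way to pick which of them to look up first.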
#15 KXS

KXS
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 02 September 2012 - 08:49 AM

Hi Gringo,

Successfully ran the ESET Online Scanner from Internet Explorer, and no threats were found.

Does this mean the computer is "clean" and ready to go again?

KXS



