"Uncompressor" attachment ? yields virus


This topic is locked
21 replies to this topic

#1 sparty047 (Members, 11 posts)

Posted 11 September 2012 - 07:17 PM

Needed to unzip a file and did not have 7Zip installed on this netbook....foolishly chose Uncompressor, which installed some search tool add-on (Funguide or fun*.*) despite my specifying "no thank you". This add-on kept redirecting searches on my Chrome browser.

I removed the add-on, but it kept reappearing.
I found I could not remove uncompressor by using either its "uninstall" or my windows control panel.
Finally removed it by using CCleaner Uninstall.
Then could remove the fun*.* add-on.

Meanwhile, my mixer controller disappeared (vol control gone from taskbar) and not found within control panel. Codec drivers okay per device manager.

Also, windows update attempt to download 2 new security patches repeatedly failed.

Ran MalwareBytes both before and after running RKill and uncovered nothing.

I will attach the log from RKill because it referred to signature missing from dmboot.sys. When I looked into this on File.net it discussed the possibility of a malware camouflaging itself in that manner.

I have done nothing further, and will do nothing until I hear back from you.

Many thanks and my deepest respect for you all. If only the folks who spend so much time and creativity fashioning destructive malware could find an outlet such as yours in which they could channel their talents to help people. (Sigh!)

PEACE OUT
SPARTY047


#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Location: Puerto Rico)

Posted 12 September 2012 - 12:17 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 sparty047, Topic Starter (Members, 11 posts)

Posted 12 September 2012 - 04:50 AM

Results of screen317's Security Check version 0.99.50
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
CCleaner
Java 7 Update 6
Java version out of Date!
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 44% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````




AND


ComboFix 12-09-12.02 - Owner 09/12/2012 5:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1484 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-12 to 2012-09-12 )))))))))))))))))))))))))))))))
.
.
2012-09-12 06:06 . 2012-09-12 06:06 -------- d-----w- c:\program files\Belarc
2012-09-12 06:06 . 2011-08-09 21:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-09-12 06:02 . 2012-09-12 06:02 -------- d-----w- c:\program files\Speccy
2012-09-12 06:02 . 2012-09-12 06:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-09-06 12:14 . 2012-09-06 12:15 -------- d-----w- c:\program files\QuickTime
2012-09-06 12:14 . 2012-09-06 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\URE
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\readmes
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\program
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\share
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\Basis
2012-09-04 15:56 . 2012-09-04 15:56 -------- d-----w- c:\documents and settings\Owner\Application Data\CBS Interactive
2012-09-04 15:49 . 2012-09-04 15:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FixItCenter
2012-09-04 12:19 . 2012-09-04 12:19 -------- d-----w- c:\windows\MATS
2012-09-04 12:19 . 2012-09-04 12:19 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-09-04 11:46 . 2012-09-04 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2012-09-04 11:30 . 2012-09-04 16:08 -------- d-----w- c:\program files\CCleaner
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\program files\Common Files\Java
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\program files\Java
2012-08-23 23:53 . 2001-08-17 15:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-08-23 17:20 . 2012-08-23 17:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Hoyle FaceCreator
2012-08-23 17:20 . 2012-09-12 06:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Hoyle Card Games
2012-08-23 17:20 . 2001-08-21 11:38 7680 --sh--w- c:\documents and settings\All Users\Application Data\nt838cc.com
2012-08-23 17:06 . 2012-08-23 17:09 -------- d-----w- C:\HOYLE
2012-08-23 17:03 . 2012-08-23 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Encore
2012-08-20 12:09 . 2012-08-20 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Next Installer
2012-08-20 12:09 . 2012-08-01 15:45 163256 ----a-w- c:\program files\Windows Media Player\np-mswmp.dll
2012-08-19 10:44 . 2012-08-19 10:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2012-08-15 02:29 . 2012-05-14 09:21 346112 ------w- c:\windows\system32\dllcache\localspl.dll
2012-08-15 02:29 . 2012-07-06 13:58 78336 ------w- c:\windows\system32\dllcache\browser.dll
2012-08-15 02:29 . 2012-07-06 13:58 339968 ------w- c:\windows\system32\dllcache\netapi32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-12 03:54 . 2011-09-11 00:06 281723 ----a-w- C:\pmtimer.exe
2012-09-07 21:04 . 2011-09-14 01:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-06 13:58 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 13:59 . 2011-09-11 05:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2010-06-24 02:14 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:48 . 2011-09-13 23:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 17:48 . 2010-06-24 12:24 920064 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:48 . 2009-03-07 20:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 11:57 . 2009-03-07 20:35 385024 ----a-w- c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-20 . F738697D2AA60AC4BA9B9DED1412D4B2 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-16 2510848]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"CapsHook"="c:\program files\EeePC\CapsHook\CapsHook.exe" [2010-05-28 445344]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-29 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-29 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-29 141336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2011-07-13 1095080]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-06-10 548744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-07-20 83240]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"RTHDCPL"="RTHDCPL.EXE" [2011-05-23 20053608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-06-19 2234840]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
CNET TechTracker.lnk - c:\documents and settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2012-8-9 2625024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files\ASUS\AsusVibe\AsusVibeLauncher.exe [2011-9-13 549040]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2011-9-13 385024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [9/19/2010 9:03 PM 308248]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [9/13/2011 4:54 PM 11832]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/13/2011 8:09 AM 13336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [6/18/2012 9:13 PM 394712]
R2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [6/19/2012 1:44 PM 777728]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 10:54 PM 399432]
R2 msftesql$TSIFITPRO;SQL Server FullText Search (TSIFITPRO);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [3/26/2010 3:07 AM 91992]
R2 MSSQL$TSIFITPRO;SQL Server (TSIFITPRO);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/10/2011 8:05 PM 61552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2012 5:49 PM 116648]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/13/2011 9:24 PM 676936]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/13/2011 4:00 AM 1691480]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [9/13/2011 8:37 PM 102912]
S3 GigasetGenericUSB;GigasetGenericUSB;c:\windows\system32\drivers\GigasetGenericUSB.sys [2/27/2012 12:42 AM 44032]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2012 5:49 PM 116648]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/13/2011 9:24 PM 22856]
S3 TSIUSB;TSIUSB;c:\windows\system32\drivers\TsiUsb.sys [2/14/2006 12:43 PM 18688]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BANTEXT
*Deregistered* - cpuz135
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-12 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-09-12 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-01 23:15]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-01 23:15]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1202660629-527237240-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-11 04:54]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1202660629-527237240-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-11 04:54]
.
2012-09-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2012-06-19 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=afterd&chnl=afterd&cd=2XzuyEtN2Y1L1QzuyByE0FtDyC0DyDtCzy0F0AtBtDyCtCyDtN0D0Tzu0StBtAyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=551352045
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-12 05:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$TSIFITPRO]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:TSIFITPRO"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\relog_ap.dll
.
Completion time: 2012-09-12 05:33:22
ComboFix-quarantined-files.txt 2012-09-12 09:33
.
Pre-Run: 29,008,064,512 bytes free
Post-Run: 29,506,428,928 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
C:\jolildr.mbr="Joli OS"
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - D6002C343D3E159BB8DD91FFE9C4D989





GRINGO:

Noting that Windows seems to be taking longer to load by 15 sec or so.

Had run Belarc Advisor, which noted the lack of the 5-8-12 MS XP security updates. Tried to add them through that route; it again showed them as updated, yet they were not installed, and a repeat Belarc scan showed them still lacking.

I honestly do not know if the loss of audio is associated with these other issues, but Control Panel / Sounds and Audio and Device Manager both show there is no sound device and no audio mixer (and no volume adjustment, because no sound device is installed), yet the audio codec drivers are present and working.

Lastly, I was contacted by the Discover card fraud unit; someone had attempted to use the account out of state, shortly after changing the address on the account. This left me wondering if this computer had been hacked. Needless to say, all Chrome auto-fill data has been deleted and no passwords for any transaction websites or credit card numbers are now on this computer.


Awaiting further instruction

Thank you for this help and guidance
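Added example (not a BleepingComputer tool and not anything posted in this thread): a small Python triage script for lines in the format ComboFix uses in its "Reg Loading Points" and "Supplementary Scan" sections, as seen in the log above. It flags Run/RunOnce/Startup entries whose image lives in a Temp or user-profile directory or is an unqualified file name, and start-page entries whose host is not on a short allowlist. The sample log is constructed: most lines are copied from the ComboFix log above, while the "Updater" value under HKEY_CURRENT_USER is a hypothetical line added only to show a Temp-directory autorun being caught. The allowlist of start-page hosts is an assumption to adjust for your own environment.

```python
"""Triage helper for ComboFix-style log lines.

Added example, not a BleepingComputer tool and not code from this thread.
It scans Run/RunOnce/Startup-folder entries and start-page lines and
returns the ones worth a closer look; a flag means "inspect", not "malware".
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: most lines are copied from the ComboFix log in this
# thread; the HKEY_CURRENT_USER "Updater" entry is HYPOTHETICAL, added only to
# show a Temp-directory autorun being caught.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"RTHDCPL"="RTHDCPL.EXE" [2011-05-23 20053608]
.
CNET TechTracker.lnk - c:\documents and settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2012-8-9 2625024]
.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\documents and settings\Owner\Local Settings\Temp\upd.exe" [2012-09-11 10240]
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=afterd&chnl=afterd
"""

# Directory markers that an ordinary installer does not need; user-writable.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\")
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")
# Assumption for this example: hosts a start page is allowed to point at.
GOOD_START_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')      # "Name"="path" [date size]
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[')   # X.lnk - path [date size]
START_PAGE = re.compile(r'^(?P<key>[um]Start Page) = (?P<url>\S+)$')


def parse_autoruns(log: str) -> List[Tuple[str, str]]:
    """Collect (name, image path) pairs from Run-key values and Startup .lnk lines."""
    entries = []
    for line in log.splitlines():
        m = RUN_VALUE.match(line.strip()) or STARTUP_LNK.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries


def classify_path(path: str) -> Optional[str]:
    """Return a reason to look closer at this image path, or None if it looks routine."""
    p = path.lower()
    if "\\" not in p:
        return "unqualified image name (resolved through the search path)"
    if "\\temp\\" in p:
        return "runs from a Temp directory"
    if any(marker in p for marker in USER_WRITABLE):
        return "runs from a user-writable profile directory"
    if not p.startswith(TRUSTED_PREFIXES):
        return "outside Program Files / Windows"
    return None


def parse_start_pages(log: str) -> List[Tuple[str, str]]:
    """Collect (key, url) pairs from the uStart Page / mStart Page lines."""
    return [(m.group("key"), m.group("url"))
            for m in (START_PAGE.match(l.strip()) for l in log.splitlines()) if m]


def refang(url: str) -> str:
    """ComboFix writes hxxp:// to defang URLs; restore the scheme so urlparse sees a host."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def flag_start_pages(pages, allow=GOOD_START_HOSTS) -> List[Tuple[str, str]]:
    """Return (key, host) for every start page whose host is off the allowlist."""
    flagged = []
    for key, url in pages:
        host = urlparse(refang(url)).hostname or ""
        if host not in allow:
            flagged.append((key, host))
    return flagged


def triage(log: str) -> Dict[str, list]:
    """Run both checks over a log and return only the entries that were flagged."""
    autoruns = [(n, p, classify_path(p)) for n, p in parse_autoruns(log)]
    return {
        "autoruns": [(n, p, r) for n, p, r in autoruns if r],
        "start_pages": flag_start_pages(parse_start_pages(log)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, path, reason in result["autoruns"]:
        print(f"[autorun] {name}: {path} -- {reason}")
    for key, host in result["start_pages"]:
        print(f"[start page] {key} points at {host}")
```

On the sample this flags the funmoods start page, the hypothetical Temp-directory "Updater" value, the unqualified RTHDCPL.EXE entry, and the CNET TechTracker shortcut. The last two are legitimate software; the script only says where a helper should look first, which is how the autorun and start-page lines in a log like the one above are read in practice.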

#4 gringo_pr, Bleepin Gringo (Malware Response Team, 136,773 posts, Location: Puerto Rico)

Posted 12 September 2012 - 07:48 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#5 sparty047, Topic Starter (Members, 11 posts)

Posted 12 September 2012 - 10:58 AM

GRINGO:

Possibly of note: I had downloaded rootkiller and run it prior to contacting Bleeping, so I opened it to run. It noted an update; I okayed getting the update, and it was unable to make a connection. (I had a prior malware experience about 4 years ago with windows*.* (saw it listed on your "how-to" virus removal list of annoying malwares) and recall it blocked updates to virus-seeking software.)

So, I removed prior copy and used your link to install and run the latest...here's report:


11:25:32.0328 1056 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
11:25:32.0593 1056 ============================================================
11:25:32.0593 1056 Current date / time: 2012/09/12 11:25:32.0593
11:25:32.0593 1056 SystemInfo:
11:25:32.0593 1056
11:25:32.0593 1056 OS Version: 5.1.2600 ServicePack: 3.0
11:25:32.0593 1056 Product type: Workstation
11:25:32.0593 1056 ComputerName: ANONYMOUS
11:25:32.0593 1056 UserName: Owner
11:25:32.0593 1056 Windows directory: C:\WINDOWS
11:25:32.0593 1056 System windows directory: C:\WINDOWS
11:25:32.0593 1056 Processor architecture: Intel x86
11:25:32.0593 1056 Number of processors: 2
11:25:32.0593 1056 Page size: 0x1000
11:25:32.0593 1056 Boot type: Normal boot
11:25:32.0593 1056 ============================================================
11:25:33.0265 1056 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:25:33.0265 1056 ============================================================
11:25:33.0265 1056 \Device\Harddisk0\DR0:
11:25:33.0265 1056 MBR partitions:
11:25:33.0265 1056 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xF0B079F
11:25:33.0296 1056 ============================================================
11:25:33.0359 1056 C: <-> \Device\Harddisk0\DR0\Partition1
11:25:33.0359 1056 ============================================================
11:25:33.0359 1056 Initialize success
11:25:33.0359 1056 ============================================================
11:25:41.0531 3672 ============================================================
11:25:41.0531 3672 Scan started
11:25:41.0531 3672 Mode: Manual;
11:25:41.0531 3672 ============================================================
11:25:42.0171 3672 ================ Scan system memory ========================
11:25:42.0515 3672 System memory - ok
11:25:42.0515 3672 ================ Scan services =============================
11:25:42.0656 3672 Abiosdsk - ok
11:25:42.0656 3672 abp480n5 - ok
11:25:42.0718 3672 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:25:42.0718 3672 ACPI - ok
11:25:42.0750 3672 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
11:25:42.0750 3672 ACPIEC - ok
11:25:42.0843 3672 [ 3FC5CC29583196A64185F50448C2F45A ] AcrSch2Svc C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
11:25:42.0843 3672 AcrSch2Svc - ok
11:25:56.0765 3672 ================ Scan global ===============================
11:25:56.0812 3672 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
11:25:56.0843 3672 [ B23423313519C522E0E73BA170D3CE71 ] C:\WINDOWS\system32\winsrv.dll
11:25:56.0875 3672 [ B23423313519C522E0E73BA170D3CE71 ] C:\WINDOWS\system32\winsrv.dll
11:25:56.0890 3672 [ C519E15665CD89A91AD383FCE3CB556A ] C:\WINDOWS\system32\services.exe
11:25:56.0890 3672 [Global] - ok
11:25:56.0890 3672 ================ Scan MBR ==================================
11:25:56.0921 3672 [ 5DBEAF22470938DB83D871E2812EFBAE ] \Device\Harddisk0\DR0
11:25:57.0921 3672 \Device\Harddisk0\DR0 - ok
11:25:57.0921 3672 ================ Scan VBR ==================================
11:25:57.0921 3672 [ 0A52807BE55E7B219D15E82696B44AB7 ] \Device\Harddisk0\DR0\Partition1
11:25:57.0937 3672 \Device\Harddisk0\DR0\Partition1 - ok
11:25:57.0937 3672 ============================================================
11:25:57.0937 3672 Scan finished
11:25:57.0937 3672 ============================================================
11:25:57.0953 0516 Detected object count: 0
11:25:57.0953 0516 Actual detected object count: 0

Now here's the second log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-12 11:41:14
-----------------------------
11:41:14.562 OS Version: Windows 5.1.2600 Service Pack 3
11:41:14.562 Number of processors: 2 586 0x1C0A
11:41:14.562 ComputerName: ANONYMOUS UserName: Owner
11:41:15.375 Initialize success
11:42:27.265 AVAST engine defs: 12091200
11:45:49.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
11:45:49.218 Disk 0 Vendor: ST916031 0002 Size: 152627MB BusType: 3
11:45:49.296 Disk 0 MBR read successfully
11:45:49.296 Disk 0 MBR scan
11:45:49.359 Disk 0 unknown MBR code
11:45:49.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 123232 MB offset 63
11:45:49.390 Disk 0 Partition - 00 05 Extended 29392 MB offset 252381150
11:45:49.421 Disk 0 Partition 2 00 BC BOOTWIZ0 29392 MB offset 252381213
11:45:49.453 Disk 0 scanning sectors +312576705
11:45:49.546 Disk 0 scanning C:\WINDOWS\system32\drivers
11:46:03.500 Service scanning
11:46:32.625 Modules scanning
11:46:38.781 Disk 0 trace - called modules:
11:46:38.828 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
11:46:38.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a09c030]
11:46:38.875 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000068[0x8a11f498]
11:46:38.906 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a0cc028]
11:46:39.625 AVAST engine scan C:\WINDOWS
11:46:47.093 AVAST engine scan C:\WINDOWS\system32
11:51:43.781 AVAST engine scan C:\WINDOWS\system32\drivers
11:52:05.296 AVAST engine scan C:\Documents and Settings\Owner
11:54:03.453 AVAST engine scan C:\Documents and Settings\All Users
11:54:29.843 Scan finished successfully
11:55:47.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
11:55:47.156 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

I believe that's all that you've requested.

#6 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 12 September 2012 - 04:28 PM

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 sparty047 (Topic Starter)

Posted 12 September 2012 - 06:39 PM

GRINGO:

As you requested:


RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/12/2012 19:37:30

Bad processes : 1
[SUSP PATH] TechTracker.exe -- C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe -> KILLED [TermProc]

Registry Entries : 4
[STARTUP][SUSP PATH] CNET TechTracker.lnk @Owner : C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [LOADED]

Infection :

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 3a3b446da3820818e5bfa100e7be9e0f
[BSP] 91681887eabe9efb61fb894e7a041f16 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 123232 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 252381150 | Size: 29392 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#8 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 12 September 2012 - 11:47 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 sparty047 (Topic Starter)

Posted 13 September 2012 - 08:09 PM

Gringo:

Log you requested:


ComboFix 12-09-13.03 - Owner 09/13/2012 20:31:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1355 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-13 23:56 . 2012-09-13 23:56 -------- d-----w- c:\windows\LastGood
2012-09-12 19:13 . 2012-09-12 19:13 -------- d-----w- c:\windows\system32\xircom
2012-09-12 19:13 . 2012-09-12 19:13 -------- d-----w- c:\windows\system32\wbem\snmp
2012-09-12 19:13 . 2012-09-12 19:13 -------- d-----w- c:\windows\system32\oobe
2012-09-12 19:13 . 2012-09-12 19:13 -------- d-----w- c:\program files\microsoft frontpage
2012-09-12 18:29 . 2012-09-12 18:29 -------- d-----w- c:\documents and settings\Owner\Application Data\KODAK AiO Home Center1147430796
2012-09-12 18:25 . 2001-08-18 00:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-09-12 18:25 . 2008-04-14 07:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-09-12 18:25 . 2008-04-14 02:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-09-12 18:24 . 2008-04-14 02:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-09-12 18:19 . 2012-09-12 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak Cloud Print
2012-09-12 18:18 . 2012-09-12 19:10 -------- d-----w- C:\KCPConnectorTemp
2012-09-12 18:01 . 2012-09-12 18:01 -------- d-----w- c:\documents and settings\Owner\Application Data\KODAK AiO Home Center179788291
2012-09-12 06:06 . 2012-09-12 06:06 -------- d-----w- c:\program files\Belarc
2012-09-12 06:06 . 2011-08-09 21:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-09-12 06:02 . 2012-09-12 06:02 -------- d-----w- c:\program files\Speccy
2012-09-12 06:02 . 2012-09-12 06:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-09-06 12:15 . 2012-09-06 12:15 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-09-06 12:14 . 2012-09-06 12:15 -------- d-----w- c:\program files\QuickTime
2012-09-06 12:14 . 2012-09-06 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\URE
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\readmes
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\program
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\share
2012-09-06 01:30 . 2012-09-06 01:30 -------- d-----w- c:\program files\Basis
2012-09-04 15:56 . 2012-09-04 15:56 -------- d-----w- c:\documents and settings\Owner\Application Data\CBS Interactive
2012-09-04 15:49 . 2012-09-04 15:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\FixItCenter
2012-09-04 12:19 . 2012-09-04 12:19 -------- d-----w- c:\windows\MATS
2012-09-04 12:19 . 2012-09-04 12:19 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-09-04 11:46 . 2012-09-04 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2012-09-04 11:30 . 2012-09-04 16:08 -------- d-----w- c:\program files\CCleaner
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\program files\Common Files\Java
2012-08-28 03:55 . 2012-08-28 03:55 -------- d-----w- c:\program files\Java
2012-08-23 23:53 . 2001-08-17 15:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-08-23 17:20 . 2012-08-23 17:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Hoyle FaceCreator
2012-08-23 17:20 . 2012-09-13 02:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Hoyle Card Games
2012-08-23 17:20 . 2001-08-21 11:38 8704 --sh--w- c:\documents and settings\All Users\Application Data\nt838cc.com
2012-08-23 17:06 . 2012-08-23 17:09 -------- d-----w- C:\HOYLE
2012-08-23 17:03 . 2012-08-23 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Encore
2012-08-20 12:09 . 2012-08-20 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Next Installer
2012-08-20 12:09 . 2012-08-01 15:45 163256 ----a-w- c:\program files\Windows Media Player\np-mswmp.dll
2012-08-19 10:44 . 2012-08-19 10:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2012-08-15 02:29 . 2012-05-14 09:21 346112 ------w- c:\windows\system32\dllcache\localspl.dll
2012-08-15 02:29 . 2012-07-06 13:58 78336 ------w- c:\windows\system32\dllcache\browser.dll
2012-08-15 02:29 . 2012-07-06 13:58 339968 ------w- c:\windows\system32\dllcache\netapi32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-12 03:54 . 2011-09-11 00:06 281723 ----a-w- C:\pmtimer.exe
2012-09-07 21:04 . 2011-09-14 01:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-06 13:58 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 13:59 . 2011-09-11 05:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2010-06-24 02:14 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:48 . 2011-09-13 23:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 17:48 . 2010-06-24 12:24 920064 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:48 . 2009-03-07 20:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 11:57 . 2009-03-07 20:35 385024 ----a-w- c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-20 . F738697D2AA60AC4BA9B9DED1412D4B2 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-09-12_09.31.32 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-07-20 19:17 556376 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-16 2510848]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"CapsHook"="c:\program files\EeePC\CapsHook\CapsHook.exe" [2010-05-28 445344]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-29 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-29 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-29 141336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2011-07-13 1095080]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-06-10 548744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-07-20 83240]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"RTHDCPL"="RTHDCPL.EXE" [2011-05-23 20053608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2012-06-19 2234840]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
CNET TechTracker.lnk - c:\documents and settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe [2012-8-9 2625024]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files\ASUS\AsusVibe\AsusVibeLauncher.exe [2011-9-13 549040]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2011-9-13 385024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\CloudPrinting\\KCPConnector.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [9/19/2010 9:03 PM 308248]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [9/13/2011 4:54 PM 11832]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/13/2011 8:09 AM 13336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [6/18/2012 9:13 PM 394712]
R2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [6/19/2012 1:44 PM 777728]
R2 Kodak Cloud Software Connector;Kodak Cloud Software Connector;c:\program files\Kodak\CloudPrinting\KCPConnector.exe -s --> c:\program files\Kodak\CloudPrinting\KCPConnector.exe -s [?]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/10/2012 10:54 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/13/2011 9:24 PM 676936]
R2 msftesql$TSIFITPRO;SQL Server FullText Search (TSIFITPRO);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [3/26/2010 3:07 AM 91992]
R2 MSSQL$TSIFITPRO;SQL Server (TSIFITPRO);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [9/10/2011 8:05 PM 61552]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/13/2011 9:24 PM 22856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2012 5:49 PM 116648]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/13/2011 4:00 AM 1691480]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [9/13/2011 8:37 PM 102912]
S3 GigasetGenericUSB;GigasetGenericUSB;c:\windows\system32\drivers\GigasetGenericUSB.sys [2/27/2012 12:42 AM 44032]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2012 5:49 PM 116648]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 TSIUSB;TSIUSB;c:\windows\system32\drivers\TsiUsb.sys [2/14/2006 12:43 PM 18688]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-13 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-09-12 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-01 23:15]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-01 23:15]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1202660629-527237240-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-11 04:54]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1202660629-527237240-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-11 04:54]
.
2012-09-12 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2012-06-19 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=afterd&chnl=afterd&cd=2XzuyEtN2Y1L1QzuyByE0FtDyC0DyDtCzy0F0AtBtDyCtCyDtN0D0Tzu0StBtAyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=551352045
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-13 20:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$TSIFITPRO]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:TSIFITPRO"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(1504)
c:\windows\system32\WININET.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-13 20:41:09
ComboFix-quarantined-files.txt 2012-09-14 00:41
ComboFix2.txt 2012-09-12 09:33
.
Pre-Run: 29,099,331,584 bytes free
Post-Run: 29,166,272,512 bytes free
.
- - End Of File - - 0F4130D4D2CEDAA6FF367647B12158C7



Now:


As mentioned in an earlier post, my first concerns arose when automatic Windows security updates failed to be installed (despite messages that the install was completed).

So:

After the above scan was done, I ran a Belarc assessment of the system, which showed these security updates were still missing.

And:

I went to Windows Update, had the system scanned (which noted the same missing critical updates as Belarc), and express-installed the files. I received this:


Successful Updates
Microsoft Windows XP
Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110)
Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407)


But:

When I returned and reran Belarc and Windows Update, they both note the updates are still absent. Yet Windows Add/Remove Programs shows 19 newer updates have installed, including (KB2736233) just today.

Here's a sample of the update history that shows the two security updates being successfully installed, repeatedly, yet they do not appear when Add/Remove is populated, or when Belarc scans.

Review your Update History
You have not yet installed updates from this website or by turning on automatic updating on your computer. To select and install updates now, go to our Home page.
If an update failed to install, click the Failed icon to learn how to solve the problem.

Note: To remove an update, go to Add and Remove Programs in your Control Panel.
Key: Succeeded / Cancelled / Failed
Product | Update | Status | Date | Source


Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407) Thursday, September 13, 2012 Microsoft Update
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110) Thursday, September 13, 2012 Microsoft Update
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407) Thursday, September 13, 2012 Microsoft Update
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110) Thursday, September 13, 2012 Microsoft Update
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110) Thursday, September 13, 2012 Automatic Updates
Windows XP Update Rollup for ActiveX Killbits for Windows XP (KB2736233) Thursday, September 13, 2012 Automatic Updates
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407) Thursday, September 13, 2012 Automatic Updates
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110) Wednesday, September 12, 2012 Automatic Updates
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407) Wednesday, September 12, 2012 Automatic Updates
Windows XP Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110) Wednesday, September 12, 2012 Automatic Updates

Other than that:

I haven't used this laptop recently as I have started my 6-day stretch at work (12.5 hrs on, 11.5 hrs for everything else in life...lol)....However, I check my emails and will ALWAYS respond to yours on the day received.


Thanks again (and I did send some dinero)

'Til next time
Dennis

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 01:03 PM

Clean Out Temp Files

  • You may want to keep this small application and use it once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 sparty047

sparty047
  • Topic Starter

  • Members
  • 11 posts

Posted 14 September 2012 - 04:30 PM

GRINGO:


On lunch so here goes:

I have CCleaner already....so I updated and ran it (ticked all the boxes you mentioned EXCEPT saved passwords (all non-financial sites) and saved autofill (name, address and telephone/email) on Chrome; willing to repeat and do so if you so advise, but I could not imagine a hiding place for malware there - tell me if I am mistaken).


Likewise, I have Malwarebytes and ran a scan with the results below (then ran a flash scan b/c I paid for a key on MBAM) with clear results, so I did not include it:




Malwarebytes Anti-Malware (PRO) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.14.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: ANONYMOUS [administrator]

Protection: Enabled

9/14/2012 3:50:44 PM
mbam-log-2012-09-14 (15-50-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186023
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



And log from HJT:





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:03 PM, on 9/14/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\EeePC\CapsHook\CapsHook.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
C:\Program Files\Kodak\CloudPrinting\KCPConnector.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=afterd&chnl=afterd&cd=2XzuyEtN2Y1L1QzuyByE0FtDyC0DyDtCzy0F0AtBtDyCtCyDtN0D0Tzu0StBtAyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=551352045
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [CapsHook] C:\Program Files\EeePC\CapsHook\CapsHook.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
O4 - HKLM\..\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O4 - Global Startup: AsusVibeLauncher.lnk = C:\Program Files\ASUS\AsusVibe\AsusVibeLauncher.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1315736433515
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
O23 - Service: Kodak AiO Status Monitor Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
O23 - Service: Kodak Cloud Software Connector - Unknown owner - C:\Program Files\Kodak\CloudPrinting\KCPConnector.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9274 bytes

As I mentioned last posting:

Working, with no time to use the CPU. Though I did just check and, again, Windows Update found those 5/8/12 security patches are still not installed, and again states "successfully installed" when run express.

Have a pleasant weekend,

I will be here Sat & Sun but will find time to look for your response.

Muchas gracias

Dennis

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 September 2012 - 05:43 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
      O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
      O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
      O4 - Global Startup: SuperHybridEngine.lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g. IntelliPoint from
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo
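The O4 lines the helper asks to tick in post #12 come from the HijackThis log in post #11. As an added example, not code from the thread or from HijackThis, here is a Python parser for those O4 lines that extracts where each entry persists and what it launches, then flags the ones a defender would look at first; the flagging rules are this example's own assumptions, not the helper's criteria, and the sample log is constructed from lines in the posted log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry autostart line: O4 - HKLM\..\Run: [Name] command  (HKUS lines add a "(User 'X')" suffix)
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\(?P<subkey>.*?)\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcut line: O4 - Startup: Foo.lnk = target  ("?" when HJT cannot resolve it)
LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First executable on the command line; HJT prints unquoted paths with spaces, so match up to ".exe"
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Directories an ordinary user can write to (assumption of this example, not an HJT rule)
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")

@dataclass
class AutostartEntry:
    location: str          # "HKLM\..\Run", "HKUS\S-1-5-18\..\RunOnce", "Global Startup", ...
    name: str              # registry value name or shortcut file name
    command: str           # command line exactly as HJT printed it
    image: Optional[str]   # executable the entry launches, None when unresolved
    user: Optional[str] = None

def _image(cmd: str) -> Optional[str]:
    if cmd.strip() == "?":
        return None
    m = EXE_RE.match(cmd)
    if m:
        return m["exe"]
    parts = cmd.split()
    return parts[0] if parts else None

def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Return an AutostartEntry for an O4 line, or None for any other HJT line."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        location = f"{m['hive']}\\{m['subkey']}\\{m['key']}"
        return AutostartEntry(location, m["name"], m["cmd"], _image(m["cmd"]), m["user"])
    m = LNK_RE.match(line)
    if m:
        return AutostartEntry(m["where"], m["name"], m["cmd"], _image(m["cmd"]))
    return None

def parse_log(text: str) -> List[AutostartEntry]:
    return [e for e in (parse_o4(ln) for ln in text.splitlines()) if e is not None]

def review_reasons(entry: AutostartEntry) -> List[str]:
    """Reasons to look closer; these rules are this example's own, not HJT's or the helper's."""
    reasons = []
    if entry.image is None:
        reasons.append("target could not be resolved")
    else:
        low = entry.image.lower()
        if any(marker in low for marker in USER_PROFILE_MARKERS):
            reasons.append("runs from a user-writable profile directory")
        if not re.match(r"^(?:[a-z]:\\|%[a-z]+%\\)", low):
            reasons.append("bare program name, resolved through PATH at logon")
    if entry.location.endswith("RunOnce"):
        reasons.append("RunOnce value still present after logon")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    flagged = {}
    for entry in parse_log(log_text):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged

# Constructed sample, adapted from the HJT log posted earlier in this thread
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - Startup: CNET TechTracker.lnk = C:\Documents and Settings\Owner\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```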

#13 sparty047

sparty047
  • Topic Starter

  • Members
  • 11 posts

Posted 15 September 2012 - 08:45 AM

GRINGO

While ticking off your suggestions in HJT, I noted the presence of Funmood in the list of autostart programs. This is the add-on that kept redirecting my browser after it installed during the download of Uncompressor. I ticked that and removed it also.

When I "forcibly" removed Uncompressor via CCleaner, files for the start menu remained. I had to use search to find and delete those files.

Here's ESETscan results of infections:

C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP149\A0017700.dll a variant of Win32/Toolbar.CrossRider.A application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP149\A0017710.dll Win32/Toolbar.Funmoods application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP154\A0020815.exe a variant of Win32/InstallCore.AG application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP163\A0021032.exe a variant of Win32/InstallCore.AG application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP175\A0022997.exe a variant of Win32/InstallCore.AG application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP176\A0023707.exe a variant of Win32/InstallCore.AG application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP182\A0024474.exe a variant of Win32/InstallCore.AG application
C:\System Volume Information\_restore{CA861B82-ADF1-4144-A9A8-BC7529BFF439}\RP187\A0026089.exe a variant of Win32/InstallCore.AG application


BTW


Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2604110)
Download size: 0 KB , 0 minutes (Downloaded; ready to install)
A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system. Details...
AND

Security Update for Microsoft .NET Framework 3.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656407)

These still are not "actually installed" even though the MS automatic update program continues to register them as actually installed.


Also, audio codecs still show with drivers working, but the audio mixer is still unavailable, and BOTH Windows Device Manager and the Belarc scan show that "no audio device is installed!" Belarc also confirms that the above security updates (which MUST have downloaded in May....because auto-update was working routinely well until ~2 wks ago, when all other troubles be

I did, for verification, easily download a non-security windows program update....then removed it with add/remove.

LASTLY,

Do you have a professional opinion of the ESET products? How about compared to Malwarebytes? MWB checks for updates to the virus definitions file whenever I boot. I have also previously read, and understand, the value of "cloud updating" of the master file. I reviewed all of the written material offered via the link to their website. Would their firewall, for example, offer better protection than the MS Windows firewall? The tutorial on firewalls here on BleepingComputer talks about commercial programs but later makes reference to Windows offering just as good protection.

This is an issue to me because, and I believe I mentioned this upfront, I assume one of our computers was hacked via our web address, and information obtained that was then used to:
1. access our Discovery Card account (by email or telephone) to change the mailing/billing address to another State.
2. an attempt was then made to make a large purchase, first at a retail store, then through a website.
3. oddly, they bothered to reset the iGoogle page to monitor news, weather, soccer, cricket and jokes for the Mumbai region of India. This could NOT be done by a global reset of the iGoogle page.

I have since come to realize it was time to remove ALL financial information from any autofill settings, and ALL passwords to any websites where financial transactions could occur, from our computers.

I will be reading the complete set of tutorials dealing with security, but always like to hear expert opinions.

Again, many thank-yous

Dennis

#14 sparty047

sparty047
  • Topic Starter

  • Members
  • 11 posts

Posted 23 September 2012 - 09:50 AM

Gringo


Have not heard back from you????

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 September 2012 - 03:30 PM

Sorry, I will have a post later tonight.



