Mcafee Zeroaccess alerts every 60 seconds


  • This topic is locked
23 replies to this topic

#1 Emberam

Emberam

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 12 September 2012 - 10:16 PM

Hello. I hope I have attached and pasted everything I need to. I ran DDS and GMER and they are definitely showing rootkit entries.

I appreciate any help that you can give.

Thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by USER at 22:01:55 on 2012-09-09
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111221232148.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
uRun: [Laamoxelmo] "c:\documents and settings\user\application data\yqcy\luma.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IJNetworkScannerSelectorEX] c:\program files\canon\ij network scanner selector ex\CNMNSST.exe /FORCE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\teamsp~1.lnk - c:\program files\teamspeak2_rc2\server_windows.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303050676625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CF1F78CE-0C56-446F-9536-B8756263C2A1} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-09-08 20:52:38 -------- d-----w- c:\documents and settings\user\application data\Yqcy
2012-09-08 20:52:38 -------- d-----w- c:\documents and settings\user\application data\Soak
2012-09-08 20:52:38 -------- d-----w- c:\documents and settings\user\application data\Qaka
2012-09-08 20:51:12 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2012-09-08 05:50:30 168960 ----a-w- c:\documents and settings\user\application data\orkbt.dll
2012-09-08 05:39:30 -------- d-----w- c:\documents and settings\user\local settings\application data\Identities
2012-09-08 05:39:17 -------- d-----w- c:\documents and settings\user\application data\Uqutt
2012-09-08 05:39:17 -------- d-----w- c:\documents and settings\user\application data\Oskab
2012-09-08 05:39:17 -------- d-----w- c:\documents and settings\user\application data\Moes
2012-08-27 03:37:43 -------- d-----w- c:\documents and settings\all users\application data\6C82D0E00009878702F991367B07D287
2012-08-27 03:37:39 524800 ----a-w- c:\documents and settings\user\application data\alear.dll
2012-08-27 03:36:30 150528 --sha-w- c:\documents and settings\user\application data\liseda.dll
.
==================== Find3M ====================
.
2012-08-14 23:43:24 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-14 23:43:24 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 22:04:29.64 ===============

Attached Files

  • Attached File  dds.txt   5.63KB   0 downloads
  • Attached File  gmer.log   227.87KB   0 downloads




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 AM

Posted 13 September 2012 - 12:05 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 AM

Posted 16 September 2012 - 11:59 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 Emberam

Emberam
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 18 September 2012 - 01:43 PM

I apologize. We had a personal emergency that I had to deal with, so I've been offline for a bit. It's hard to imagine, but my parents don't even have a cell phone or satellite TV, much less the internet. I will try your suggestions and respond by this evening.

Thanks,
Ember

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 AM

Posted 18 September 2012 - 02:36 PM

no problem and if you need more time just let me know



gringo

#6 Emberam

Emberam
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 18 September 2012 - 07:44 PM

Hello Gringo:

I ran AdwCleaner using the supplied instructions with no issues.
There did not seem to be any effect on the computer performance or overall behavior one way or the other after running this program. The resulting logfile is posted below.

RogueKiller had to reboot before generating the logfile. It did not say what it had to do, but that it had to reboot to complete some process and then I could continue after the reboot. I reran RogueKiller after the reboot, and the result was 4 separate logfiles? I posted all 4 below.
I have not had a ZeroAccess notification since I ran the program. FYI.

AdwCleaner Log .......................

# AdwCleaner v2.002 - Logfile created 09/18/2012 at 20:05:33
# Updated 16/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : USER - TORRENT
# Boot Mode : Normal
# Running from : C:\Documents and Settings\USER\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

*************************

AdwCleaner[S1].txt - [778 octets] - [18/09/2012 20:05:33]

########## EOF - C:\AdwCleaner[S1].txt - [837 octets] ##########


RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : USER [Admin rights]
Mode : Scan -- Date : 09/18/2012 20:14:56

Bad processes : 0

Registry Entries : 11
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : TsUsbRedirectionGroupPolicyExtension (C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Windows\1451\TsUsbRedirectionGroupPolicyExtension.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1202660629-117609710-1614895754-1003[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n.) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] n : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> FOUND
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\L --> FOUND
[ZeroAccess][FILE] n : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> FOUND
[ZeroAccess][FILE] @ : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\L --> FOUND

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

[...]


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 918ff51f56a16eae2397571996373131
[BSP] 266c4129e5b560403ac2a24d3bbd87a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 67280 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 137789505 | Size: 42421 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : USER [Admin rights]
Mode : Remove -- Date : 09/18/2012 20:17:07

Bad processes : 0

Registry Entries : 9
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : TsUsbRedirectionGroupPolicyExtension (C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Windows\1451\TsUsbRedirectionGroupPolicyExtension.exe) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\n.) -> REPLACED (C:\WINDOWS\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n.) -> REPLACED (C:\WINDOWS\system32\wbem\fastprox.dll)

Particular Files / Folders:
[ZeroAccess][FILE] n : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> REMOVED
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\L --> REMOVED
[ZeroAccess][FILE] n : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> REMOVED
[ZeroAccess][FILE] @ : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\USER\Local Settings\Application Data\{917f5b28-a113-4af2-cc58-417682c48f37}\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> REMOVED AT REBOOT
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\n --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\@ --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U\80000032.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-1202660629-117609710-1614895754-1003\$917f5b28a1134af2cc58417682c48f37\L --> REMOVED

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

[...]


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 918ff51f56a16eae2397571996373131
[BSP] 266c4129e5b560403ac2a24d3bbd87a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 67280 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 137789505 | Size: 42421 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : USER [Admin rights]
Mode : Scan -- Date : 09/18/2012 20:25:47

Bad processes : 0

Registry Entries : 2
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1202660629-117609710-1614895754-1003[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> FOUND

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

[...]


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 918ff51f56a16eae2397571996373131
[BSP] 266c4129e5b560403ac2a24d3bbd87a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 67280 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 137789505 | Size: 42421 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : USER [Admin rights]
Mode : Remove -- Date : 09/18/2012 20:26:39

Bad processes : 0

Registry Entries : 2
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-1202660629-117609710-1614895754-1003[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> DELETED

Particular Files / Folders:
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> REMOVED
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> REMOVED

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

[...]


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 918ff51f56a16eae2397571996373131
[BSP] 266c4129e5b560403ac2a24d3bbd87a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 67280 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 137789505 | Size: 42421 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt
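The four reports above carry the detail a responder should pull out of them: the Laamoxelmo run key and the RECYCLER files under S-1-5-18 were reported DELETED/REMOVED at 20:17 and were FOUND again by the 20:25 scan, while "Driver : [LOADED]" stays in every report. The Python below is an added example, not code from this thread or from RogueKiller: it parses report lines in that format and tracks each indicator across consecutive Scan/Remove runs, so that "came back after removal" is computed rather than eyeballed. The function names (parse_report, triage, needs_escalation) are my own, and the embedded reports are constructed, shortened copies of the lines posted above.

```python
"""Track RogueKiller-style findings across successive Scan/Remove runs.

Added example (not RogueKiller's code); the report snippets below are
constructed, shortened copies of the lines posted in this thread.
"""
import re
from dataclasses import dataclass

# "[TAG][TAG] item -> verdict"; registry lines use "->", files use "-->".
LINE_RE = re.compile(r'^((?:\[[^\]]*\])+)\s+(.+?)\s+-{1,2}>\s+(.+)$')
TAG_RE = re.compile(r'\[([^\]]*)\]')
MODE_RE = re.compile(r'^Mode\s*:\s*(Scan|Remove)\s*--\s*Date\s*:\s*(.+)$')


@dataclass(frozen=True)
class Finding:
    tags: tuple
    item: str
    verdict: str

    def key(self):
        # Files/folders are identified by path only: the label in front of
        # the path changes from "U" in a scan to "ROOT" in a remove run.
        if 'FILE' in self.tags or 'FOLDER' in self.tags:
            return self.item.split(' : ', 1)[-1]
        return self.item            # registry: full "key : value" text


def parse_report(text):
    """Return (mode, date, [Finding, ...]) for one report."""
    mode = date = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            mode, date = m.group(1), m.group(2).strip()
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(tuple(TAG_RE.findall(m.group(1))),
                                    m.group(2), m.group(3).strip()))
    return mode, date, findings


def _classify(events):
    """events: [(mode, verdict), ...] in report order for one indicator."""
    removed = pending = False
    for mode, verdict in events:
        if mode == 'Remove':
            if verdict.startswith('REMOVED AT REBOOT'):
                pending = True      # deferred; not gone yet
            elif verdict.startswith(('DELETED', 'REMOVED', 'REPLACED')):
                removed = True
        elif mode == 'Scan' and verdict == 'FOUND':
            if removed:
                return 'recreated'  # something still running put it back
            if pending:
                return 'removal-not-applied'
    if events[-1] == ('Scan', 'FOUND'):
        return 'found'              # seen, never acted on
    return 'cleaned'


def triage(report_texts):
    """Map each indicator to its fate across the reports (given in order)."""
    history = {}
    for text in report_texts:
        mode, _date, findings = parse_report(text)
        for f in findings:
            history.setdefault(f.key(), []).append((mode, f.verdict))
    return {k: _classify(ev) for k, ev in history.items()}


def needs_escalation(report_texts):
    """Indicators that survived or returned after removal: the sign that a
    user-mode cleanup is not reaching whatever is re-dropping them."""
    return sorted(k for k, s in triage(report_texts).items()
                  if s in ('recreated', 'removal-not-applied'))


# Constructed sample: three of the thread's four reports, trimmed.
SAMPLE_REPORTS = [r"""
Mode : Scan -- Date : 09/18/2012 20:14:56
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n.) -> FOUND
[ZeroAccess][FILE] n : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> FOUND
""", r"""
Mode : Remove -- Date : 09/18/2012 20:17:07
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n.) -> REPLACED (C:\WINDOWS\system32\wbem\fastprox.dll)
[ZeroAccess][FILE] n : C:\WINDOWS\Installer\{917f5b28-a113-4af2-cc58-417682c48f37}\n --> REMOVED
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> REMOVED AT REBOOT
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> REMOVED
""", r"""
Mode : Scan -- Date : 09/18/2012 20:25:47
[RUN][SUSP PATH] HKCU\[...]\Run : Laamoxelmo ("C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe") -> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\n --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$917f5b28a1134af2cc58417682c48f37\U --> FOUND
"""]

if __name__ == '__main__':
    for key, status in triage(SAMPLE_REPORTS).items():
        print(f'{status:<20} {key}')
```

Run on the sample, needs_escalation() returns the run key and the two RECYCLER items: the run key and the U folder come back as "recreated" (removed, then FOUND eight minutes later), and the RECYCLER n file as "removal-not-applied" (only ever "REMOVED AT REBOOT"). The Installer files, the InprocServer32 hijack and the Security Center notification switch stay "cleaned" because no later scan reports them. That split is exactly what the next reply in the thread acts on: when a loaded driver keeps re-dropping user-mode components, the tool that targets the driver (TDSSKiller) and an MBR check (aswMBR) are the next step, not another pass of the same user-mode cleanup.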

#7 Emberam

Emberam
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 19 September 2012 - 12:24 AM

Hello:

I spoke too soon and jinxed myself. The Trojan messages are back :( :cold:

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 AM

Posted 19 September 2012 - 01:11 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

Edited by gringo_pr, 19 September 2012 - 01:11 AM.


#9 Emberam

Emberam
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 20 September 2012 - 09:38 PM

Hello Gringo:

TDSSKILLER Logfile:

20:42:41.0593 6764 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
20:42:42.0218 6764 ============================================================
20:42:42.0218 6764 Current date / time: 2012/09/20 20:42:42.0218
20:42:42.0218 6764 SystemInfo:
20:42:42.0218 6764
20:42:42.0218 6764 OS Version: 5.1.2600 ServicePack: 3.0
20:42:42.0218 6764 Product type: Workstation
20:42:42.0218 6764 ComputerName: TORRENT
20:42:42.0218 6764 UserName: USER
20:42:42.0218 6764 Windows directory: C:\WINDOWS
20:42:42.0218 6764 System windows directory: C:\WINDOWS
20:42:42.0218 6764 Processor architecture: Intel x86
20:42:42.0218 6764 Number of processors: 4
20:42:42.0218 6764 Page size: 0x1000
20:42:42.0218 6764 Boot type: Normal boot
20:42:42.0218 6764 ============================================================
20:42:43.0359 6764 Drive \Device\Harddisk0\DR0 - Size: 0x1AC882A000 (107.13 Gb), SectorSize: 0x200, Cylinders: 0x36A1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:42:43.0359 6764 ============================================================
20:42:43.0359 6764 \Device\Harddisk0\DR0:
20:42:43.0359 6764 MBR partitions:
20:42:43.0359 6764 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x8368002
20:42:43.0359 6764 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x8368041, BlocksNum 0x52DAD20
20:42:43.0359 6764 ============================================================
20:42:43.0359 6764 C: <-> \Device\Harddisk0\DR0\Partition1
20:42:43.0359 6764 E: <-> \Device\Harddisk0\DR0\Partition2
20:42:43.0359 6764 ============================================================
20:42:43.0359 6764 Initialize success
20:42:43.0359 6764 ============================================================
20:42:47.0703 2500 ============================================================
20:42:47.0703 2500 Scan started
20:42:47.0703 2500 Mode: Manual;
20:42:47.0703 2500 ============================================================
20:42:48.0500 2500 ================ Scan system memory ========================
20:42:51.0406 2500 System memory - ok
20:42:51.0421 2500 ================ Scan services =============================
20:42:51.0437 2500 3259 - ok
20:42:51.0500 2500 Abiosdsk - ok
20:42:51.0515 2500 abp480n5 - ok
20:42:51.0531 2500 [ EA38C961260F29295C6D03070FA9D0B5 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:42:51.0546 2500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: EA38C961260F29295C6D03070FA9D0B5, Fake md5: 8FD99680A539792A30E97944FDAECF17
20:42:51.0562 2500 ACPI ( Virus.Win32.Rloader.a ) - infected
20:42:51.0562 2500 ACPI - detected Virus.Win32.Rloader.a (0)
20:42:51.0578 2500 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
20:42:51.0593 2500 ACPIEC - ok
20:42:51.0609 2500 [ 9E1448BD5398AB3203C23CA58DAE7B9F ] AcrSch2Svc C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
20:42:51.0968 2500 AcrSch2Svc - ok
20:42:51.0984 2500 [ E12CFCF1DDBFC50948A75E6E38793225 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:42:51.0984 2500 AdobeFlashPlayerUpdateSvc - ok
20:42:52.0000 2500 adpu160m - ok
20:42:52.0015 2500 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
20:42:52.0046 2500 aec - ok
20:42:52.0062 2500 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
20:42:52.0390 2500 AFD - ok
20:42:52.0406 2500 Aha154x - ok
20:42:52.0406 2500 aic78u2 - ok
20:42:52.0421 2500 aic78xx - ok
20:42:52.0437 2500 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
20:42:52.0453 2500 Alerter - ok
20:42:52.0453 2500 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
20:42:52.0468 2500 ALG - ok
20:42:52.0484 2500 AliIde - ok
20:42:52.0500 2500 amsint - ok
20:42:52.0531 2500 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
20:42:52.0546 2500 AppMgmt - ok
20:42:52.0562 2500 asc - ok
20:42:52.0578 2500 asc3350p - ok
20:42:52.0593 2500 asc3550 - ok
20:42:52.0609 2500 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:42:52.0625 2500 AsyncMac - ok
20:42:52.0640 2500 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
20:42:52.0656 2500 atapi - ok
20:42:52.0656 2500 Atdisk - ok
20:42:52.0687 2500 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:42:52.0718 2500 Atmarpc - ok
20:42:52.0734 2500 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
20:42:52.0750 2500 AudioSrv - ok
20:42:52.0765 2500 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
20:42:52.0796 2500 audstub - ok
20:42:52.0828 2500 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
20:42:52.0859 2500 Beep - ok
20:42:52.0890 2500 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
20:42:53.0171 2500 Browser - ok
20:42:53.0187 2500 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
20:42:53.0218 2500 cbidf2k - ok
20:42:53.0234 2500 cd20xrnt - ok
20:42:53.0250 2500 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
20:42:53.0265 2500 Cdaudio - ok
20:42:53.0296 2500 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
20:42:53.0296 2500 Cdfs - ok
20:42:53.0328 2500 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:42:53.0359 2500 Cdrom - ok
20:42:53.0375 2500 [ 1DCB5209601A70E36C70FE8D197D62CB ] cfwids C:\WINDOWS\system32\drivers\cfwids.sys
20:42:53.0375 2500 cfwids - ok
20:42:53.0390 2500 Changer - ok
20:42:53.0421 2500 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
20:42:53.0453 2500 CiSvc - ok
20:42:53.0453 2500 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
20:42:53.0484 2500 ClipSrv - ok
20:42:53.0500 2500 CmdIde - ok
20:42:53.0515 2500 COMSysApp - ok
20:42:53.0562 2500 Cpqarray - ok
20:42:53.0609 2500 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
20:42:53.0625 2500 CryptSvc - ok
20:42:53.0656 2500 dac2w2k - ok
20:42:53.0656 2500 dac960nt - ok
20:42:53.0703 2500 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
20:42:53.0718 2500 DcomLaunch - ok
20:42:53.0750 2500 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
20:42:53.0781 2500 Dhcp - ok
20:42:53.0796 2500 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
20:42:53.0796 2500 Disk - ok
20:42:53.0812 2500 dmadmin - ok
20:42:53.0875 2500 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
20:42:53.0937 2500 dmboot - ok
20:42:53.0953 2500 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
20:42:53.0968 2500 dmio - ok
20:42:53.0984 2500 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
20:42:53.0984 2500 dmload - ok
20:42:54.0000 2500 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
20:42:54.0015 2500 dmserver - ok
20:42:54.0031 2500 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
20:42:54.0062 2500 DMusic - ok
20:42:54.0078 2500 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
20:42:54.0359 2500 Dnscache - ok
20:42:54.0375 2500 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
20:42:54.0421 2500 Dot3svc - ok
20:42:54.0453 2500 dpti2o - ok
20:42:54.0468 2500 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
20:42:54.0484 2500 drmkaud - ok
20:42:54.0562 2500 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
20:42:54.0578 2500 EapHost - ok
20:42:54.0609 2500 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
20:42:54.0640 2500 ERSvc - ok
20:42:54.0656 2500 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
20:42:54.0703 2500 Eventlog - ok
20:42:54.0718 2500 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
20:42:54.0765 2500 EventSystem - ok
20:42:54.0796 2500 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
20:42:54.0828 2500 Fastfat - ok
20:42:54.0843 2500 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
20:42:55.0156 2500 FastUserSwitchingCompatibility - ok
20:42:55.0171 2500 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
20:42:55.0187 2500 Fdc - ok
20:42:55.0203 2500 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
20:42:55.0250 2500 Fips - ok
20:42:55.0265 2500 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
20:42:55.0281 2500 Flpydisk - ok
20:42:55.0312 2500 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:42:55.0312 2500 FltMgr - ok
20:42:55.0328 2500 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:42:55.0328 2500 Fs_Rec - ok
20:42:55.0359 2500 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:42:55.0359 2500 Ftdisk - ok
20:42:55.0390 2500 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:42:55.0406 2500 Gpc - ok
20:42:55.0437 2500 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
20:42:55.0437 2500 gupdate - ok
20:42:55.0468 2500 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
20:42:55.0468 2500 gupdatem - ok
20:42:55.0484 2500 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
20:42:55.0921 2500 gusvc - ok
20:42:55.0937 2500 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:42:55.0968 2500 HDAudBus - ok
20:42:55.0984 2500 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
20:42:56.0000 2500 helpsvc - ok
20:42:56.0015 2500 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
20:42:56.0031 2500 HidServ - ok
20:42:56.0046 2500 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:42:56.0062 2500 hidusb - ok
20:42:56.0062 2500 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
20:42:56.0109 2500 hkmsvc - ok
20:42:56.0125 2500 hpn - ok
20:42:56.0156 2500 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
20:42:56.0203 2500 HTTP - ok
20:42:56.0203 2500 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
20:42:56.0250 2500 HTTPFilter - ok
20:42:56.0265 2500 i2omgmt - ok
20:42:56.0296 2500 i2omp - ok
20:42:56.0312 2500 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:42:56.0343 2500 i8042prt - ok
20:42:56.0531 2500 [ 48846B31BE5A4FA662CCFDE7A1BA86B9 ] ialm C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:42:57.0000 2500 ialm - ok
20:42:57.0015 2500 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
20:42:57.0031 2500 Imapi - ok
20:42:57.0046 2500 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
20:42:57.0078 2500 ImapiService - ok
20:42:57.0093 2500 ini910u - ok
20:42:57.0250 2500 [ 12A9DAFE2266B6FA6DDBCE1847347751 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:42:57.0453 2500 IntcAzAudAddService - ok
20:42:57.0468 2500 IntelIde - ok
20:42:57.0484 2500 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:42:57.0500 2500 intelppm - ok
20:42:57.0515 2500 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:42:57.0531 2500 Ip6Fw - ok
20:42:57.0546 2500 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:42:57.0578 2500 IpFilterDriver - ok
20:42:57.0593 2500 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:42:57.0609 2500 IpInIp - ok
20:42:57.0625 2500 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:42:57.0656 2500 IpNat - ok
20:42:57.0671 2500 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:42:57.0703 2500 IPSec - ok
20:42:57.0718 2500 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
20:42:57.0734 2500 IRENUM - ok
20:42:57.0750 2500 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:42:57.0750 2500 isapnp - ok
20:42:57.0781 2500 [ 0A5709543986843D37A92290B7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
20:42:58.0203 2500 JavaQuickStarterService - ok
20:42:58.0218 2500 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:42:58.0250 2500 Kbdclass - ok
20:42:58.0265 2500 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:42:58.0296 2500 kbdhid - ok
20:42:58.0312 2500 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
20:42:58.0343 2500 kmixer - ok
20:42:58.0359 2500 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
20:42:58.0359 2500 KSecDD - ok
20:42:58.0390 2500 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] LanmanServer C:\WINDOWS\System32\srvsvc.dll
20:42:58.0703 2500 LanmanServer - ok
20:42:58.0734 2500 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
20:42:58.0750 2500 lanmanworkstation - ok
20:42:58.0765 2500 lbrtfdc - ok
20:42:58.0796 2500 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
20:42:58.0812 2500 LmHosts - ok
20:42:58.0828 2500 [ 3A346239CD2D75BE7F54BE7E28EB5E4F ] McAWFwk c:\PROGRA~1\mcafee\msc\mcawfwk.exe
20:42:59.0171 2500 McAWFwk - ok
20:42:59.0187 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] McMPFSvc C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0187 2500 McMPFSvc - ok
20:42:59.0218 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] mcmscsvc C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0218 2500 mcmscsvc - ok
20:42:59.0234 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] McNaiAnn C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0234 2500 McNaiAnn - ok
20:42:59.0250 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] McNASvc C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0250 2500 McNASvc - ok
20:42:59.0265 2500 [ E8C5AAE17E8332F5F4F57935238CD5EB ] McODS C:\Program Files\McAfee\VirusScan\mcods.exe
20:42:59.0687 2500 McODS - ok
20:42:59.0703 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] McOobeSv C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0703 2500 McOobeSv - ok
20:42:59.0734 2500 [ 7E6932EEDA54C8EAF7DC6C2225261B85 ] McProxy C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
20:42:59.0734 2500 McProxy - ok
20:42:59.0781 2500 [ 151F3CA25B739B9CB0066ABD1523F064 ] McShield C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
20:43:00.0156 2500 McShield - ok
20:43:00.0187 2500 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
20:43:00.0203 2500 Messenger - ok
20:43:00.0250 2500 [ 36B47B1E9C537F8F2B4481084B8F7D22 ] mfeapfk C:\WINDOWS\system32\drivers\mfeapfk.sys
20:43:00.0671 2500 mfeapfk - ok
20:43:00.0734 2500 [ CDE41293DB871A75CD99EB0CE781356B ] mfeavfk C:\WINDOWS\system32\drivers\mfeavfk.sys
20:43:01.0156 2500 mfeavfk - ok
20:43:01.0171 2500 mfeavfk01 - ok
20:43:01.0203 2500 [ E22385F64BDF0AD81157479496E33C4A ] mfebopk C:\WINDOWS\system32\drivers\mfebopk.sys
20:43:01.0593 2500 mfebopk - ok
20:43:01.0625 2500 [ 26BA2EEBCFF16F611CE1118FA0850810 ] mfefire C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
20:43:02.0062 2500 mfefire - ok
20:43:02.0093 2500 [ 215666A8A85023EF019B510CBB67F678 ] mfefirek C:\WINDOWS\system32\drivers\mfefirek.sys
20:43:02.0531 2500 mfefirek - ok
20:43:02.0562 2500 [ 56D330981866A72F061DD16CC5004513 ] mfehidk C:\WINDOWS\system32\drivers\mfehidk.sys
20:43:02.0578 2500 mfehidk - ok
20:43:02.0578 2500 [ 62ACDA4E958E2A392557BA3C6C754A58 ] mfendisk C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:43:02.0984 2500 mfendisk - ok
20:43:03.0000 2500 [ 62ACDA4E958E2A392557BA3C6C754A58 ] mfendiskmp C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:43:03.0406 2500 mfendiskmp - ok
20:43:03.0421 2500 [ 89B564D63C53FC0C6782AB07EEA63ACF ] mferkdet C:\WINDOWS\system32\drivers\mferkdet.sys
20:43:03.0765 2500 mferkdet - ok
20:43:03.0781 2500 [ 922E64CA38E38106498FB3435A8E399D ] mfetdi2k C:\WINDOWS\system32\drivers\mfetdi2k.sys
20:43:04.0203 2500 mfetdi2k - ok
20:43:04.0203 2500 [ D286062A8F57B0E69DB02111493CED77 ] mfevtp C:\WINDOWS\system32\mfevtps.exe
20:43:04.0546 2500 mfevtp - ok
20:43:04.0562 2500 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
20:43:04.0593 2500 mnmdd - ok
20:43:04.0609 2500 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
20:43:04.0656 2500 mnmsrvc - ok
20:43:04.0671 2500 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
20:43:04.0671 2500 Modem - ok
20:43:04.0687 2500 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:43:04.0718 2500 Mouclass - ok
20:43:04.0734 2500 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:43:04.0781 2500 mouhid - ok
20:43:04.0796 2500 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
20:43:04.0796 2500 MountMgr - ok
20:43:04.0812 2500 mraid35x - ok
20:43:04.0843 2500 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:43:04.0843 2500 MRxDAV - ok
20:43:04.0875 2500 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:43:04.0890 2500 MRxSmb - ok
20:43:04.0906 2500 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
20:43:04.0937 2500 MSDTC - ok
20:43:04.0953 2500 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
20:43:04.0968 2500 Msfs - ok
20:43:04.0968 2500 [ CFE6C05F6C48F7ED1F74F9BF9088A9C2 ] MSIconfig C:\WINDOWS\system32\msiexec64.exe
20:43:05.0359 2500 MSIconfig - ok
20:43:05.0375 2500 MSIServer - ok
20:43:05.0390 2500 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:43:05.0406 2500 MSKSSRV - ok
20:43:05.0421 2500 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:43:05.0453 2500 MSPCLOCK - ok
20:43:05.0468 2500 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
20:43:05.0500 2500 MSPQM - ok
20:43:05.0500 2500 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:43:05.0546 2500 mssmbios - ok
20:43:05.0546 2500 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
20:43:05.0562 2500 Mup - ok
20:43:05.0593 2500 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
20:43:05.0640 2500 napagent - ok
20:43:05.0656 2500 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
20:43:05.0671 2500 NDIS - ok
20:43:05.0703 2500 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:43:06.0078 2500 NdisTapi - ok
20:43:06.0140 2500 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:43:06.0171 2500 Ndisuio - ok
20:43:06.0203 2500 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:43:06.0250 2500 NdisWan - ok
20:43:06.0250 2500 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
20:43:06.0578 2500 NDProxy - ok
20:43:06.0578 2500 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
20:43:06.0593 2500 NetBIOS - ok
20:43:06.0609 2500 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
20:43:06.0640 2500 NetBT - ok
20:43:06.0656 2500 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
20:43:06.0671 2500 NetDDE - ok
20:43:06.0687 2500 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
20:43:06.0687 2500 NetDDEdsdm - ok
20:43:06.0703 2500 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
20:43:06.0718 2500 Netlogon - ok
20:43:06.0734 2500 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
20:43:06.0781 2500 Netman - ok
20:43:06.0796 2500 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
20:43:06.0812 2500 Nla - ok
20:43:06.0812 2500 [ 1E421A6BCF2203CC61B821ADA9DE878B ] nm C:\WINDOWS\system32\DRIVERS\NMnt.sys
20:43:06.0843 2500 nm - ok
20:43:06.0875 2500 [ B15E0180C43D8B5219196D76878CC2DD ] NPF C:\WINDOWS\system32\drivers\npf.sys
20:43:06.0921 2500 NPF - ok
20:43:06.0937 2500 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
20:43:06.0937 2500 Npfs - ok
20:43:06.0968 2500 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
20:43:07.0000 2500 Ntfs - ok
20:43:07.0000 2500 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
20:43:07.0015 2500 NtLmSsp - ok
20:43:07.0031 2500 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
20:43:07.0062 2500 NtmsSvc - ok
20:43:07.0062 2500 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
20:43:07.0093 2500 Null - ok
20:43:07.0109 2500 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:43:07.0109 2500 NwlnkFlt - ok
20:43:07.0125 2500 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:43:07.0140 2500 NwlnkFwd - ok
20:43:07.0156 2500 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
20:43:07.0187 2500 Parport - ok
20:43:07.0203 2500 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
20:43:07.0203 2500 PartMgr - ok
20:43:07.0234 2500 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
20:43:07.0234 2500 ParVdm - ok
20:43:07.0250 2500 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
20:43:07.0250 2500 PCI - ok
20:43:07.0265 2500 PCIDump - ok
20:43:07.0281 2500 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
20:43:07.0281 2500 PCIIde - ok
20:43:07.0296 2500 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
20:43:07.0328 2500 Pcmcia - ok
20:43:07.0343 2500 PDCOMP - ok
20:43:07.0343 2500 PDFRAME - ok
20:43:07.0359 2500 PDRELI - ok
20:43:07.0375 2500 PDRFRAME - ok
20:43:07.0390 2500 perc2 - ok
20:43:07.0406 2500 perc2hib - ok
20:43:07.0453 2500 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
20:43:07.0468 2500 PlugPlay - ok
20:43:07.0468 2500 [ CF7C1868B90C90A265FC3F60CE46265B ] Point32 C:\WINDOWS\system32\DRIVERS\point32.sys
20:43:07.0796 2500 Point32 - ok
20:43:07.0812 2500 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
20:43:07.0812 2500 PolicyAgent - ok
20:43:07.0812 2500 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:43:07.0843 2500 PptpMiniport - ok
20:43:07.0859 2500 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
20:43:07.0859 2500 ProtectedStorage - ok
20:43:07.0875 2500 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
20:43:07.0906 2500 PSched - ok
20:43:07.0921 2500 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:43:07.0921 2500 Ptilink - ok
20:43:07.0937 2500 ql1080 - ok
20:43:07.0953 2500 Ql10wnt - ok
20:43:07.0968 2500 ql12160 - ok
20:43:07.0984 2500 ql1240 - ok
20:43:07.0984 2500 ql1280 - ok
20:43:08.0000 2500 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:43:08.0046 2500 RasAcd - ok
20:43:08.0062 2500 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
20:43:08.0093 2500 RasAuto - ok
20:43:08.0093 2500 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:43:08.0109 2500 Rasl2tp - ok
20:43:08.0125 2500 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
20:43:08.0140 2500 RasMan - ok
20:43:08.0156 2500 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:43:08.0187 2500 RasPppoe - ok
20:43:08.0203 2500 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
20:43:08.0218 2500 Raspti - ok
20:43:08.0234 2500 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:43:08.0234 2500 Rdbss - ok
20:43:08.0250 2500 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:43:08.0281 2500 RDPCDD - ok
20:43:08.0296 2500 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:43:08.0312 2500 rdpdr - ok
20:43:08.0328 2500 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
20:43:08.0968 2500 RDPWD - ok
20:43:08.0984 2500 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
20:43:09.0015 2500 RDSessMgr - ok
20:43:09.0031 2500 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
20:43:09.0031 2500 redbook - ok
20:43:09.0046 2500 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
20:43:09.0093 2500 RemoteAccess - ok
20:43:09.0109 2500 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
20:43:09.0140 2500 RemoteRegistry - ok
20:43:09.0156 2500 [ 9ED13880478F14900A5840FF048D174C ] rpcapd C:\Program Files\WinPcap\rpcapd.exe
20:43:09.0531 2500 rpcapd - ok
20:43:09.0546 2500 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
20:43:09.0562 2500 RpcLocator - ok
20:43:09.0578 2500 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
20:43:09.0593 2500 RpcSs - ok
20:43:09.0609 2500 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
20:43:09.0625 2500 RSVP - ok
20:43:09.0640 2500 [ B52B25F41BF3511071A0E7D10D659C56 ] RTLE8023xp C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
20:43:09.0921 2500 RTLE8023xp - ok
20:43:09.0921 2500 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
20:43:09.0937 2500 SamSs - ok
20:43:09.0953 2500 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
20:43:09.0968 2500 SCardSvr - ok
20:43:09.0984 2500 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
20:43:10.0031 2500 Schedule - ok
20:43:10.0046 2500 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:43:10.0062 2500 Secdrv - ok
20:43:10.0062 2500 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
20:43:10.0093 2500 seclogon - ok
20:43:10.0109 2500 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
20:43:10.0109 2500 SENS - ok
20:43:10.0125 2500 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
20:43:10.0140 2500 Serial - ok
20:43:10.0156 2500 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
20:43:10.0187 2500 Sfloppy - ok
20:43:10.0218 2500 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
20:43:10.0218 2500 ShellHWDetection - ok
20:43:10.0234 2500 Simbad - ok
20:43:10.0250 2500 [ 68FC62A72BD6D8E9DFE3718440BE94A0 ] snapman C:\WINDOWS\system32\DRIVERS\snapman.sys
20:43:10.0265 2500 snapman - ok
20:43:10.0281 2500 Sparrow - ok
20:43:10.0296 2500 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
20:43:10.0328 2500 splitter - ok
20:43:10.0328 2500 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
20:43:10.0734 2500 Spooler - ok
20:43:10.0750 2500 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
20:43:10.0750 2500 sr - ok
20:43:10.0781 2500 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
20:43:10.0812 2500 srservice - ok
20:43:10.0828 2500 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
20:43:10.0859 2500 Srv - ok
20:43:10.0875 2500 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
20:43:10.0906 2500 SSDPSRV - ok
20:43:10.0937 2500 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
20:43:10.0984 2500 stisvc - ok
20:43:11.0015 2500 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
20:43:11.0031 2500 swenum - ok
20:43:11.0062 2500 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
20:43:11.0093 2500 swmidi - ok
20:43:11.0109 2500 SwPrv - ok
20:43:11.0140 2500 symc810 - ok
20:43:11.0171 2500 symc8xx - ok
20:43:11.0187 2500 sym_hi - ok
20:43:11.0203 2500 sym_u3 - ok
20:43:11.0234 2500 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
20:43:11.0250 2500 sysaudio - ok
20:43:11.0265 2500 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
20:43:11.0281 2500 SysmonLog - ok
20:43:11.0296 2500 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
20:43:11.0343 2500 TapiSrv - ok
20:43:11.0375 2500 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:43:11.0406 2500 Tcpip - ok
20:43:11.0406 2500 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
20:43:11.0437 2500 TDPIPE - ok
20:43:11.0468 2500 [ 3B7B6779EB231F731BBA8F9FE67AADFC ] tdrpman C:\WINDOWS\system32\DRIVERS\tdrpman.sys
20:43:11.0468 2500 tdrpman - ok
20:43:11.0484 2500 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
20:43:11.0515 2500 TDTCP - ok
20:43:11.0531 2500 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
20:43:11.0546 2500 TermDD - ok
20:43:11.0578 2500 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
20:43:11.0593 2500 TermService - ok
20:43:11.0609 2500 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
20:43:11.0625 2500 Themes - ok
20:43:11.0640 2500 [ B0B3122BFF3910E0BA97014045467778 ] tifsfilter C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
20:43:11.0640 2500 tifsfilter - ok
20:43:11.0656 2500 [ 13BFE330880AC0CE8672D00AA5AFF738 ] timounter C:\WINDOWS\system32\DRIVERS\timntr.sys
20:43:11.0671 2500 timounter - ok
20:43:11.0687 2500 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
20:43:11.0734 2500 TlntSvr - ok
20:43:11.0750 2500 TosIde - ok
20:43:11.0781 2500 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
20:43:11.0812 2500 TrkWks - ok
20:43:11.0843 2500 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
20:43:11.0843 2500 Udfs - ok
20:43:11.0859 2500 ultra - ok
20:43:11.0890 2500 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
20:43:11.0937 2500 Update - ok
20:43:11.0953 2500 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
20:43:11.0984 2500 upnphost - ok
20:43:12.0000 2500 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
20:43:12.0031 2500 UPS - ok
20:43:12.0046 2500 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:43:12.0062 2500 usbccgp - ok
20:43:12.0078 2500 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:43:12.0093 2500 usbehci - ok
20:43:12.0109 2500 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:43:12.0140 2500 usbhub - ok
20:43:12.0156 2500 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:43:12.0187 2500 usbscan - ok
20:43:12.0203 2500 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:43:12.0234 2500 USBSTOR - ok
20:43:12.0250 2500 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:43:12.0265 2500 usbuhci - ok
20:43:12.0281 2500 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
20:43:12.0312 2500 VgaSave - ok
20:43:12.0328 2500 ViaIde - ok
20:43:12.0343 2500 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
20:43:12.0359 2500 VolSnap - ok
20:43:12.0375 2500 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
20:43:12.0421 2500 VSS - ok
20:43:12.0437 2500 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
20:43:12.0468 2500 W32Time - ok
20:43:12.0500 2500 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:43:12.0531 2500 Wanarp - ok
20:43:12.0546 2500 WDICA - ok
20:43:12.0562 2500 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
20:43:12.0593 2500 wdmaud - ok
20:43:12.0609 2500 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
20:43:12.0625 2500 WebClient - ok
20:43:12.0640 2500 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
20:43:12.0671 2500 winmgmt - ok
20:43:12.0703 2500 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
20:43:12.0718 2500 WmdmPmSN - ok
20:43:12.0750 2500 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
20:43:12.0765 2500 Wmi - ok
20:43:12.0781 2500 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
20:43:12.0812 2500 WmiApSrv - ok
20:43:12.0843 2500 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
20:43:12.0859 2500 WZCSVC - ok
20:43:12.0875 2500 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
20:43:12.0921 2500 xmlprov - ok
20:43:12.0921 2500 ================ Scan global ===============================
20:43:12.0937 2500 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
20:43:12.0984 2500 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:43:13.0296 2500 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:43:13.0328 2500 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
20:43:13.0328 2500 [Global] - ok
20:43:13.0328 2500 ================ Scan MBR ==================================
20:43:13.0343 2500 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
20:43:13.0562 2500 \Device\Harddisk0\DR0 - ok
20:43:13.0562 2500 ================ Scan VBR ==================================
20:43:13.0578 2500 [ FCB71105C35F0F64DA74C03777CDA522 ] \Device\Harddisk0\DR0\Partition1
20:43:13.0578 2500 \Device\Harddisk0\DR0\Partition1 - ok
20:43:13.0578 2500 [ 04570867E24E2C79BD560096B64F17EF ] \Device\Harddisk0\DR0\Partition2
20:43:13.0578 2500 \Device\Harddisk0\DR0\Partition2 - ok
20:43:13.0593 2500 ============================================================
20:43:13.0593 2500 Scan finished
20:43:13.0593 2500 ============================================================
20:43:13.0609 9976 Detected object count: 1
20:43:13.0609 9976 Actual detected object count: 1
20:43:27.0531 9976 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
20:43:35.0421 9976 Backup copy found, using it..
20:43:35.0437 9976 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
20:43:35.0437 9976 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
20:43:41.0343 9588 Deinitialize success


aswMBR Logfile:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-20 21:33:47
-----------------------------
21:33:47.125 OS Version: Windows 5.1.2600 Service Pack 3
21:33:47.125 Number of processors: 4 586 0x1C02
21:33:47.125 ComputerName: TORRENT UserName: USER
21:33:47.375 Initialize success
21:34:09.750 AVAST engine defs: 12092001
21:34:15.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
21:34:15.062 Disk 0 Vendor: OCZ-VERTEX2_3.5 1.32 Size: 109704MB BusType: 3
21:34:15.062 Disk 0 MBR read successfully
21:34:15.062 Disk 0 MBR scan
21:34:15.078 Disk 0 Windows XP default MBR code
21:34:15.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 67280 MB offset 63
21:34:15.078 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 42421 MB offset 137789505
21:34:15.093 Disk 0 scanning sectors +224669025
21:34:15.109 Disk 0 scanning C:\WINDOWS\system32\drivers
21:34:22.203 Service scanning
21:34:28.218 Service MSIconfig C:\WINDOWS\system32\msiexec64.exe **INFECTED** Win32:Spyware-gen [Spy]
21:34:33.562 Modules scanning
21:34:37.046 Disk 0 trace - called modules:
21:34:37.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:34:37.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8c0ab8]
21:34:37.078 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8a8129e8]
21:34:37.078 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-5[0x8a85bd98]
21:34:37.250 AVAST engine scan C:\WINDOWS
21:34:41.187 AVAST engine scan C:\WINDOWS\system32
21:34:55.875 File: C:\WINDOWS\system32\dosxlace.dll **INFECTED** Win32:Dropper-gen [Drp]
21:35:30.718 File: C:\WINDOWS\system32\msiexec64.exe **INFECTED** Win32:Spyware-gen [Spy]
21:36:26.156 AVAST engine scan C:\WINDOWS\system32\drivers
21:36:37.640 AVAST engine scan C:\Documents and Settings\USER
21:36:38.375 File: C:\Documents and Settings\USER\Application Data\bbjjoditgcybpryccus.exe **INFECTED** Win32:Trojan-gen
21:36:38.781 File: C:\Documents and Settings\USER\Application Data\Ekyb\ivezb.exe **INFECTED** Win32:Downloader-QOT [Trj]
21:36:38.906 File: C:\Documents and Settings\USER\Application Data\Gywaix\kuyqo.exe **INFECTED** Win32:Downloader-QOT [Trj]
21:36:39.468 File: C:\Documents and Settings\USER\Application Data\liseda.dll **INFECTED** Win32:Trojan-gen
21:36:42.875 File: C:\Documents and Settings\USER\Application Data\Moes\ixzai.exe **INFECTED** Win32:Trojan-gen
21:36:42.937 File: C:\Documents and Settings\USER\Application Data\Muyt\zoyso.exe **INFECTED** Win32:LockScreen-IZ [Trj]
21:36:43.015 File: C:\Documents and Settings\USER\Application Data\orkbt.dll **INFECTED** Win32:Trojan-gen
21:36:43.093 File: C:\Documents and Settings\USER\Application Data\pocsr.dll **INFECTED** Win32:Agent-APWT [Trj]
21:36:44.187 File: C:\Documents and Settings\USER\Application Data\wmlbj.dll **INFECTED** Win32:Agent-APWR [Trj]
21:36:44.328 File: C:\Documents and Settings\USER\Application Data\Yqcy\luma.exe **INFECTED** Win32:Spyware-gen [Spy]
21:36:57.984 File: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Windows\1451\TsUsbRedirectionGroupPolicyExtension.exe **INFECTED** Win32:Downloader-QOQ [Trj]
21:36:58.437 File: C:\Documents and Settings\USER\Local Settings\Temp\134.tmp **INFECTED** Win32:Dropper-gen [Drp]
21:36:58.796 File: C:\Documents and Settings\USER\Local Settings\Temp\6.tmp **INFECTED** Win32:Trojan-gen
21:36:59.109 File: C:\Documents and Settings\USER\Local Settings\Temp\A.tmp **INFECTED** Win32:Trojan-gen
21:36:59.343 File: C:\Documents and Settings\USER\Local Settings\Temp\C.tmp **INFECTED** Win32:LockScreen-IY [Trj]
21:36:59.640 File: C:\Documents and Settings\USER\Local Settings\Temp\idpjbdrjd.exe **INFECTED** Win32:Malware-gen
21:37:06.953 File: C:\Documents and Settings\USER\Local Settings\Temp\tmp2fa48796\ok3eefdkd.exe **INFECTED** Win32:Malware-gen
21:37:13.921 File: C:\Documents and Settings\USER\Local Settings\Temp\~!#12F.tmp **INFECTED** Win32:Trojan-gen
21:37:14.046 File: C:\Documents and Settings\USER\Local Settings\Temp\~!#131.tmp **INFECTED** Win32:FakeAlert-CYR [Trj]
21:37:14.093 File: C:\Documents and Settings\USER\Local Settings\Temp\~!#18.tmp **INFECTED** Win32:Rootkit-gen [Rtk]
21:37:14.234 File: C:\Documents and Settings\USER\Local Settings\Temp\~!#1A.tmp **INFECTED** Win32:FakeAlert-CYU [Trj]
21:38:18.187 AVAST engine scan C:\Documents and Settings\All Users
21:44:03.171 Scan finished successfully
21:55:27.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\USER\Desktop\MBR.dat"
21:55:27.484 The log file has been saved successfully to "C:\Documents and Settings\USER\Desktop\aswMBR.txt"


I hope these help shed some light.

Thanks :)

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 September 2012 - 08:37 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 September 2012 - 11:48 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#12 Emberam
  • Topic Starter

  • Members
  • 9 posts

Posted 24 September 2012 - 07:46 PM

Hello Gringo:

Below is the Logfile as requested.
It took about 3 reboots and about 4 hours to complete the scan. McAfee detected a ZeroAccess trojan once and has never given me a peep since. I can now do VirusScan updates, which I could not before, and all the icons and program settings have returned to pre-infection locations/values. The machine is still noticeably slower to respond when using Internet Explorer, but Windows itself is functioning better.

Not sure if everything is 100% gone but hopefully you can tell me more.


ComboFix 12-09-23.03 - USER 23/09/2012 21:06:05.1.4 - x86
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\vOK64xhU.exe.b
c:\documents and settings\USER\Application Data\4F087B.dat
c:\documents and settings\USER\Application Data\Abewm
c:\documents and settings\USER\Application Data\Abewm\acma.exe
c:\documents and settings\USER\Application Data\Bacy
c:\documents and settings\USER\Application Data\Bacy\honi.soz
c:\documents and settings\USER\Application Data\cumief.dll
c:\documents and settings\USER\Application Data\Ekyb
c:\documents and settings\USER\Application Data\Ekyb\ivezb.exe
c:\documents and settings\USER\Application Data\Exuqn
c:\documents and settings\USER\Application Data\Exuqn\ifpu.zez
c:\documents and settings\USER\Application Data\Gywaix
c:\documents and settings\USER\Application Data\Gywaix\kuyqo.exe
c:\documents and settings\USER\Application Data\Ixitq
c:\documents and settings\USER\Application Data\Ixitq\yzez.avf
c:\documents and settings\USER\Application Data\lanbap.dll
c:\documents and settings\USER\Application Data\Muyt
c:\documents and settings\USER\Application Data\Muyt\zoyso.exe
c:\documents and settings\USER\Application Data\Ubwe
c:\documents and settings\USER\Application Data\Ubwe\abeth.yve
c:\documents and settings\USER\Application Data\Yqcy
c:\documents and settings\USER\Application Data\Yqcy\luma.exe
c:\documents and settings\USER\dfd2b1eb_cbb.exe
c:\documents and settings\USER\Favorites\Thumbs.db
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MSICONFIG
-------\Service_MSIconfig
.
.
((((((((((((((((((((((((( Files Created from 2012-08-24 to 2012-09-24 )))))))))))))))))))))))))))))))
.
.
2012-09-22 03:03 . 2012-09-22 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\67B43CB38F3E364100ED67B350376C82
2012-09-21 00:43 . 2012-09-23 23:07 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-20 22:40 . 2012-09-20 22:40 -------- d-----w- c:\documents and settings\USER\Application Data\Egho
2012-09-20 02:06 . 2012-09-20 02:06 -------- d-----w- c:\documents and settings\USER\Application Data\Enezic
2012-09-20 01:01 . 2012-09-20 01:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-09-19 22:26 . 2012-09-19 22:26 -------- d-----w- c:\documents and settings\USER\Application Data\Yfkyu
2012-09-19 05:19 . 2012-09-19 05:23 -------- d-----w- c:\documents and settings\USER\Application Data\Reuc
2012-09-19 05:18 . 2012-09-22 03:02 108 ----a-w- c:\documents and settings\USER\inv.vbs
2012-09-17 02:23 . 2012-09-17 02:23 -------- d-----w- c:\documents and settings\USER\Application Data\hellomoto
2012-09-08 20:52 . 2012-09-17 23:52 -------- d-----w- c:\documents and settings\USER\Application Data\Soak
2012-09-08 20:52 . 2012-09-08 20:52 -------- d-----w- c:\documents and settings\USER\Application Data\Qaka
2012-09-08 20:51 . 2012-09-08 20:51 -------- d-sh--w- c:\documents and settings\USER\IECompatCache
2012-09-08 05:39 . 2012-09-08 05:39 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Identities
2012-09-08 05:39 . 2012-09-24 01:20 -------- d-----w- c:\documents and settings\USER\Application Data\Moes
2012-09-08 05:39 . 2012-09-08 05:43 -------- d-----w- c:\documents and settings\USER\Application Data\Oskab
2012-09-08 05:39 . 2012-09-08 05:39 -------- d-----w- c:\documents and settings\USER\Application Data\Uqutt
2012-08-27 03:37 . 2012-08-27 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\6C82D0E00009878702F991367B07D287
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 00:44 . 2008-04-14 04:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-09-20 23:43 . 2012-04-04 14:07 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 23:43 . 2011-06-11 16:27 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 13:58 . 2008-04-14 09:41 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2011-04-17 04:48 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2008-04-14 05:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-04-14 09:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 17:49 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 12:05 . 2008-04-14 04:07 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2011-04-17 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\USER\Start Menu\Programs\Startup\
TeamSpeak 2 Server.lnk - c:\program files\Teamspeak2_RC2\server_windows.exe [2011-4-17 1263104]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 07:57 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-06-10 08:02 904840 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 16:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 19:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-09-18 18:02 16855040 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 07:55 1326080 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [18/05/2011 11:58 PM 89792]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/12/2011 12:21 AM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/12/2011 12:21 AM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [22/12/2011 12:21 AM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [22/12/2011 12:11 AM 150856]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [18/05/2011 11:58 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [18/05/2011 11:58 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [18/05/2011 11:58 PM 83856]
S2 3259;3259;\??\c:\docume~1\USER\LOCALS~1\Temp\3259.sys --> c:\docume~1\USER\LOCALS~1\Temp\3259.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/05/2011 5:49 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [04/04/2012 10:08 AM 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/05/2011 5:49 PM 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [22/12/2011 12:23 AM 203080]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [18/05/2011 11:58 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [18/05/2011 11:58 PM 87656]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/01/2007 1:31 PM 42000]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [22/12/2011 12:21 AM 214904]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 23:43]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-25 21:49]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-25 21:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Laamoxelmo - c:\documents and settings\USER\Application Data\Yqcy\luma.exe
HKCU-Run-Saigoqzuga - c:\documents and settings\USER\Application Data\Gywaix\kuyqo.exe
HKCU-Run-Windows Update Server - c:\documents and settings\USER\dfd2b1eb_cbb.exe
SafeBoot-42714107.sys
MSConfigStartUp-alear - c:\documents and settings\USER\Application Data\alear.dll
MSConfigStartUp-Ilifa - c:\documents and settings\USER\Application Data\Moes\ixzai.exe
MSConfigStartUp-liseda - c:\documents and settings\USER\Application Data\liseda.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-23 23:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,60,aa,42,b5,89,7f,4a,bb,ba,ed,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,60,aa,42,b5,89,7f,4a,bb,ba,ed,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(2120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-09-23 23:34:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-24 03:34
.
Pre-Run: 47,304,495,104 bytes free
Post-Run: 45,754,617,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B102F2199B2F90599276E72E524F4A96


Thank You :)

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2012 - 01:23 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 

Folder::
c:\documents and settings\USER\Application Data\Egho
c:\documents and settings\USER\Application Data\Enezic
c:\documents and settings\USER\Application Data\Yfkyu
c:\documents and settings\USER\Application Data\Reuc
c:\documents and settings\USER\Application Data\Soak
c:\documents and settings\USER\Application Data\Qaka
c:\documents and settings\USER\Application Data\Moes
c:\documents and settings\USER\Application Data\Oskab
c:\documents and settings\USER\Application Data\Uqutt

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 September 2012 - 07:01 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#15 Emberam
  • Topic Starter

  • Members
  • 9 posts

Posted 30 September 2012 - 08:02 PM

Hello Gringo:

I've been away with the kids.

I'm setting up the script now and will run it tonight. Will post the results later tonight.

Thanks

