
Trojan Sifrefef.AB Detected


This topic is locked.
23 replies to this topic

#1 cyke68


  • Members
  • 18 posts

Posted 17 September 2012 - 05:14 PM

Hello,

Doing some diagnostics on my parents' desktop, so please bear with me as this originated from second-hand information. I am told that MS Security Essentials prompted for an update, which was done, then it reported the trojan Win32/Sirefef.AB. It appears to clean successfully, then requires a restart. The bug is flagged again in SE after rebooting. I can't seem to wipe it with SE, so looking for a permanent solution. (SE appears to be legit, but I realize the user might have acted on a spoof alert to update or something, kicking this whole problem off.) I'm running 32-bit XP, Service Pack 3. I had some issues with the GMER scan. (A dialog box reading "WARNING! GMER has found system modification caused by ROOTKIT activity" displayed and I could not successfully save the log. Had to run it a second time.) Not sure if the log is complete, but it is attached nonetheless. The DDS log follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Administrator at 18:28:40 on 2012-09-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.339 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxeacoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://premium1.tds.net/files/tds/onlinescanner/fscax.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{AFD2B09C-3714-4274-91CF-D668373D0EA0} : DhcpNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: winmm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
S1 onpktvpw;onpktvpw;c:\windows\system32\drivers\onpktvpw.sys [2012-9-16 43600]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2010-6-1 98984]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-9 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
UnknownUnknown fcbktkrk;fcbktkrk; [x]
UnknownUnknown tnrfaaqs;tnrfaaqs; [x]
.
=============== Created Last 30 ================
.
2012-09-16 21:48:50 43600 ----a-w- c:\windows\system32\drivers\onpktvpw.sys
2012-09-16 21:48:41 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17849164-25b1-46fe-87c6-9fc094dd89de}\offreg.dll
2012-09-16 14:06:58 7022536 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17849164-25b1-46fe-87c6-9fc094dd89de}\mpengine.dll
2012-09-16 14:00:01 -------- d-----w- c:\program files\Microsoft Security Client
.
==================== Find3M ====================
.
2012-08-15 23:53:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 23:53:24 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-17 12:39:16 207609 ----a-w- c:\documents and settings\all users\SPLC.tmp
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 18:29:50.07 ===============

Attached files: dds.txt (10.19KB), ark.txt (889 bytes)



#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 September 2012 - 10:02 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 cyke68

  • Topic Starter

  • Members
  • 18 posts

Posted 17 September 2012 - 11:20 PM

Hi Gringo, thanks for the quick response! I have followed your instructions. Worth noting, after these scans, Microsoft Security Essentials is now in the green as of my last reboot! Here is the AdwCleaner log:

# AdwCleaner v2.002 - Logfile created 09/17/2012 at 23:58:49
# Updated 16/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Compaq_Administrator - YOUR-81F40AF718
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

*************************

AdwCleaner[S1].txt - [1128 octets] - [17/09/2012 23:58:49]

########## EOF - C:\AdwCleaner[S1].txt - [1188 octets] ##########


And RKreport[1]...

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Compaq_Administrator [Admin rights]
Mode : Scan -- Date : 09/18/2012 00:07:02

Bad processes : 0

Registry Entries : 7
[STARTUP][BLACKLIST DLL] ChkDisk.lnk @Compaq_Administrator : C:\WINDOWS\system32\rundll32.exe|C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs\Startup\ChkDisk.dll,_IWMPEvents@16 -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n.) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\L --> FOUND

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Maxtor 6L200M0 +++++
--- User ---
[MBR] ecae8bd62e3ae0bb9b3942a812515d90
[BSP] 8a7884da59e414827f91c43dcf324e78 : Toshiba tatooed MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 6142 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 12579840 | Size: 184629 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
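A log triage helper, added here as an example and not code from this thread or from DDS/RogueKiller: it scans DDS or RogueKiller text for the ZeroAccess artefacts visible in the reports above (the RECYCLER\S-1-5-18\$<hash> module path, the GAC Desktop.ini, the Security Center notification flags, the rundll32 Startup .lnk, and the randomly named services). The regexes, the 8-letter service-name heuristic and the constructed SAMPLE_LOG are my assumptions.

```python
"""Flag ZeroAccess (Sirefef) artefacts in DDS and RogueKiller log text.

Added example, not code from the thread or from DDS/RogueKiller. The patterns
encode what the thread's logs show; the 8-letter service-name rule is a
heuristic assumption, and SAMPLE_LOG is constructed from lines in the thread.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# ZeroAccess stores its modules in a fake recycle-bin folder named '$' plus
# 32 hex digits, under the SYSTEM SID (S-1-5-18) or a user SID (S-1-5-21-...).
RECYCLER_RE = re.compile(
    r"C:\\RECYCLER\\S-1-5-(?:18|21-[\d-]+)\\\$[0-9a-f]{32}", re.IGNORECASE)
# Desktop.ini dropped into the .NET Global Assembly Cache directory.
GAC_INI_RE = re.compile(r"\\Assembly\\GAC\\Desktop\.ini\b", re.IGNORECASE)
# Security Center notifications switched off (value 1 = disabled).
SECCENTER_RE = re.compile(
    r"Security Center : (?:AntiVirusDisableNotify|FirewallDisableNotify) \(1\)")
# Startup-folder .lnk that runs rundll32 on a DLL dropped in the Startup folder.
STARTUP_RUNDLL_RE = re.compile(
    r"\[STARTUP\].*rundll32\.exe\|[^|]*\\Startup\\[^,\\]+\.dll,", re.IGNORECASE)
# DDS service/driver line whose service name and display name are the same
# 8 random lowercase letters, e.g. "S1 onpktvpw;onpktvpw;..." (heuristic).
RANDOM_SERVICE_RE = re.compile(r"^(?:[RS][0-3]|UnknownUnknown) ([a-z]{8});\1;")

INDICATORS = [
    ("recycler_module_path", RECYCLER_RE),
    ("gac_desktop_ini", GAC_INI_RE),
    ("security_center_notify_off", SECCENTER_RE),
    ("startup_rundll32_dll", STARTUP_RUNDLL_RE),
    ("random_service_name", RANDOM_SERVICE_RE),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    line: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per log line that matches a ZeroAccess indicator."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(line_no, name, line))
                break  # one indicator per line is enough for triage
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator type."""
    return dict(Counter(f.indicator for f in findings))


def is_likely_zeroaccess(findings: list[Finding]) -> bool:
    """Require the RECYCLER module path (the strongest artefact) plus at least
    one other indicator type, so a lone odd-looking service name alone
    does not trigger."""
    kinds = {f.indicator for f in findings}
    return "recycler_module_path" in kinds and len(kinds) >= 2


# Constructed sample: lines lifted from the thread's DDS and RogueKiller
# reports, mixed with benign entries that must not be flagged.
SAMPLE_LOG = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S1 onpktvpw;onpktvpw;c:\windows\system32\drivers\onpktvpw.sys [2012-9-16 43600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
UnknownUnknown fcbktkrk;fcbktkrk; [x]
UnknownUnknown tnrfaaqs;tnrfaaqs; [x]
[STARTUP][BLACKLIST DLL] ChkDisk.lnk @Compaq_Administrator : C:\WINDOWS\system32\rundll32.exe|C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs\Startup\ChkDisk.dll,_IWMPEvents@16 -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n.) -> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-3291263471-3854962766-3140342222-1008\$ff24043d55f85ce9a20a8337d9b4b888\U --> FOUND
127.0.0.1 localhost
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no:>3} [{f.indicator}] {f.line[:80]}")
    print("summary:", summarize(found))
    print("likely ZeroAccess:", is_likely_zeroaccess(found))
```

Run against a real DDS or RKreport text file by passing its contents to scan_log; the legitimate MpFilter and gupdatem entries in the sample show that the service-name heuristic ignores services whose display name differs from the key name.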

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 September 2012 - 11:34 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 cyke68

  • Topic Starter

  • Members
  • 18 posts

Posted 18 September 2012 - 07:01 PM

Alright... TDSSKiller reported no threats! Here is that log:

19:06:12.0168 2496 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
19:06:12.0433 2496 ============================================================
19:06:12.0433 2496 Current date / time: 2012/09/18 19:06:12.0433
19:06:12.0433 2496 SystemInfo:
19:06:12.0433 2496
19:06:12.0433 2496 OS Version: 5.1.2600 ServicePack: 3.0
19:06:12.0433 2496 Product type: Workstation
19:06:12.0433 2496 ComputerName: YOUR-81F40AF718
19:06:12.0433 2496 UserName: Compaq_Administrator
19:06:12.0433 2496 Windows directory: C:\WINDOWS
19:06:12.0433 2496 System windows directory: C:\WINDOWS
19:06:12.0433 2496 Processor architecture: Intel x86
19:06:12.0433 2496 Number of processors: 2
19:06:12.0433 2496 Page size: 0x1000
19:06:12.0433 2496 Boot type: Normal boot
19:06:12.0433 2496 ============================================================
19:06:14.0965 2496 Drive \Device\Harddisk0\DR0 - Size: 0x2E93E36000 (186.31 Gb), SectorSize: 0x200, Cylinders: 0x64F1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
19:06:15.0199 2496 ============================================================
19:06:15.0199 2496 \Device\Harddisk0\DR0:
19:06:15.0199 2496 MBR partitions:
19:06:15.0199 2496 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0xBFF3C1
19:06:15.0199 2496 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xBFF400, BlocksNum 0x1689AB00
19:06:15.0199 2496 ============================================================
19:06:15.0231 2496 C: <-> \Device\Harddisk0\DR0\Partition2
19:06:15.0231 2496 D: <-> \Device\Harddisk0\DR0\Partition1
19:06:15.0231 2496 ============================================================
19:06:15.0231 2496 Initialize success
19:06:15.0231 2496 ============================================================
19:06:22.0498 2604 ============================================================
19:06:22.0498 2604 Scan started
19:06:22.0498 2604 Mode: Manual;
19:06:22.0498 2604 ============================================================
19:06:25.0530 2604 ================ Scan system memory ========================
19:06:25.0530 2604 System memory - ok
19:06:25.0530 2604 ================ Scan services =============================
19:06:28.0687 2604 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
19:06:28.0796 2604 gusvc - ok
19:06:28.0859 2604 [ 160B24FD894E79E71C983EA403A6E6E7 ] HdAudAddService C:\WINDOWS\system32\drivers\HdAudio.sys
19:06:28.0859 2604 HdAudAddService - ok
19:06:28.0937 2604 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:06:28.0937 2604 HDAudBus - ok
19:06:29.0030 2604 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:06:29.0030 2604 helpsvc - ok
19:06:29.0030 2604 HidServ - ok
19:06:29.0077 2604 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:06:29.0077 2604 HidUsb - ok
19:06:29.0077 2604 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
19:06:29.0077 2604 hkmsvc - ok
19:06:29.0093 2604 hpn - ok
19:06:29.0140 2604 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
19:06:29.0156 2604 HTTP - ok
19:06:29.0187 2604 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
19:06:29.0187 2604 HTTPFilter - ok
19:06:29.0202 2604 i2omgmt - ok
19:06:29.0202 2604 i2omp - ok
19:06:29.0249 2604 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:06:29.0249 2604 i8042prt - ok
19:06:29.0312 2604 [ 0294A30B302CA71A2C26E582DDA93486 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:06:29.0343 2604 ialm - ok
19:06:29.0421 2604 [ 6F95324909B502E2651442C1548AB12F ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
19:06:29.0421 2604 IDriverT - ok
19:06:29.0546 2604 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:06:29.0562 2604 idsvc - ok
19:06:29.0577 2604 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
19:06:29.0577 2604 Imapi - ok
19:06:29.0624 2604 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
19:06:29.0656 2604 ImapiService - ok
19:06:29.0671 2604 ini910u - ok
19:06:29.0796 2604 [ A30685283F90AE02F1CD50972C6065E3 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:06:29.0812 2604 IntcAzAudAddService - ok
19:06:29.0828 2604 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
19:06:29.0828 2604 IntelIde - ok
19:06:29.0859 2604 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:06:29.0859 2604 intelppm - ok
19:06:29.0874 2604 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
19:06:29.0874 2604 Ip6Fw - ok
19:06:29.0906 2604 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:06:29.0906 2604 IpFilterDriver - ok
19:06:29.0937 2604 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:06:29.0937 2604 IpInIp - ok
19:06:29.0968 2604 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:06:29.0984 2604 IpNat - ok
19:06:30.0046 2604 [ CA9D4B998BFF311A539604ED87318FA0 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
19:06:30.0078 2604 iPod Service - ok
19:06:30.0078 2604 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:06:30.0078 2604 IPSec - ok
19:06:30.0109 2604 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
19:06:30.0109 2604 IRENUM - ok
19:06:30.0140 2604 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:06:30.0140 2604 isapnp - ok
19:06:30.0249 2604 [ 0A5709543986843D37A92290B7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
19:06:30.0265 2604 JavaQuickStarterService - ok
19:06:30.0281 2604 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:06:30.0281 2604 Kbdclass - ok
19:06:30.0296 2604 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
19:06:30.0312 2604 kmixer - ok
19:06:30.0343 2604 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
19:06:30.0343 2604 KSecDD - ok
19:06:30.0375 2604 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
19:06:30.0375 2604 lanmanserver - ok
19:06:30.0437 2604 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
19:06:30.0437 2604 lanmanworkstation - ok
19:06:30.0453 2604 lbrtfdc - ok
19:06:30.0515 2604 [ 9BD7ADD61B031307DD075E5E6A917C4D ] LightScribeService c:\Program Files\Common Files\LightScribe\LSSrvc.exe
19:06:30.0515 2604 LightScribeService - ok
19:06:30.0546 2604 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
19:06:30.0546 2604 LmHosts - ok
19:06:30.0671 2604 [ BE074BAD48BE291FE0E8F518B10AF455 ] lxeaCATSCustConnectService C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe
19:06:30.0687 2604 lxeaCATSCustConnectService - ok
19:06:30.0687 2604 lxea_device - ok
19:06:30.0750 2604 [ 11F714F85530A2BD134074DC30E99FCA ] MDM C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
19:06:30.0781 2604 MDM - ok
19:06:30.0812 2604 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
19:06:30.0812 2604 Messenger - ok
19:06:30.0843 2604 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
19:06:30.0843 2604 mnmdd - ok
19:06:30.0890 2604 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
19:06:30.0906 2604 mnmsrvc - ok
19:06:30.0937 2604 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
19:06:30.0937 2604 Modem - ok
19:06:30.0953 2604 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:06:30.0953 2604 Mouclass - ok
19:06:30.0968 2604 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
19:06:30.0968 2604 MountMgr - ok
19:06:31.0015 2604 [ D993BEA500E7382DC4E760BF4F35EFCB ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
19:06:31.0015 2604 MpFilter - ok
19:06:31.0031 2604 mraid35x - ok
19:06:31.0031 2604 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:06:31.0047 2604 MRxDAV - ok
19:06:31.0093 2604 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:06:31.0109 2604 MRxSmb - ok
19:06:31.0156 2604 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
19:06:31.0156 2604 MSDTC - ok
19:06:31.0156 2604 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
19:06:31.0156 2604 Msfs - ok
19:06:31.0172 2604 MSIServer - ok
19:06:31.0187 2604 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:06:31.0187 2604 MSKSSRV - ok
19:06:31.0234 2604 [ 24516BF4E12A46CB67302E2CDCB8CDDF ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
19:06:31.0234 2604 MsMpSvc - ok
19:06:31.0250 2604 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:06:31.0250 2604 MSPCLOCK - ok
19:06:31.0265 2604 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
19:06:31.0265 2604 MSPQM - ok
19:06:31.0297 2604 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:06:31.0297 2604 mssmbios - ok
19:06:31.0328 2604 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
19:06:31.0328 2604 Mup - ok
19:06:31.0390 2604 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
19:06:31.0406 2604 napagent - ok
19:06:31.0453 2604 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
19:06:31.0468 2604 NDIS - ok
19:06:31.0515 2604 [ 064920813091F86E2CFD256434FE9DFD ] ndiscm C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
19:06:31.0515 2604 ndiscm - ok
19:06:31.0547 2604 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:06:31.0547 2604 NdisTapi - ok
19:06:31.0594 2604 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:06:31.0594 2604 Ndisuio - ok
19:06:31.0609 2604 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:06:31.0609 2604 NdisWan - ok
19:06:31.0640 2604 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
19:06:31.0656 2604 NDProxy - ok
19:06:31.0703 2604 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
19:06:31.0703 2604 NetBIOS - ok
19:06:31.0750 2604 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
19:06:31.0765 2604 NetBT - ok
19:06:31.0812 2604 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
19:06:31.0812 2604 NetDDE - ok
19:06:31.0812 2604 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
19:06:31.0828 2604 NetDDEdsdm - ok
19:06:31.0844 2604 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
19:06:31.0859 2604 Netlogon - ok
19:06:31.0875 2604 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
19:06:31.0890 2604 Netman - ok
19:06:31.0937 2604 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:06:31.0937 2604 NetTcpPortSharing - ok
19:06:32.0000 2604 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:06:32.0000 2604 NIC1394 - ok
19:06:32.0062 2604 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
19:06:32.0078 2604 Nla - ok
19:06:32.0125 2604 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
19:06:32.0125 2604 Npfs - ok
19:06:32.0141 2604 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
19:06:32.0172 2604 Ntfs - ok
19:06:32.0172 2604 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
19:06:32.0172 2604 NtLmSsp - ok
19:06:32.0219 2604 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
19:06:32.0250 2604 NtmsSvc - ok
19:06:32.0281 2604 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
19:06:32.0281 2604 Null - ok
19:06:32.0312 2604 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:06:32.0312 2604 NwlnkFlt - ok
19:06:32.0328 2604 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:06:32.0328 2604 NwlnkFwd - ok
19:06:32.0359 2604 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:06:32.0359 2604 ohci1394 - ok
19:06:32.0391 2604 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
19:06:32.0391 2604 Parport - ok
19:06:32.0406 2604 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
19:06:32.0406 2604 PartMgr - ok
19:06:32.0437 2604 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
19:06:32.0437 2604 ParVdm - ok
19:06:32.0453 2604 [ 505CBA425DF3BB230F244E1C23221058 ] PcdrNdisuio C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys
19:06:32.0484 2604 PcdrNdisuio - ok
19:06:32.0516 2604 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
19:06:32.0516 2604 PCI - ok
19:06:32.0516 2604 PCIDump - ok
19:06:32.0562 2604 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
19:06:32.0562 2604 PCIIde - ok
19:06:32.0594 2604 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
19:06:32.0594 2604 Pcmcia - ok
19:06:32.0594 2604 PDCOMP - ok
19:06:32.0609 2604 PDFRAME - ok
19:06:32.0609 2604 PDRELI - ok
19:06:32.0625 2604 PDRFRAME - ok
19:06:32.0625 2604 perc2 - ok
19:06:32.0641 2604 perc2hib - ok
19:06:32.0719 2604 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
19:06:32.0719 2604 PlugPlay - ok
19:06:32.0734 2604 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
19:06:32.0734 2604 PolicyAgent - ok
19:06:32.0781 2604 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:06:32.0781 2604 PptpMiniport - ok
19:06:32.0781 2604 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
19:06:32.0797 2604 ProtectedStorage - ok
19:06:32.0797 2604 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
19:06:32.0797 2604 PSched - ok
19:06:32.0813 2604 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:06:32.0813 2604 Ptilink - ok
19:06:32.0828 2604 [ 7C81AE3C9B82BA2DA437ED4D31BC56CF ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:06:32.0844 2604 PxHelp20 - ok
19:06:32.0859 2604 ql1080 - ok
19:06:32.0859 2604 Ql10wnt - ok
19:06:32.0875 2604 ql12160 - ok
19:06:32.0875 2604 ql1240 - ok
19:06:32.0891 2604 ql1280 - ok
19:06:32.0922 2604 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:06:32.0922 2604 RasAcd - ok
19:06:32.0969 2604 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
19:06:32.0984 2604 RasAuto - ok
19:06:33.0016 2604 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:06:33.0016 2604 Rasl2tp - ok
19:06:33.0063 2604 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
19:06:33.0078 2604 RasMan - ok
19:06:33.0078 2604 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:06:33.0078 2604 RasPppoe - ok
19:06:33.0094 2604 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
19:06:33.0094 2604 Raspti - ok
19:06:33.0109 2604 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:06:33.0109 2604 Rdbss - ok
19:06:33.0125 2604 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:06:33.0125 2604 RDPCDD - ok
19:06:33.0141 2604 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:06:33.0141 2604 rdpdr - ok
19:06:33.0203 2604 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
19:06:33.0203 2604 RDPWD - ok
19:06:33.0266 2604 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
19:06:33.0266 2604 RDSessMgr - ok
19:06:33.0328 2604 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
19:06:33.0328 2604 redbook - ok
19:06:33.0375 2604 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
19:06:33.0375 2604 RemoteAccess - ok
19:06:33.0422 2604 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
19:06:33.0422 2604 RemoteRegistry - ok
19:06:33.0469 2604 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
19:06:33.0469 2604 RpcLocator - ok
19:06:33.0500 2604 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
19:06:33.0516 2604 RpcSs - ok
19:06:33.0578 2604 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
19:06:33.0578 2604 RSVP - ok
19:06:33.0656 2604 [ 1A2A445E8968B2019E75E08F3A1344FC ] RTL8023xp C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
19:06:33.0656 2604 RTL8023xp - ok
19:06:33.0719 2604 [ D507C1400284176573224903819FFDA3 ] rtl8139 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:06:33.0719 2604 rtl8139 - ok
19:06:33.0750 2604 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
19:06:33.0750 2604 SamSs - ok
19:06:33.0781 2604 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
19:06:33.0797 2604 SCardSvr - ok
19:06:33.0860 2604 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
19:06:33.0860 2604 Schedule - ok
19:06:33.0907 2604 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:06:33.0907 2604 Secdrv - ok
19:06:33.0938 2604 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
19:06:33.0938 2604 seclogon - ok
19:06:33.0953 2604 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
19:06:33.0953 2604 SENS - ok
19:06:33.0969 2604 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
19:06:33.0969 2604 Serial - ok
19:06:33.0985 2604 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
19:06:33.0985 2604 Sfloppy - ok
19:06:34.0016 2604 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
19:06:34.0016 2604 ShellHWDetection - ok
19:06:34.0016 2604 Simbad - ok
19:06:34.0032 2604 Sparrow - ok
19:06:34.0047 2604 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
19:06:34.0047 2604 splitter - ok
19:06:34.0078 2604 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
19:06:34.0110 2604 Spooler - ok
19:06:34.0125 2604 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
19:06:34.0125 2604 sr - ok
19:06:34.0172 2604 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
19:06:34.0188 2604 srservice - ok
19:06:34.0219 2604 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
19:06:34.0250 2604 Srv - ok
19:06:34.0266 2604 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
19:06:34.0266 2604 SSDPSRV - ok
19:06:34.0297 2604 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
19:06:34.0313 2604 stisvc - ok
19:06:34.0391 2604 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
19:06:34.0391 2604 swenum - ok
19:06:34.0391 2604 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
19:06:34.0407 2604 swmidi - ok
19:06:34.0407 2604 SwPrv - ok
19:06:34.0422 2604 symc810 - ok
19:06:34.0438 2604 symc8xx - ok
19:06:34.0438 2604 sym_hi - ok
19:06:34.0453 2604 sym_u3 - ok
19:06:34.0469 2604 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
19:06:34.0469 2604 sysaudio - ok
19:06:34.0500 2604 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
19:06:34.0500 2604 SysmonLog - ok
19:06:34.0532 2604 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
19:06:34.0547 2604 TapiSrv - ok
19:06:34.0610 2604 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:06:34.0641 2604 Tcpip - ok
19:06:34.0672 2604 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
19:06:34.0672 2604 TDPIPE - ok
19:06:34.0688 2604 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
19:06:34.0688 2604 TDTCP - ok
19:06:34.0704 2604 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
19:06:34.0704 2604 TermDD - ok
19:06:34.0782 2604 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
19:06:34.0797 2604 TermService - ok
19:06:34.0813 2604 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
19:06:34.0813 2604 Themes - ok
19:06:34.0860 2604 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
19:06:34.0860 2604 TlntSvr - ok
19:06:34.0860 2604 TosIde - ok
19:06:34.0907 2604 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
19:06:34.0907 2604 TrkWks - ok
19:06:34.0938 2604 [ C11362058918CD38C8B8D3E265DA80F5 ] TrueSight C:\WINDOWS\system32\drivers\TrueSight.sys
19:06:34.0969 2604 TrueSight - ok
19:06:35.0000 2604 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
19:06:35.0000 2604 Udfs - ok
19:06:35.0016 2604 ultra - ok
19:06:35.0063 2604 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
19:06:35.0079 2604 Update - ok
19:06:35.0126 2604 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
19:06:35.0141 2604 upnphost - ok
19:06:35.0157 2604 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
19:06:35.0157 2604 UPS - ok
19:06:35.0188 2604 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:06:35.0188 2604 usbccgp - ok
19:06:35.0219 2604 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:06:35.0219 2604 usbehci - ok
19:06:35.0235 2604 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:06:35.0235 2604 usbhub - ok
19:06:35.0266 2604 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:06:35.0266 2604 usbprint - ok
19:06:35.0297 2604 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:06:35.0297 2604 usbscan - ok
19:06:35.0329 2604 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:06:35.0344 2604 USBSTOR - ok
19:06:35.0344 2604 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:06:35.0344 2604 usbuhci - ok
19:06:35.0360 2604 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
19:06:35.0360 2604 VgaSave - ok
19:06:35.0391 2604 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
19:06:35.0391 2604 ViaIde - ok
19:06:35.0422 2604 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
19:06:35.0422 2604 VolSnap - ok
19:06:35.0469 2604 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
19:06:35.0485 2604 VSS - ok
19:06:35.0516 2604 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
19:06:35.0532 2604 W32Time - ok
19:06:35.0547 2604 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:06:35.0547 2604 Wanarp - ok
19:06:35.0547 2604 WDICA - ok
19:06:35.0579 2604 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
19:06:35.0579 2604 wdmaud - ok
19:06:35.0626 2604 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
19:06:35.0626 2604 WebClient - ok
19:06:35.0766 2604 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
19:06:35.0813 2604 winmgmt - ok
19:06:35.0876 2604 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
19:06:35.0876 2604 WmdmPmSN - ok
19:06:35.0923 2604 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
19:06:35.0938 2604 Wmi - ok
19:06:35.0969 2604 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:06:35.0969 2604 WmiApSrv - ok
19:06:36.0048 2604 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
19:06:36.0079 2604 WMPNetworkSvc - ok
19:06:36.0126 2604 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:06:36.0126 2604 WudfPf - ok
19:06:36.0157 2604 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:06:36.0157 2604 WudfRd - ok
19:06:36.0188 2604 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
19:06:36.0188 2604 WudfSvc - ok
19:06:36.0235 2604 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
19:06:36.0251 2604 WZCSVC - ok
19:06:36.0313 2604 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
19:06:36.0313 2604 xmlprov - ok
19:06:36.0329 2604 ================ Scan global ===============================
19:06:36.0360 2604 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
19:06:36.0454 2604 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
19:06:36.0813 2604 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
19:06:36.0907 2604 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
19:06:36.0907 2604 [Global] - ok
19:06:36.0907 2604 ================ Scan MBR ==================================
19:06:36.0985 2604 [ 0AC6D996BCE152AED9600E6D6B797E2E ] \Device\Harddisk0\DR0
19:06:37.0157 2604 \Device\Harddisk0\DR0 - ok
19:06:37.0157 2604 ================ Scan VBR ==================================
19:06:37.0157 2604 [ 7778B3BFECAB06A8D5A6AB5949F65ED1 ] \Device\Harddisk0\DR0\Partition1
19:06:37.0157 2604 \Device\Harddisk0\DR0\Partition1 - ok
19:06:37.0173 2604 [ 38AA2534D22F30417E7919029EA27A67 ] \Device\Harddisk0\DR0\Partition2
19:06:37.0173 2604 \Device\Harddisk0\DR0\Partition2 - ok
19:06:37.0173 2604 ============================================================
19:06:37.0173 2604 Scan finished
19:06:37.0173 2604 ============================================================
19:06:37.0188 1500 Detected object count: 0
19:06:37.0188 1500 Actual detected object count: 0
19:07:22.0979 2512 Deinitialize success



No issues with aswMBR either:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-18 19:09:26
-----------------------------
19:09:26.396 OS Version: Windows 5.1.2600 Service Pack 3
19:09:26.412 Number of processors: 2 586 0x401
19:09:26.412 ComputerName: YOUR-81F40AF718 UserName:
19:09:29.303 Initialize success
19:11:23.390 AVAST engine defs: 12091400
19:11:37.986 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
19:11:37.986 Disk 0 Vendor: Maxtor_6L200M0 BANC1G10 Size: 190782MB BusType: 3
19:11:38.018 Disk 0 MBR read successfully
19:11:38.018 Disk 0 MBR scan
19:11:38.064 Disk 0 unknown MBR code
19:11:38.064 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 6142 MB offset 63
19:11:39.377 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 184629 MB offset 12579840
19:11:39.393 Disk 0 scanning sectors +390700800
19:11:39.471 Disk 0 scanning C:\WINDOWS\system32\drivers
19:11:59.897 Service scanning
19:12:18.276 Service MpKsl40b7b34b c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17849164-25B1-46FE-87C6-9FC094DD89DE}\MpKsl40b7b34b.sys **LOCKED** 32
19:12:46.516 Modules scanning
19:13:15.585 Disk 0 trace - called modules:
19:13:15.616 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
19:13:15.616 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d6cab8]
19:13:15.616 3 CLASSPNP.SYS[f7548fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x86d1cb00]
19:13:16.320 AVAST engine scan C:\WINDOWS
19:13:45.591 AVAST engine scan C:\WINDOWS\system32
19:18:25.760 AVAST engine scan C:\WINDOWS\system32\drivers
19:18:52.875 AVAST engine scan C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718
19:46:35.724 AVAST engine scan C:\Documents and Settings\All Users
19:48:26.224 Scan finished successfully
19:55:49.081 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\MBR.dat"
19:55:49.253 The log file has been saved successfully to "C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 September 2012 - 07:34 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 cyke68

cyke68
  • Topic Starter

  • Members
  • 18 posts

Posted 18 September 2012 - 07:58 PM

And here is the OldTimer log:


OTL logfile created on: 9/18/2012 8:48:42 PM - Run 1
OTL by OldTimer - Version 3.2.64.0 Folder = C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 530.12 Mb Available Physical Memory | 52.21% Memory free
2.39 Gb Paging File | 1.96 Gb Available in Paging File | 81.98% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 180.30 Gb Total Space | 155.20 Gb Free Space | 86.08% Space Free | Partition Type: NTFS
Drive D: | 5.99 Gb Total Space | 0.95 Gb Free Space | 15.93% Space Free | Partition Type: FAT32

Computer Name: YOUR-81F40AF718 | User Name: Compaq_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
PRC - C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
PRC - C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
PRC - C:\WINDOWS\system32\lxeacoms.exe ( )
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe (Hewlett-Packard)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll ()
MOD - C:\Program Files\Google\Quick Search Box\bin\1.2.1151.245\rlz.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
MOD - C:\Program Files\Lexmark S300-S400 Series\epwizres.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\lxeadrs.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\lxeascw.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\lxeadrpp.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\lxeadatr.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\iptk.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\epoemdll.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\epstring.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\epwizard.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\customui.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\epfunct.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\eputil.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\imagutil.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\lxeacaps.dll ()
MOD - C:\Program Files\Lexmark S300-S400 Series\lxeaptp.dll ()
MOD - C:\WINDOWS\system32\LXEAsmr.dll ()
MOD - C:\WINDOWS\system32\LXEAsm.dll ()
MOD - C:\Program Files\BackWeb\BackWeb Client\6.3.2.62\Program\bwfiles.dll ()
MOD - C:\Program Files\BackWeb\BackWeb Client\6.3.2.62\Program\FrExt.dll ()
MOD - C:\Program Files\BackWeb\BackWeb Client\6.3.2.62\Program\clntutil.dll ()
MOD - C:\Program Files\Compaq Connections\6750491\Program\frext-6750491.dll ()
MOD - C:\Program Files\Compaq Connections\6750491\Program\BWfiles-6750491.dll ()
MOD - C:\Program Files\Compaq Connections\6750491\Program\HPClientExt.dll ()


========== Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (lxea_device) -- C:\WINDOWS\system32\lxeacoms.exe ( )
SRV - (lxeaCATSCustConnectService) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe ()


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (TrueSight) -- C:\WINDOWS\system32\drivers\TrueSight.sys ()
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (PcdrNdisuio) -- C:\WINDOWS\system32\drivers\PcdrNdisuio.sys (Windows ® 2000 DDK provider)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows ® Server 2003 DDK provider)
DRV - (fasttx2k) -- C:\WINDOWS\system32\drivers\Fasttx2k.sys (Promise Technology, Inc.)
DRV - (ndiscm) -- C:\WINDOWS\system32\drivers\netmotcm.sys (Motorola Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\SearchScopes,DefaultScope = {CFE08BDE-AE2B-4ABF-A2DA-215A21F75A2F}
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\SearchScopes\{CFE08BDE-AE2B-4ABF-A2DA-215A21F75A2F}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GGLL_enUS336
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2027: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2088: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1040: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Application Data\Move Networks [2011/01/29 16:37:46 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [lxeamon.exe] C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3291263471-3854962766-3140342222-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} https://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab (20-20 3D Viewer)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} http://premium1.tds.net/files/tds/onlinescanner/fscax.cab (F-Secure Online Scanner 3.0)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AFD2B09C-3714-4274-91CF-D668373D0EA0}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/27 11:10:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 23:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/18 20:47:14 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\OTL.exe
[2012/09/18 19:09:17 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\aswMBR.exe
[2012/09/18 19:05:49 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\tdsskiller.exe
[2012/09/18 00:06:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\RK_Quarantine
[2012/09/16 18:28:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Start Menu\Programs\Administrative Tools
[2012/09/16 18:27:48 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\dds.com
[2012/09/16 10:00:01 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/09/16 09:52:50 | 010,288,512 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\mseinstall.exe
[2012/09/16 08:55:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/16 08:55:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/15 23:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/15 23:05:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/18 20:47:40 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2012/09/18 20:47:26 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\OTL.exe
[2012/09/18 20:45:29 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/18 20:45:07 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/18 20:45:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/18 20:45:02 | 1064,685,568 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/18 20:13:20 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/18 19:55:49 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\MBR.dat
[2012/09/18 19:53:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/09/18 19:45:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/18 19:09:26 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\aswMBR.exe
[2012/09/18 19:06:11 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\tdsskiller.exe
[2012/09/18 00:06:25 | 000,014,080 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/09/18 00:06:23 | 001,378,816 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\RogueKiller.exe
[2012/09/17 23:58:07 | 000,512,737 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\adwcleaner.exe
[2012/09/17 23:54:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\defogger_reenable
[2012/09/17 23:53:41 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Defogger.exe
[2012/09/16 18:32:40 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\of76toob.exe
[2012/09/16 18:28:04 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\dds.com
[2012/09/16 10:08:39 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/16 10:02:37 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/09/16 09:52:52 | 010,288,512 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\mseinstall.exe
[2012/09/15 22:47:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/09/06 10:09:35 | 000,557,559 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Western Reg Mo 9_5_12.JPG
[2012/09/06 10:08:02 | 000,578,874 | ---- | M] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Western 9_5_12 Termite Insp.JPG
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[15 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/18 19:55:49 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\MBR.dat
[2012/09/18 00:06:25 | 000,014,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/09/18 00:05:40 | 001,378,816 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\RogueKiller.exe
[2012/09/17 23:57:01 | 000,512,737 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\adwcleaner.exe
[2012/09/17 23:54:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\defogger_reenable
[2012/09/17 23:53:40 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Defogger.exe
[2012/09/16 18:32:35 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\of76toob.exe
[2012/09/16 10:11:06 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/16 10:01:09 | 000,001,706 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/09/06 10:09:35 | 000,557,559 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Western Reg Mo 9_5_12.JPG
[2012/09/06 10:08:02 | 000,578,874 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\Western 9_5_12 Termite Insp.JPG
[2012/05/14 21:49:04 | 000,219,032 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/02/14 21:05:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/09 14:01:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 19:46:52 | 000,000,850 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/11/19 17:05:13 | 000,000,159 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Local Settings\Application Data\fusioncache.dat
[2009/04/24 23:56:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Application Data\wklnhst.dat

========== ZeroAccess Check ==========

[2010/03/05 09:35:10 | 000,000,592 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Cookies\system@mcafee[2].txt
[2005/09/02 04:28:52 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

< End of report >

#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 19 September 2012 - 12:58 PM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    :OTL
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2010/03/05 09:35:10 | 000,000,592 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Cookies\system@mcafee[2].txt
    [2005/09/02 04:28:52 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini  
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing

Gringo
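The OTL log in post #7 and the fix script in post #8 follow a pattern worth automating: the helper picks out registry entries that point at files which no longer exist ("File not found"), ActiveX entries whose registration is broken ("Reg Error"), and leftovers from earlier cleanup tools. The script below is an added example, not part of this thread and not OTL's or the helper's own code. It reads OTL log lines in the format shown above and flags those classes of entry, plus two checks a practitioner wants on a machine where a rootkit was reported: that the Winlogon Shell/UserInit values and the .exe/.com open-command associations still have their default values. The sample lines are constructed from the posted log; the category names, the expected Winlogon values (32-bit XP defaults) and the file name are assumptions. Note that the orphaned O10 entries (Bonjour's mdnsNSP.dll, missing from disk) were not in the posted fix script; they are flagged separately here because a broken Winsock catalog can break connectivity and should be reviewed before any fix is applied.

```python
import re
from collections import Counter

# Constructed sample: lines copied in shape from the OTL log posted in this thread.
SAMPLE_OTL_LOG = r"""
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
DRV - (WDICA) -- File not found
DRV - (TrueSight) -- C:\WINDOWS\system32\drivers\TrueSight.sys ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
"""

# Known-good Winlogon values (assumption: default 32-bit XP install paths).
EXPECTED_WINLOGON = {
    "Shell": "explorer.exe",
    "UserInit": r"c:\windows\system32\userinit.exe",
}
# Default shell\open\command for .exe/.com: run the file itself, pass arguments through.
GOOD_OPEN_COMMAND = '"%1" %*'

# Only OTL entry lines are examined; section headers and file lists are skipped.
RE_PREFIX = re.compile(r"^(SRV|DRV|PRC|MOD|FF|IE|O\d+)\b")
# O20 - HKLM Winlogon: <Key> - (<registry value>) - <resolved path> (<company>)
RE_WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (Shell|UserInit) - \((.*?)\) - (.*?) \([^)]*\)$")
# O35/O37 - HKLM\..exefile [open] -- <command>   (also HKLM\...exe [@ = exefile])
RE_ASSOC = re.compile(r"^O3[57] - HKLM\\\.{2,3}(\S+) \[[^\]]+\] -- (.*)$")
# DRV - (<service>) -- <path> (<company>)
RE_DRV = re.compile(r"^DRV - \((\S+)\) -- (.*?) \((.*)\)$")


def classify(line):
    """Return a reason string for a line that deserves attention, else None."""
    if line.endswith("File not found"):
        # Registry still references a file that is gone. Winsock (O10) entries
        # are reported separately: a broken LSP chain can take networking down.
        return "orphan-lsp" if line.startswith("O10 ") else "orphan-file"
    if "(Reg Error:" in line:
        # Downloaded Program Files entry whose CLSID registration is broken.
        return "reg-error"
    m = RE_WINLOGON.match(line)
    if m:
        key, value = m.group(1), m.group(2).lower().rstrip(",")
        return None if value == EXPECTED_WINLOGON[key] else "winlogon-tamper"
    m = RE_ASSOC.match(line)
    if m:
        # Anything other than "%1" %* means every .exe/.com launch goes through
        # some other program first.
        return None if m.group(2) == GOOD_OPEN_COMMAND else "assoc-hijack"
    m = RE_DRV.match(line)
    if m and m.group(3).strip() == "":
        # Driver with no company name: not necessarily bad (cleanup tools ship
        # such drivers), but correlate with the "Created Within 30 Days" section.
        return "no-company-driver"
    return None


def triage(log_text):
    """Return [(reason, line), ...] for every OTL entry line that classify() flags."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not RE_PREFIX.match(line):
            continue
        reason = classify(line)
        if reason:
            flagged.append((reason, line))
    return flagged


def summarize(log_text):
    """Count flagged lines per reason, e.g. {'orphan-file': 4, ...}."""
    return dict(Counter(reason for reason, _ in triage(log_text)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OTL_LOG
    for reason, line in triage(text):
        print(f"{reason:18} {line}")
    print(summarize(text))
```

Run it with a saved OTL.txt as the only argument, or with no argument to see it work on the constructed sample. The Winlogon and association checks pass on the sample because the posted log shows default values; they exist to catch the case where they do not, which is exactly what a rootkit warning from GMER should make you verify by hand.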

#9 cyke68 (Topic Starter, Members, 18 posts)

Posted 19 September 2012 - 08:17 PM

I've run the script; results are as follows:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mcafee[2].txt moved successfully.
C:\WINDOWS\assembly\Desktop.ini moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Compaq_Administrator
->Java cache emptied: 9905850 bytes

User: Compaq_Administrator.YOUR-81F40AF718
->Java cache emptied: 12258413 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 21.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Compaq_Administrator
->Flash cache emptied: 348 bytes

User: Compaq_Administrator.YOUR-81F40AF718
->Flash cache emptied: 73771 bytes

User: Default User
->Flash cache emptied: 41620 bytes

User: LocalService
->Flash cache emptied: 13023 bytes

User: NetworkService
->Flash cache emptied: 6089 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.64.0 log created on 09192012_210310

EDIT: I just tried to manually update definitions for MS Security Essentials. It errored out (immediately). PC is otherwise behaving normally from what I have seen. Hmmm.

Edited by cyke68, 19 September 2012 - 08:47 PM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 September 2012 - 10:16 PM

Uninstall MSE and reinstall it, then see if it updates. Also check Windows Update.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#11 cyke68

cyke68
  • Topic Starter

  • Members
  • 18 posts

Posted 20 September 2012 - 05:59 PM

Hi, I was able to uninstall/reinstall MSE, but it again errored out at the stage of updating virus definitions. I also tried to check the firewall and received the message, "Due to an unidentified problem, Windows cannot display Windows Firewall settings." Also unable to manually retrieve updates from the Windows Update website...

#12 cyke68

cyke68
  • Topic Starter

  • Members
  • 18 posts

Posted 22 September 2012 - 05:54 PM

Update: MSE, Windows Firewall, and Windows Update are all now back up and running. Services impacting these programs had been disabled and needed to be reset. Everything seems to be running smoothly, but please advise if you'd like me to do anything else.
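The post above reports that the services behind MSE, Windows Firewall and Windows Update had been disabled and had to be reset by hand. The batch script below is an added example, not from this thread or from any tool used in it, that checks those services on Windows XP and restores the default start type of any that are disabled. The service names are assumptions based on XP defaults (SharedAccess = Windows Firewall/ICS, wuauserv = Automatic Updates, BITS = Background Intelligent Transfer, wscsvc = Security Center, MsMpSvc = Microsoft Antimalware); it is meant to be run from an administrator command prompt after the malware itself has been removed.

```batch
@echo off
REM Added example (not part of the thread): report the state of the XP services
REM that Windows Firewall, Windows Update and MSE depend on, and re-enable any
REM that a malware infection has set to DISABLED.
REM Service names are assumptions based on Windows XP defaults.
setlocal enabledelayedexpansion
set SERVICES=SharedAccess wuauserv BITS wscsvc MsMpSvc

for %%S in (%SERVICES%) do (
    echo === %%S ===

    REM BITS is "manual" (demand) by default on XP; the others are automatic.
    if /I "%%S"=="BITS" (set START=demand) else (set START=auto)

    REM "sc qc" prints a START_TYPE line: 2 AUTO_START, 3 DEMAND_START, 4 DISABLED.
    sc qc %%S | findstr /C:"START_TYPE" | findstr /C:"DISABLED" >nul
    if !errorlevel! equ 0 (
        echo   start type is DISABLED - resetting to !START!
        sc config %%S start= !START! >nul
    ) else (
        echo   start type is not disabled
    )

    REM "sc query" prints a STATE line containing RUNNING when the service is up.
    sc query %%S | findstr /C:"RUNNING" >nul
    if !errorlevel! neq 0 (
        echo   not running - starting
        net start %%S
    ) else (
        echo   running
    )
)
endlocal
```

A service that is still disabled after the reset, or that is re-disabled after a reboot, is a sign that the infection is not fully cleaned yet.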

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 September 2012 - 09:36 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#14 cyke68

cyke68
  • Topic Starter

  • Members
  • 18 posts

Posted 23 September 2012 - 11:48 AM

Thanks again. No problems running Combo Fix and everything is still running as expected. Here is the log:

ComboFix 12-09-23.02 - Compaq_Administrator 09/23/2012 12:18:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.588 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator.YOUR-81F40AF718\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\COMPAQ~1.YOU\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\SPL12.tmp
c:\documents and settings\All Users\SPL13.tmp
c:\documents and settings\All Users\SPL15.tmp
c:\documents and settings\All Users\SPL16.tmp
c:\documents and settings\All Users\SPL1C.tmp
c:\documents and settings\All Users\SPL23.tmp
c:\documents and settings\All Users\SPL2D.tmp
c:\documents and settings\All Users\SPL5.tmp
c:\documents and settings\All Users\SPL6.tmp
c:\documents and settings\All Users\SPL7.tmp
c:\documents and settings\All Users\SPL8.tmp
c:\documents and settings\All Users\SPLC.tmp
c:\documents and settings\All Users\SPLD.tmp
c:\documents and settings\All Users\SPLE.tmp
c:\documents and settings\All Users\SPLF.tmp
c:\documents and settings\Compaq_Administrator.YOUR-81F40AF718\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator.YOUR-81F40AF718\WINDOWS
c:\documents and settings\Compaq_Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
.
.
2012-09-22 22:13 . 2012-09-19 04:59 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0955CEED-54CD-462D-B398-07E67E64352C}\mpengine.dll
2012-09-22 18:38 . 2012-09-19 04:59 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-20 01:35 . 2012-09-20 01:36 -------- d-----w- C:\6e17a6660466be335ac596cf0c6842
2012-09-20 01:25 . 2012-09-20 01:25 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-20 01:03 . 2012-09-20 01:03 -------- d-----w- C:\_OTL
2012-09-18 04:06 . 2012-09-18 04:06 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-09-16 12:56 . 2012-09-16 12:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-20 22:53 . 2012-05-09 12:54 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 22:53 . 2011-06-27 13:14 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2004-08-04 12:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-02 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-05-05 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-01-18 139944]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-06-03 126976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-9-2 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-06-03 23:58 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-19 00:46 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
.
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 2:27 PM 135664]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [6/1/2010 5:16 PM 98984]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/9/2012 8:54 AM 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 2:27 PM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 22:53]
.
2012-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 18:27]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 18:27]
.
2012-09-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-23 12:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\lxeacoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-09-23 12:40:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-23 16:40
.
Pre-Run: 166,128,922,624 bytes free
Post-Run: 168,582,914,048 bytes free
.
- - End Of File - - 8B92A993879982675F44352775281253

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 September 2012 - 03:38 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo




