text enhance malware removal request


This topic is locked. 25 replies to this topic.

#1 jochemjspaan (Members, 23 posts)

Posted 18 September 2012 - 06:37 AM

Hello, and thanks in advance for your help.

My computer seems to be infected by some kind of malware that creates hyperlinks to ads by hyperlinking words on random sites. You think it is a link to e.g. extra information, while it brings you to an advertisement page that says: click to continue, by Text Enhance.

I followed the instructions in the preparation guide after trying to find a similar problem in the solve-it-yourself-at-home topic. The computer couldn't finish the DSS scan; it stops at three quarters of the scan and crashes, i.e. freezes. :mellow:

Thanks!

Here is the GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-18 13:13:09
Windows 5.1.2600 Service Pack 2
Running: tofj7v1j.exe; Driver: I:\DOCUME~1\JOCHEM~1\LOCALS~1\Temp\uxtdypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text I:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB97A9380, 0x566465, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text I:\Program Files\Spotify\spotify.exe[2108] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text I:\Program Files\Spotify\spotify.exe[2108] ntdll.dll!DbgUiRemoteBreakin 7C951E0B 5 Bytes JMP 7C9236F5 I:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 31, 00] {SUB [EAX], AL; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 31, 00] {SUB [EBX], AL; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 31, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 31, 00] {TEST AL, 0x1; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91071A
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 31, 00] {TEST AL, 0x2; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 31, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 31, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91078B
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 31, 00] {TEST AL, 0x0; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9108B9
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 31, 00] {SUB [ECX], AL; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 31, 00] {SUB [EDX], AL; XOR [EAX], EAX}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 31, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2408] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3392] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 1B, 00] {SUB [EAX], AL; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 1B, 00] {SUB [EBX], AL; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 1B, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 1B, 00] {TEST AL, 0x1; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F11A
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 1B, 00] {TEST AL, 0x2; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 1B, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 1B, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F18B
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 1B, 00] {TEST AL, 0x0; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F2B9
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 1B, 00] {SUB [ECX], AL; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 1B, 00] {SUB [EDX], AL; SBB EAX, [EAX]}
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 1B, 00]
.text I:\Documents and Settings\Jochem Spaan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Processes - GMER 1.0.15 ----

Library I:\Documents (*** hidden *** ) @ I:\Documents [3956] 0x00400000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
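An added example, not part of the original post and not GMER's own code, that parses the "User code sections" block above and decodes what the reported patches actually do. It assumes the 32-bit Windows XP ntdll syscall stub layout (mov eax, n; mov edx, 7FFE0300h; call [edx]; ret), which is what gives the +6 and +B offsets in the log their meaning: the four bytes at +6 replace the address loaded into edx, and the E2h at +B turns call [edx] into jmp edx, so every call through that stub is diverted to a per-process thunk. GMER's "CALL xxxxxxxx" lines are the same patch in cases where the thunk's low byte happens to be E8h, and the script inverts that disassembly to recover the thunk address. The sample lines are copied from the log with the Chrome install path shortened. One caveat when reading such logs: Chrome's sandbox installs hooks of exactly this shape in its own renderer processes, so these entries by themselves are not evidence of infection; the hidden process and the disk-sector warning further down are a separate question.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER "User code sections" above,
# with the long install paths shortened. Two Chrome processes, three hooked
# stubs, one line in GMER's CALL form, and one patch that is not a syscall stub.
SAMPLE_GMER = r"""
.text I:\Spotify\spotify.exe[2108] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 31, 00] {SUB [EAX], AL; XOR [EAX], EAX}
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 31, 00] {SUB [EBX], AL; XOR [EAX], EAX}
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91071A
.text I:\Chrome\chrome.exe[2408] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text I:\Chrome\chrome.exe[3392] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text I:\Chrome\chrome.exe[3392] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
"""

# One GMER user-code line. The "+ off" part is optional: whole-function
# patches such as DbgBreakPoint are reported without it.
LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\w+)"
    r"(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
BYTES_RE = re.compile(r"^\[([0-9A-Fa-f ,]+)\]")
CALL_RE = re.compile(r"^CALL\s+([0-9A-Fa-f]{8})")

# Assumed layout of a 32-bit Windows XP ntdll syscall stub; the offsets GMER
# reports (+6 and +B) only make sense against it:
#   +0  B8 xx xx xx xx   mov eax, <syscall number>
#   +5  BA 00 03 FE 7F   mov edx, 7FFE0300h   ; SharedUserData!SystemCallStub
#   +A  FF 12            call dword ptr [edx]
#   +C  C2 xx xx         ret n
# Overwriting the imm32 at +6 and turning byte +B from 12h into E2h rewrites
# the stub to "mov edx, <thunk>; jmp edx": every call is diverted to a thunk.
IMM_OFF, JMP_OFF = 0x6, 0xB


def thunk_from_call(patch_addr, call_target):
    """GMER shows the 4 patched bytes as 'CALL target' when the thunk's low
    byte happens to be E8h. Invert that disassembly: rel32 = target-(addr+5);
    its top byte is the untouched FFh of 'call [edx]', the low three bytes are
    thunk bits 8..31. Returns None if the bytes do not fit this layout."""
    rel = (call_target - (patch_addr + 5)) & 0xFFFFFFFF
    if rel >> 24 != 0xFF:
        return None
    return 0xE8 | ((rel & 0x00FFFFFF) << 8)


def analyze_gmer(text):
    """Map pid -> function -> {'thunk': int|None, 'jmp_edx': bool}; also return
    patches that are not part of the +6/+B stub pattern for manual review."""
    per_pid = defaultdict(lambda: defaultdict(lambda: {"thunk": None, "jmp_edx": False}))
    other = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, func, rest = int(m["pid"]), m["func"], m["rest"].strip()
        off = int(m["off"], 16) if m["off"] else None
        if off == IMM_OFF and m["count"] == "4":
            b, c = BYTES_RE.match(rest), CALL_RE.match(rest)
            if b:
                raw = bytes(int(x, 16) for x in b.group(1).split(","))
                per_pid[pid][func]["thunk"] = int.from_bytes(raw, "little")
            elif c:
                per_pid[pid][func]["thunk"] = thunk_from_call(int(m["addr"], 16), int(c.group(1), 16))
        elif off == JMP_OFF and rest.upper() == "[E2]":
            per_pid[pid][func]["jmp_edx"] = True
        elif off == IMM_OFF and m["count"] == "1":
            pass  # GMER's extra one-byte report of the same +6 patch
        else:
            other.append((pid, m["module"], func, off, rest))
    return per_pid, other


def summarize(per_pid):
    """Per process: which stubs are fully rewritten (both +6 and +B) and
    whether all thunks sit in one 64 KiB region, i.e. one thunk table."""
    out = {}
    for pid, funcs in per_pid.items():
        thunks = [v["thunk"] for v in funcs.values() if v["thunk"] is not None]
        out[pid] = {
            "confirmed": sorted(f for f, v in funcs.items() if v["thunk"] is not None and v["jmp_edx"]),
            "one_region": len({t >> 16 for t in thunks}) == 1,
            "thunks": {f: v["thunk"] for f, v in funcs.items()},
        }
    return out


PER_PID, OTHER = analyze_gmer(SAMPLE_GMER)

if __name__ == "__main__":
    for pid, info in summarize(PER_PID).items():
        print(pid, info["confirmed"], "one region:", info["one_region"])
        for f, t in info["thunks"].items():
            print(f"  {f:<24} -> {t:#010x}" if t is not None else f"  {f:<24} -> ?")
    for entry in OTHER:
        print("not a stub hook:", entry)
```

Run against the full log, every hooked stub in a given chrome.exe resolves to a thunk in the same 64 KiB region (0x0031xxxx for pid 2408, 0x0016xxxx for 3392, 0x001Bxxxx for 4020), spaced 0x40 bytes apart, which is what a single in-process interception table looks like; the Spotify DbgBreakPoint patch (C3h, a bare ret) is a different kind of entry and is listed separately.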


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 September 2012 - 01:33 AM

Greetings and welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive, it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, an external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into Notepad and print them in case it is necessary for you to go offline during the cleanup process. To open Notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.

AdwCleaner:

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[S1].txt as well.

RogueKiller:

  • Download RogueKiller and save it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until the Prescan has finished...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad window into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/close RogueKiller.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 jochemjspaan (Topic Starter, Members, 23 posts)

Posted 19 September 2012 - 07:44 AM

Hey Gringo! Thanks for taking the time.

Ran DeFogger.

Ran AdwCleaner, but it did not finish the scan; got this: Line 2056 (File "I:\Documents and settings\jochem spaan\bureaublad\adwcleaner.exe"): AutoIt error: Variable used without being declared.

Ran RogueKiller; this is the log.


RogueKiller V8.0.4 [09/19/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Jochem Spaan [Admin rights]
Mode : Scan -- Date : 09/19/2012 14:32:20

Bad processes : 0

Registry Entries : 3
[RUN][SUSP PATH] HKCU\[...]\Run : (I:\DOCUME~1\JOCHEM~1\LOCALS~1\Temp\ptqlhchbya.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2025429265-602162358-725345543-1003[...]\Run : (I:\DOCUME~1\JOCHEM~1\LOCALS~1\Temp\ptqlhchbya.exe) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [LOADED]

Infection :

HOSTS File:
--> I:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Hitachi HDS721010CLA332 +++++
--- User ---
[MBR] ffb1e44cc0a20424f89313a02be4047d
[BSP] e0991c43a211fffa165b5500c3b62d7b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
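The two [RUN][SUSP PATH] hits in the RogueKiller log above are flagged on one criterion: an autorun whose image sits in the user's Temp directory. What follows is an added example, not RogueKiller's code and not part of the original post, that applies that check plus a second, random-looking-name heuristic to Run-key commands. The sample entries are constructed from the two paths in the log plus two made-up benign entries for contrast; the log does not show the Run value names, so entries are modelled as (key, command) pairs. On Windows, read_run_keys() pulls the live HKCU and HKLM Run values through winreg; anywhere else the script runs over the constructed sample.

```python
import re
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the two Run entries RogueKiller flagged above, plus two
# hypothetical benign entries (made-up paths and arguments) for contrast.
SAMPLE_RUN = [
    ("HKCU\\" + RUN_SUBKEY, r"I:\DOCUME~1\JOCHEM~1\LOCALS~1\Temp\ptqlhchbya.exe"),
    ("HKU\\S-1-5-21-2025429265-602162358-725345543-1003\\" + RUN_SUBKEY,
     r"I:\DOCUME~1\JOCHEM~1\LOCALS~1\Temp\ptqlhchbya.exe"),
    ("HKLM\\" + RUN_SUBKEY, r'"I:\Program Files\Spotify\spotify.exe" /uri spotify:autostart'),
    ("HKLM\\" + RUN_SUBKEY, r"I:\WINDOWS\system32\ctfmon.exe"),
]

# A Temp directory component anywhere in the path, or an unexpanded %TEMP%.
TEMP_RE = re.compile(r"(^|[\\/])(temp|tmp)([\\/]|$)|%temp%|%tmp%", re.I)
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|dll))(?:\s|$)", re.I)
VOWELS = set("aeiouy")


def image_path(command):
    """Extract the executable from a Run value: a quoted path, or the first
    token up to a known executable extension (arguments are dropped)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def in_temp(path):
    return bool(TEMP_RE.search(path))


def looks_random(stem):
    """Crude pronounceability test: a long run without vowels, or almost no
    vowels at all, in a name of 8+ letters. Tuned so that real service names
    such as mdnsresponder pass while ptqlhchbya does not."""
    s = re.sub(r"[^a-z]", "", stem.lower())
    if len(s) < 8:
        return False
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(ch in VOWELS for ch in s) / len(s)
    return longest >= 6 or vowel_ratio < 0.2


def triage(entries):
    """entries: iterable of (registry key, command). Returns one finding per
    entry with the reasons it was flagged (empty list = nothing suspicious)."""
    findings = []
    for key, command in entries:
        image = image_path(command)
        name = re.split(r"[\\/]", image)[-1]
        stem = re.sub(r"\.[^.]+$", "", name)
        reasons = []
        if in_temp(image):
            reasons.append("temp-path")
        if looks_random(stem):
            reasons.append("random-name")
        findings.append({"key": key, "image": image, "reasons": reasons})
    return findings


def read_run_keys():
    """Windows only: collect (key, command) pairs from HKCU and HKLM Run."""
    import winreg
    roots = [("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)]
    entries = []
    for label, root in roots:
        try:
            with winreg.OpenKey(root, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        _name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append((label + "\\" + RUN_SUBKEY, str(data)))
                    index += 1
        except OSError:
            pass
    return entries


if __name__ == "__main__":
    entries = read_run_keys() if sys.platform == "win32" else SAMPLE_RUN
    for f in triage(entries):
        flag = ", ".join(f["reasons"]) or "ok"
        print(f"[{flag}] {f['key']} -> {f['image']}")
```

Neither heuristic is proof on its own: installers do drop legitimate helpers into Temp, and the name test is deliberately loose. The point is the same one RogueKiller's label makes: an autorun living under the user's Temp directory is worth a look, and a name with no pronounceable structure makes it more so.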

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 September 2012 - 12:41 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

aswMBR:

  • Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 jochemjspaan (Topic Starter, Members, 23 posts)

Posted 19 September 2012 - 11:53 PM

Hey Gringo,

I ran both scans; here are the logs:

TDSSKiller:


06:41:49.0250 1120 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
06:41:49.0375 1120 ============================================================
06:41:49.0375 1120 Current date / time: 2012/09/20 06:41:49.0375
06:41:49.0375 1120 SystemInfo:
06:41:49.0375 1120
06:41:49.0375 1120 OS Version: 5.1.2600 ServicePack: 2.0
06:41:49.0375 1120 Product type: Workstation
06:41:49.0375 1120 ComputerName: MARIA
06:41:49.0375 1120 UserName: Jochem Spaan
06:41:49.0375 1120 Windows directory: I:\WINDOWS
06:41:49.0375 1120 System windows directory: I:\WINDOWS
06:41:49.0375 1120 Processor architecture: Intel x86
06:41:49.0375 1120 Number of processors: 2
06:41:49.0375 1120 Page size: 0x1000
06:41:49.0375 1120 Boot type: Normal boot
06:41:49.0375 1120 ============================================================
06:41:50.0765 1120 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
06:41:50.0796 1120 ============================================================
06:41:50.0796 1120 \Device\Harddisk0\DR0:
06:41:50.0796 1120 MBR partitions:
06:41:50.0796 1120 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74701AC1
06:41:50.0796 1120 ============================================================
06:41:50.0812 1120 I: <-> \Device\Harddisk0\DR0\Partition1
06:41:50.0812 1120 ============================================================
06:41:50.0812 1120 Initialize success
06:41:50.0812 1120 ============================================================
06:41:53.0734 3908 ============================================================
06:41:53.0734 3908 Scan started
06:41:53.0734 3908 Mode: Manual;
06:41:53.0734 3908 ============================================================
06:41:54.0718 3908 ================ Scan system memory ========================
06:41:54.0718 3908 System memory - ok
06:41:54.0718 3908 ================ Scan services =============================
06:41:54.0796 3908 !SASCORE - ok
06:41:54.0906 3908 [ F7EABCA8375EA2DC6F35C4BCA4757515 ] A2DDA I:\Documents and Settings\Administrator\Bureaublad\antivirus\Run\a2ddax86.sys
06:41:54.0906 3908 A2DDA - ok
06:41:54.0968 3908 Abiosdsk - ok
06:41:54.0984 3908 abp480n5 - ok
06:41:55.0000 3908 [ 12139C5B5D7366E54EF3029C65B8CA97 ] ACPI I:\WINDOWS\system32\DRIVERS\ACPI.sys
06:41:55.0000 3908 ACPI - ok
06:41:55.0046 3908 [ 63F517B1A87DABF3F5ACB8A7952FC1D1 ] ACPIEC I:\WINDOWS\system32\drivers\ACPIEC.sys
06:41:55.0046 3908 ACPIEC - ok
06:41:55.0078 3908 [ 8B46D5A1D3EF08232C04D0EAFB871FB2 ] Adobe LM Service I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
06:41:55.0078 3908 Adobe LM Service - ok
06:41:55.0093 3908 adpu160m - ok
06:41:55.0125 3908 [ 841F385C6CFAF66B58FBD898722BB4F0 ] aec I:\WINDOWS\system32\drivers\aec.sys
06:41:55.0125 3908 aec - ok
06:41:55.0171 3908 [ 55E6E1C51B6D30E54335750955453702 ] AFD I:\WINDOWS\System32\drivers\afd.sys
06:41:55.0171 3908 AFD - ok
06:41:55.0171 3908 Aha154x - ok
06:41:55.0187 3908 aic78u2 - ok
06:41:55.0187 3908 aic78xx - ok
06:41:55.0218 3908 [ C5EA8FACBEDBB459C93288B484A59379 ] Alerter I:\WINDOWS\system32\alrsvc.dll
06:41:55.0218 3908 Alerter - ok
06:41:55.0234 3908 [ 15CFF49392F765356EBBF05D87FFB6B2 ] ALG I:\WINDOWS\System32\alg.exe
06:41:55.0234 3908 ALG - ok
06:41:55.0250 3908 AliIde - ok
06:41:55.0296 3908 [ 267FC636801EDC5AB28E14036349E3BE ] Ambfilt I:\WINDOWS\system32\drivers\Ambfilt.sys
06:41:55.0312 3908 Ambfilt - ok
06:41:55.0312 3908 amsint - ok
06:41:55.0390 3908 [ F401929EE0CC92BFE7F15161CA535383 ] Apple Mobile Device I:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
06:41:55.0390 3908 Apple Mobile Device - ok
06:41:55.0390 3908 [ CC888653E0DEC81B525B956C77960F88 ] AppMgmt I:\WINDOWS\System32\appmgmts.dll
06:41:55.0390 3908 AppMgmt - ok
06:41:55.0406 3908 [ F0D692B0BFFB46E30EB3CEA168BBC49F ] Arp1394 I:\WINDOWS\system32\DRIVERS\arp1394.sys
06:41:55.0406 3908 Arp1394 - ok
06:41:55.0406 3908 asc - ok
06:41:55.0421 3908 asc3350p - ok
06:41:55.0421 3908 asc3550 - ok
06:41:55.0437 3908 [ 02000ABF34AF4C218C35D257024807D6 ] AsyncMac I:\WINDOWS\system32\DRIVERS\asyncmac.sys
06:41:55.0437 3908 AsyncMac - ok
06:41:55.0468 3908 [ CDFE4411A69C224BD1D11B2DA92DAC51 ] atapi I:\WINDOWS\system32\DRIVERS\atapi.sys
06:41:55.0468 3908 atapi - ok
06:41:55.0468 3908 Atdisk - ok
06:41:55.0484 3908 [ EC88DA854AB7D7752EC8BE11A741BB7F ] Atmarpc I:\WINDOWS\system32\DRIVERS\atmarpc.sys
06:41:55.0484 3908 Atmarpc - ok
06:41:55.0531 3908 [ D2AA479B238FF4CD0A5AA26AFC1CBE8C ] AudioSrv I:\WINDOWS\System32\audiosrv.dll
06:41:55.0531 3908 AudioSrv - ok
06:41:55.0578 3908 [ D9F724AA26C010A217C97606B160ED68 ] audstub I:\WINDOWS\system32\DRIVERS\audstub.sys
06:41:55.0578 3908 audstub - ok
06:41:55.0609 3908 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep I:\WINDOWS\system32\drivers\Beep.sys
06:41:55.0609 3908 Beep - ok
06:41:55.0656 3908 [ 772027CC5FFAEA3E7D10AF2691EE7095 ] BITS I:\WINDOWS\system32\qmgr.dll
06:41:55.0687 3908 BITS - ok
06:41:55.0734 3908 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service I:\Program Files\Bonjour\mDNSResponder.exe
06:41:55.0734 3908 Bonjour Service - ok
06:41:55.0796 3908 [ 195B1255D9383AEFFBDFA8A11AE4D282 ] Browser I:\WINDOWS\System32\browser.dll
06:41:55.0796 3908 Browser - ok
06:41:55.0796 3908 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k I:\WINDOWS\system32\drivers\cbidf2k.sys
06:41:55.0796 3908 cbidf2k - ok
06:41:55.0812 3908 cd20xrnt - ok
06:41:55.0828 3908 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio I:\WINDOWS\system32\drivers\Cdaudio.sys
06:41:55.0828 3908 Cdaudio - ok
06:41:55.0875 3908 [ CD7D5152DF32B47F4E36F710B35AAE02 ] Cdfs I:\WINDOWS\system32\drivers\Cdfs.sys
06:41:55.0875 3908 Cdfs - ok
06:41:55.0890 3908 [ AF9C19B3100FE010496B1A27181FBF72 ] Cdrom I:\WINDOWS\system32\DRIVERS\cdrom.sys
06:41:55.0890 3908 Cdrom - ok
06:41:55.0890 3908 Changer - ok
06:41:55.0906 3908 [ 81700207389CBE1911A5EAEE9FC812CE ] CiSvc I:\WINDOWS\system32\cisvc.exe
06:41:55.0906 3908 CiSvc - ok
06:41:55.0921 3908 [ 64D5673C075DD40E2F55387EE9B0CAD7 ] ClipSrv I:\WINDOWS\system32\clipsrv.exe
06:41:55.0921 3908 ClipSrv - ok
06:41:55.0937 3908 CmdIde - ok
06:41:55.0937 3908 COMSysApp - ok
06:41:55.0953 3908 Cpqarray - ok
06:41:55.0968 3908 [ 5F321535D399516B6D780FF9EF8D8B7A ] CryptSvc I:\WINDOWS\System32\cryptsvc.dll
06:41:55.0968 3908 CryptSvc - ok
06:41:56.0015 3908 [ B5ECADF7708960F1818C7FA015F4C239 ] CVirtA I:\WINDOWS\system32\DRIVERS\CVirtA.sys
06:41:56.0015 3908 CVirtA - ok
06:41:56.0125 3908 [ 66257CB4E4FB69887CDDC71663741435 ] CVPND I:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
06:41:56.0125 3908 CVPND - ok
06:41:56.0140 3908 [ 18994842386FD3039279D7865740ABBD ] CVPNDRVA I:\WINDOWS\system32\Drivers\CVPNDRVA.sys
06:41:56.0156 3908 CVPNDRVA - ok
06:41:56.0156 3908 dac2w2k - ok
06:41:56.0156 3908 dac960nt - ok
06:41:56.0203 3908 [ 75A47F738E7DB78000A55D743BDEE275 ] DcomLaunch I:\WINDOWS\system32\rpcss.dll
06:41:56.0218 3908 DcomLaunch - ok
06:41:56.0218 3908 [ D9B43E85B246711585844A43FB50FFD8 ] Dhcp I:\WINDOWS\System32\dhcpcsvc.dll
06:41:56.0234 3908 Dhcp - ok
06:41:56.0281 3908 [ 00CA44E4534865F8A3B64F7C0984BFF0 ] Disk I:\WINDOWS\system32\DRIVERS\disk.sys
06:41:56.0281 3908 Disk - ok
06:41:56.0281 3908 dmadmin - ok
06:41:56.0328 3908 [ D9542B70560CDA5C4F5E62B1EED412CD ] dmboot I:\WINDOWS\system32\drivers\dmboot.sys
06:41:56.0328 3908 dmboot - ok
06:41:56.0343 3908 [ B5F7AC6BB9445E9C59E0686FE52A47E8 ] dmio I:\WINDOWS\system32\drivers\dmio.sys
06:41:56.0343 3908 dmio - ok
06:41:56.0343 3908 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload I:\WINDOWS\system32\drivers\dmload.sys
06:41:56.0343 3908 dmload - ok
06:41:56.0359 3908 [ DA7063647C9260E4CBEB6BDB648603BE ] dmserver I:\WINDOWS\System32\dmserver.dll
06:41:56.0359 3908 dmserver - ok
06:41:56.0390 3908 [ A6F881284AC1150E37D9AE47FF601267 ] DMusic I:\WINDOWS\system32\drivers\DMusic.sys
06:41:56.0390 3908 DMusic - ok
06:41:56.0437 3908 [ B5AA5AA5AC327BD7C1AEC0C58F0C1144 ] DNE I:\WINDOWS\system32\DRIVERS\dne2000.sys
06:41:56.0437 3908 DNE - ok
06:41:56.0437 3908 [ 57084F6EB6EC1951AA9B5B2B5EEB8E8B ] Dnscache I:\WINDOWS\System32\dnsrslvr.dll
06:41:56.0437 3908 Dnscache - ok
06:41:56.0453 3908 dpti2o - ok
06:41:56.0453 3908 [ 1ED4DBBAE9F5D558DBBA4CC450E3EB2E ] drmkaud I:\WINDOWS\system32\drivers\drmkaud.sys
06:41:56.0453 3908 drmkaud - ok
06:41:56.0484 3908 [ 30E8AFFED744EC4C79B4961F5FE10134 ] e.dentifier2 I:\WINDOWS\system32\DRIVERS\aabed2.sys
06:41:56.0484 3908 e.dentifier2 - ok
06:41:56.0515 3908 [ EC0F2B78C2E10F3B2A4A83022AF03030 ] ERSvc I:\WINDOWS\System32\ersvc.dll
06:41:56.0515 3908 ERSvc - ok
06:41:56.0562 3908 [ 1A00FCECA4E29A6B4B33A9D0B3E7CBA0 ] Eventlog I:\WINDOWS\system32\services.exe
06:41:56.0562 3908 Eventlog - ok
06:41:56.0593 3908 [ 68180553F674B487BE777CFD6BE70726 ] EventSystem I:\WINDOWS\system32\es.dll
06:41:56.0593 3908 EventSystem - ok
06:41:56.0625 3908 [ 3117F595E9615E04F05A54FC15A03B20 ] Fastfat I:\WINDOWS\system32\drivers\Fastfat.sys
06:41:56.0625 3908 Fastfat - ok
06:41:56.0625 3908 [ 394FD6CE1AC84BB318B806A6F8D90F66 ] FastUserSwitchingCompatibility I:\WINDOWS\System32\shsvcs.dll
06:41:56.0625 3908 FastUserSwitchingCompatibility - ok
06:41:56.0656 3908 [ CED2E8396A8838E59D8FD529C680E02C ] Fdc I:\WINDOWS\system32\drivers\Fdc.sys
06:41:56.0656 3908 Fdc - ok
06:41:56.0671 3908 [ DAC8CAB287A959C2F717D3748177374B ] Fips I:\WINDOWS\system32\drivers\Fips.sys
06:41:56.0671 3908 Fips - ok
06:41:56.0671 3908 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk I:\WINDOWS\system32\drivers\Flpydisk.sys
06:41:56.0671 3908 Flpydisk - ok
06:41:56.0703 3908 [ 157754F0DF355A9E0A6F54721914F9C6 ] FltMgr I:\WINDOWS\system32\DRIVERS\fltMgr.sys
06:41:56.0718 3908 FltMgr - ok
06:41:56.0796 3908 [ 7DFF82ACDAB23414ABC2A95FEF8982F8 ] ForceWare Intelligent Application Manager (IAM) I:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
06:41:56.0812 3908 ForceWare Intelligent Application Manager (IAM) - ok
06:41:56.0812 3908 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec I:\WINDOWS\system32\drivers\Fs_Rec.sys
06:41:56.0812 3908 Fs_Rec - ok
06:41:56.0828 3908 [ FA8CA22E70245C81FF29C36AF56292FC ] Ftdisk I:\WINDOWS\system32\DRIVERS\ftdisk.sys
06:41:56.0828 3908 Ftdisk - ok
06:41:56.0859 3908 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM I:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
06:41:56.0859 3908 GEARAspiWDM - ok
06:41:56.0906 3908 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc I:\WINDOWS\system32\DRIVERS\msgpc.sys
06:41:56.0906 3908 Gpc - ok
06:41:56.0968 3908 [ F02A533F517EB38333CB12A9E8963773 ] gupdate I:\Program Files\Google\Update\GoogleUpdate.exe
06:41:56.0984 3908 gupdate - ok
06:41:56.0984 3908 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem I:\Program Files\Google\Update\GoogleUpdate.exe
06:41:56.0984 3908 gupdatem - ok
06:41:57.0000 3908 [ 3FCC124B6E08EE0E9351F717DD136939 ] HDAudBus I:\WINDOWS\system32\DRIVERS\HDAudBus.sys
06:41:57.0000 3908 HDAudBus - ok
06:41:57.0031 3908 [ 3F658987C756ABFA3384BC830F6C4E21 ] helpsvc I:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
06:41:57.0031 3908 helpsvc - ok
06:41:57.0062 3908 [ 229574A46459152C9C20942AC5172335 ] HidServ I:\WINDOWS\System32\hidserv.dll
06:41:57.0062 3908 HidServ - ok
06:41:57.0093 3908 [ 1DE6783B918F540149AA69943BDFEBA8 ] hidusb I:\WINDOWS\system32\DRIVERS\hidusb.sys
06:41:57.0093 3908 hidusb - ok
06:41:57.0093 3908 hpn - ok
06:41:57.0140 3908 [ 9F8B0F4276F618964FD118BE4289B7CD ] HTTP I:\WINDOWS\system32\Drivers\HTTP.sys
06:41:57.0140 3908 HTTP - ok
06:41:57.0187 3908 [ 930A625A3CE2CCBF309CCF02C1F7053D ] HTTPFilter I:\WINDOWS\System32\w3ssl.dll
06:41:57.0187 3908 HTTPFilter - ok
06:41:57.0187 3908 i2omgmt - ok
06:41:57.0203 3908 i2omp - ok
06:41:57.0203 3908 [ F8AA320C6A0409C0380E5D8A99D76EC6 ] Imapi I:\WINDOWS\system32\DRIVERS\imapi.sys
06:41:57.0203 3908 Imapi - ok
06:41:57.0250 3908 [ F85149AA4AFEA9200484715CF15F568D ] ImapiService I:\WINDOWS\system32\imapi.exe
06:41:57.0250 3908 ImapiService - ok
06:41:57.0250 3908 ini910u - ok
06:41:57.0390 3908 [ 4716F7EE8FB7FD02596ECE1EC70AFF53 ] IntcAzAudAddService I:\WINDOWS\system32\drivers\RtkHDAud.sys
06:41:57.0421 3908 IntcAzAudAddService - ok
06:41:57.0437 3908 IntelIde - ok
06:41:57.0484 3908 [ 17F6AE3CB6B478C6054E2E894A6D89BF ] intelppm I:\WINDOWS\system32\DRIVERS\intelppm.sys
06:41:57.0484 3908 intelppm - ok
06:41:57.0515 3908 [ 4448006B6BC60E6C027932CFC38D6855 ] Ip6Fw I:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
06:41:57.0515 3908 Ip6Fw - ok
06:41:57.0546 3908 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver I:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
06:41:57.0546 3908 IpFilterDriver - ok
06:41:57.0578 3908 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp I:\WINDOWS\system32\DRIVERS\ipinip.sys
06:41:57.0578 3908 IpInIp - ok
06:41:57.0578 3908 [ B5A8E215AC29D24D60B4D1250EF05ACE ] IpNat I:\WINDOWS\system32\DRIVERS\ipnat.sys
06:41:57.0578 3908 IpNat - ok
06:41:57.0656 3908 [ E6BE7A41A28D8F2DB174957454D32448 ] iPod Service I:\Program Files\iPod\bin\iPodService.exe
06:41:57.0656 3908 iPod Service - ok
06:41:57.0656 3908 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec I:\WINDOWS\system32\DRIVERS\ipsec.sys
06:41:57.0656 3908 IPSec - ok
06:41:57.0703 3908 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM I:\WINDOWS\system32\DRIVERS\irenum.sys
06:41:57.0703 3908 IRENUM - ok
06:41:57.0718 3908 [ FD298AD13ACB19FC43B627ACA0806231 ] isapnp I:\WINDOWS\system32\DRIVERS\isapnp.sys
06:41:57.0718 3908 isapnp - ok
06:41:57.0750 3908 [ 59549E9180CE29D832289E1A1D9E3C60 ] Kbdclass I:\WINDOWS\system32\DRIVERS\kbdclass.sys
06:41:57.0765 3908 Kbdclass - ok
06:41:57.0765 3908 [ 6B97674104B15A2DD135F7B365223194 ] kbdhid I:\WINDOWS\system32\DRIVERS\kbdhid.sys
06:41:57.0765 3908 kbdhid - ok
06:41:57.0781 3908 [ D93CAD07C5683DB066B0B2D2D3790EAD ] kmixer I:\WINDOWS\system32\drivers\kmixer.sys
06:41:57.0781 3908 kmixer - ok
06:41:57.0796 3908 [ 674D3E5A593475915DC6643317192403 ] KSecDD I:\WINDOWS\system32\drivers\KSecDD.sys
06:41:57.0796 3908 KSecDD - ok
06:41:57.0828 3908 [ 95F1D37DE9AA1432968F7266BC853F4F ] lanmanserver I:\WINDOWS\System32\srvsvc.dll
06:41:57.0828 3908 lanmanserver - ok
06:41:57.0875 3908 [ C576F64B07A277B0DCA0185DB75098AD ] lanmanworkstation I:\WINDOWS\System32\wkssvc.dll
06:41:57.0875 3908 lanmanworkstation - ok
06:41:57.0890 3908 lbrtfdc - ok
06:41:57.0937 3908 [ A3A959D256C4BC662F6A29C4809CD583 ] LmHosts I:\WINDOWS\System32\lmhsvc.dll
06:41:57.0937 3908 LmHosts - ok
06:41:57.0984 3908 [ 4F74184920B2D6E33024409B4C5C57C1 ] McciCMService I:\Program Files\Common Files\Motive\McciCMService.exe
06:41:57.0984 3908 McciCMService - ok
06:41:58.0000 3908 [ 1405B1431F51CAB25FE9B2ECF13CB198 ] Messenger I:\WINDOWS\System32\msgsvc.dll
06:41:58.0000 3908 Messenger - ok
06:41:58.0031 3908 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd I:\WINDOWS\system32\drivers\mnmdd.sys
06:41:58.0031 3908 mnmdd - ok
06:41:58.0062 3908 [ 8CA3298EE96D6B75F28C991518DC2DD9 ] mnmsrvc I:\WINDOWS\system32\mnmsrvc.exe
06:41:58.0062 3908 mnmsrvc - ok
06:41:58.0062 3908 [ 7151BE7FE5BD6671BF8AB745C419A42E ] Modem I:\WINDOWS\system32\drivers\Modem.sys
06:41:58.0062 3908 Modem - ok
06:41:58.0109 3908 [ C7D9F9717916B34C1B00DD4834AF485C ] Monfilt I:\WINDOWS\system32\drivers\Monfilt.sys
06:41:58.0125 3908 Monfilt - ok
06:41:58.0125 3908 [ 0FF36CA1AC0B7D2E46C291D30B516DF1 ] Mouclass I:\WINDOWS\system32\DRIVERS\mouclass.sys
06:41:58.0125 3908 Mouclass - ok
06:41:58.0140 3908 [ 18017899254E01371E1A39754D6BF98C ] mouhid I:\WINDOWS\system32\DRIVERS\mouhid.sys
06:41:58.0140 3908 mouhid - ok
06:41:58.0156 3908 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr I:\WINDOWS\system32\drivers\MountMgr.sys
06:41:58.0156 3908 MountMgr - ok
06:41:58.0156 3908 mraid35x - ok
06:41:58.0171 3908 [ 9BD4DCB5412921864A7AACDEDFBD1923 ] MREMP50 I:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
06:41:58.0171 3908 MREMP50 - ok
06:41:58.0171 3908 MREMP50a64 - ok
06:41:58.0171 3908 MREMPR5 - ok
06:41:58.0187 3908 MRENDIS5 - ok
06:41:58.0203 3908 [ 07C02C892E8E1A72D6BF35004F0E9C5E ] MRESP50 I:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
06:41:58.0203 3908 MRESP50 - ok
06:41:58.0203 3908 MRESP50a64 - ok
06:41:58.0218 3908 [ 46EDCC8F2DB2F322C24F48785CB46366 ] MRxDAV I:\WINDOWS\system32\DRIVERS\mrxdav.sys
06:41:58.0218 3908 MRxDAV - ok
06:41:58.0234 3908 [ FB6C89BB3CE282B08BDB1E3C179E1C39 ] MRxSmb I:\WINDOWS\system32\DRIVERS\mrxsmb.sys
06:41:58.0234 3908 MRxSmb - ok
06:41:58.0265 3908 [ AEFD24AA5703407480527C395EE07565 ] MSDTC I:\WINDOWS\system32\msdtc.exe
06:41:58.0265 3908 MSDTC - ok
06:41:58.0281 3908 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs I:\WINDOWS\system32\drivers\Msfs.sys
06:41:58.0281 3908 Msfs - ok
06:41:58.0281 3908 MSIServer - ok
06:41:58.0296 3908 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV I:\WINDOWS\system32\drivers\MSKSSRV.sys
06:41:58.0296 3908 MSKSSRV - ok
06:41:58.0312 3908 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK I:\WINDOWS\system32\drivers\MSPCLOCK.sys
06:41:58.0312 3908 MSPCLOCK - ok
06:41:58.0328 3908 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM I:\WINDOWS\system32\drivers\MSPQM.sys
06:41:58.0328 3908 MSPQM - ok
06:41:58.0359 3908 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios I:\WINDOWS\system32\DRIVERS\mssmbios.sys
06:41:58.0359 3908 mssmbios - ok
06:41:58.0390 3908 [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup I:\WINDOWS\system32\drivers\Mup.sys
06:41:58.0390 3908 Mup - ok
06:41:58.0406 3908 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS I:\WINDOWS\system32\drivers\NDIS.sys
06:41:58.0406 3908 NDIS - ok
06:41:58.0421 3908 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi I:\WINDOWS\system32\DRIVERS\ndistapi.sys
06:41:58.0421 3908 NdisTapi - ok
06:41:58.0437 3908 [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio I:\WINDOWS\system32\DRIVERS\ndisuio.sys
06:41:58.0437 3908 Ndisuio - ok
06:41:58.0453 3908 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan I:\WINDOWS\system32\DRIVERS\ndiswan.sys
06:41:58.0453 3908 NdisWan - ok
06:41:58.0453 3908 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy I:\WINDOWS\system32\drivers\NDProxy.sys
06:41:58.0453 3908 NDProxy - ok
06:41:58.0468 3908 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS I:\WINDOWS\system32\DRIVERS\netbios.sys
06:41:58.0468 3908 NetBIOS - ok
06:41:58.0484 3908 [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT I:\WINDOWS\system32\DRIVERS\netbt.sys
06:41:58.0484 3908 NetBT - ok
06:41:58.0500 3908 [ 7E61D52D2D9259C63DFB6C156719D3B4 ] NetDDE I:\WINDOWS\system32\netdde.exe
06:41:58.0500 3908 NetDDE - ok
06:41:58.0515 3908 [ 7E61D52D2D9259C63DFB6C156719D3B4 ] NetDDEdsdm I:\WINDOWS\system32\netdde.exe
06:41:58.0515 3908 NetDDEdsdm - ok
06:41:58.0531 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] Netlogon I:\WINDOWS\system32\lsass.exe
06:41:58.0531 3908 Netlogon - ok
06:41:58.0546 3908 [ B2665A1B502EC037388B7919CBD58C28 ] Netman I:\WINDOWS\System32\netman.dll
06:41:58.0546 3908 Netman - ok
06:41:58.0578 3908 [ 5C5C53DB4FEF16CF87B9911C7E8C6FBC ] NIC1394 I:\WINDOWS\system32\DRIVERS\nic1394.sys
06:41:58.0578 3908 NIC1394 - ok
06:41:58.0640 3908 [ FF59588E31F864FED9D0258969559A4B ] Nla I:\WINDOWS\System32\mswsock.dll
06:41:58.0640 3908 Nla - ok
06:41:58.0640 3908 [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs I:\WINDOWS\system32\drivers\Npfs.sys
06:41:58.0640 3908 Npfs - ok
06:41:58.0687 3908 [ 198FF60A42802C319FBA58FDB13EEE49 ] nSvcIp I:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
06:41:58.0687 3908 nSvcIp - ok
06:41:58.0703 3908 [ B78BE402C3F63DD55521F73876951CDD ] Ntfs I:\WINDOWS\system32\drivers\Ntfs.sys
06:41:58.0703 3908 Ntfs - ok
06:41:58.0703 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] NtLmSsp I:\WINDOWS\system32\lsass.exe
06:41:58.0718 3908 NtLmSsp - ok
06:41:58.0734 3908 [ AC75E028773CBBD7D8B1313F382E7C05 ] NtmsSvc I:\WINDOWS\system32\ntmssvc.dll
06:41:58.0765 3908 NtmsSvc - ok
06:41:58.0781 3908 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null I:\WINDOWS\system32\drivers\Null.sys
06:41:58.0781 3908 Null - ok
06:41:59.0000 3908 [ CD9ED87B4FC6EC41D3B5BE0B923843FC ] nv I:\WINDOWS\system32\DRIVERS\nv4_mini.sys
06:41:59.0078 3908 nv - ok
06:41:59.0078 3908 [ C61927D27B75ED56723F2508F1A6B1BE ] NVENETFD I:\WINDOWS\system32\DRIVERS\NVENETFD.sys
06:41:59.0078 3908 NVENETFD - ok
06:41:59.0093 3908 [ C529B614EF88BE0F62B886C67B516550 ] nvnetbus I:\WINDOWS\system32\DRIVERS\nvnetbus.sys
06:41:59.0093 3908 nvnetbus - ok
06:41:59.0109 3908 [ 02A9F366BCB94B286E34825B2094CB38 ] nvsmu I:\WINDOWS\system32\DRIVERS\nvsmu.sys
06:41:59.0109 3908 nvsmu - ok
06:41:59.0125 3908 [ E48C1AA03B6519B51756E3232C093300 ] nvsvc I:\WINDOWS\system32\nvsvc32.exe
06:41:59.0125 3908 nvsvc - ok
06:41:59.0171 3908 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt I:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
06:41:59.0171 3908 NwlnkFlt - ok
06:41:59.0171 3908 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd I:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
06:41:59.0171 3908 NwlnkFwd - ok
06:41:59.0203 3908 [ 0951DB8E5823EA366B0E408D71E1BA2A ] ohci1394 I:\WINDOWS\system32\DRIVERS\ohci1394.sys
06:41:59.0203 3908 ohci1394 - ok
06:41:59.0218 3908 [ 83A120F43A1424D9C51701FD91D3BC8E ] Parport I:\WINDOWS\system32\drivers\Parport.sys
06:41:59.0218 3908 Parport - ok
06:41:59.0218 3908 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr I:\WINDOWS\system32\drivers\PartMgr.sys
06:41:59.0218 3908 PartMgr - ok
06:41:59.0250 3908 [ 1EADE28746A64C21E0A808BB12A63326 ] ParVdm I:\WINDOWS\system32\drivers\ParVdm.sys
06:41:59.0250 3908 ParVdm - ok
06:41:59.0265 3908 [ 3060407163C2DAF8B0DBC878C3052CF0 ] PCI I:\WINDOWS\system32\DRIVERS\pci.sys
06:41:59.0265 3908 PCI - ok
06:41:59.0265 3908 PCIDump - ok
06:41:59.0281 3908 [ B31EDEBA4DA28283F6B8DC4756FB9585 ] PCIIde I:\WINDOWS\system32\DRIVERS\pciide.sys
06:41:59.0281 3908 PCIIde - ok
06:41:59.0296 3908 [ 8673108CAD88D629BA0F7758EC5B1924 ] Pcmcia I:\WINDOWS\system32\drivers\Pcmcia.sys
06:41:59.0296 3908 Pcmcia - ok
06:41:59.0296 3908 PDCOMP - ok
06:41:59.0312 3908 PDFRAME - ok
06:41:59.0312 3908 PDRELI - ok
06:41:59.0328 3908 PDRFRAME - ok
06:41:59.0328 3908 perc2 - ok
06:41:59.0328 3908 perc2hib - ok
06:41:59.0375 3908 [ 1A00FCECA4E29A6B4B33A9D0B3E7CBA0 ] PlugPlay I:\WINDOWS\system32\services.exe
06:41:59.0375 3908 PlugPlay - ok
06:41:59.0375 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] PolicyAgent I:\WINDOWS\system32\lsass.exe
06:41:59.0375 3908 PolicyAgent - ok
06:41:59.0390 3908 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport I:\WINDOWS\system32\DRIVERS\raspptp.sys
06:41:59.0390 3908 PptpMiniport - ok
06:41:59.0390 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] ProtectedStorage I:\WINDOWS\system32\lsass.exe
06:41:59.0390 3908 ProtectedStorage - ok
06:41:59.0406 3908 [ 48671F327553DCF1D27F6197F622A668 ] PSched I:\WINDOWS\system32\DRIVERS\psched.sys
06:41:59.0406 3908 PSched - ok
06:41:59.0406 3908 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink I:\WINDOWS\system32\DRIVERS\ptilink.sys
06:41:59.0406 3908 Ptilink - ok
06:41:59.0421 3908 ql1080 - ok
06:41:59.0421 3908 Ql10wnt - ok
06:41:59.0421 3908 ql12160 - ok
06:41:59.0437 3908 ql1240 - ok
06:41:59.0437 3908 ql1280 - ok
06:41:59.0437 3908 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd I:\WINDOWS\system32\DRIVERS\rasacd.sys
06:41:59.0437 3908 RasAcd - ok
06:41:59.0453 3908 [ 8E033B9D88FCDD9FCBD1ED74A2E4CEC7 ] RasAuto I:\WINDOWS\System32\rasauto.dll
06:41:59.0453 3908 RasAuto - ok
06:41:59.0468 3908 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp I:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:41:59.0468 3908 Rasl2tp - ok
06:41:59.0484 3908 [ C5009C76C4BB3CF7A65C4C228C96845F ] RasMan I:\WINDOWS\System32\rasmans.dll
06:41:59.0531 3908 RasMan - ok
06:41:59.0546 3908 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe I:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:41:59.0546 3908 RasPppoe - ok
06:41:59.0562 3908 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti I:\WINDOWS\system32\DRIVERS\raspti.sys
06:41:59.0562 3908 Raspti - ok
06:41:59.0578 3908 [ 29D66245ADBA878FFF574CD66ABD2884 ] Rdbss I:\WINDOWS\system32\DRIVERS\rdbss.sys
06:41:59.0578 3908 Rdbss - ok
06:41:59.0593 3908 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD I:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:41:59.0593 3908 RDPCDD - ok
06:41:59.0609 3908 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr I:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:41:59.0609 3908 rdpdr - ok
06:41:59.0625 3908 [ D4F5643D7714EF499AE9527FDCD50894 ] RDPWD I:\WINDOWS\system32\drivers\RDPWD.sys
06:41:59.0625 3908 RDPWD - ok
06:41:59.0656 3908 [ A81B92D6AE9F0433B14A54DBF63A1FF3 ] RDSessMgr I:\WINDOWS\system32\sessmgr.exe
06:41:59.0656 3908 RDSessMgr - ok
06:41:59.0671 3908 [ 7BB9C58A13323F5EDC89C88F98C80CBA ] redbook I:\WINDOWS\system32\DRIVERS\redbook.sys
06:41:59.0671 3908 redbook - ok
06:41:59.0687 3908 [ BF6297975D92B0950783034257961544 ] RemoteAccess I:\WINDOWS\System32\mprdim.dll
06:41:59.0687 3908 RemoteAccess - ok
06:41:59.0703 3908 [ D01BB100558945178E4BCB33B0FE9364 ] RemoteRegistry I:\WINDOWS\system32\regsvc.dll
06:41:59.0718 3908 RemoteRegistry - ok
06:41:59.0734 3908 [ 69B970645E78C1ED5FA7CAF34A1A13E6 ] RpcLocator I:\WINDOWS\system32\locator.exe
06:41:59.0734 3908 RpcLocator - ok
06:41:59.0765 3908 [ 75A47F738E7DB78000A55D743BDEE275 ] RpcSs I:\WINDOWS\system32\rpcss.dll
06:41:59.0765 3908 RpcSs - ok
06:41:59.0796 3908 [ AD1B5F1B99FFF08C99F443D784711A81 ] RSVP I:\WINDOWS\system32\rsvp.exe
06:41:59.0812 3908 RSVP - ok
06:41:59.0828 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] SamSs I:\WINDOWS\system32\lsass.exe
06:41:59.0828 3908 SamSs - ok
06:41:59.0828 3908 SASKUTIL - ok
06:41:59.0875 3908 [ 11344A685293C0A5D228DE5381CD9E5D ] SCardSvr I:\WINDOWS\System32\SCardSvr.exe
06:41:59.0875 3908 SCardSvr - ok
06:41:59.0921 3908 [ D245B3E32F8AB3B2FB576AFCFDEC105E ] Schedule I:\WINDOWS\system32\schedsvc.dll
06:41:59.0921 3908 Schedule - ok
06:41:59.0937 3908 [ D26E26EA516450AF9D072635C60387F4 ] Secdrv I:\WINDOWS\system32\DRIVERS\secdrv.sys
06:41:59.0937 3908 Secdrv - ok
06:41:59.0953 3908 [ 2D5122859174871C07E8F4640884AFBF ] seclogon I:\WINDOWS\System32\seclogon.dll
06:41:59.0953 3908 seclogon - ok
06:41:59.0953 3908 [ 08C43746105E0C231ED2AC620C2F0F86 ] SENS I:\WINDOWS\system32\sens.dll
06:41:59.0953 3908 SENS - ok
06:41:59.0968 3908 [ 97E86D03D082D369CB025113B4B7B781 ] Serial I:\WINDOWS\system32\drivers\Serial.sys
06:41:59.0968 3908 Serial - ok
06:41:59.0968 3908 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy I:\WINDOWS\system32\drivers\Sfloppy.sys
06:41:59.0968 3908 Sfloppy - ok
06:42:00.0000 3908 [ 34F401E1756261320B16D42900A70163 ] SharedAccess I:\WINDOWS\System32\ipnathlp.dll
06:42:00.0000 3908 SharedAccess - ok
06:42:00.0015 3908 [ 394FD6CE1AC84BB318B806A6F8D90F66 ] ShellHWDetection I:\WINDOWS\System32\shsvcs.dll
06:42:00.0015 3908 ShellHWDetection - ok
06:42:00.0031 3908 Simbad - ok
06:42:00.0031 3908 Sparrow - ok
06:42:00.0062 3908 [ 8E186B8F23295D1E42C573B82B80D548 ] splitter I:\WINDOWS\system32\drivers\splitter.sys
06:42:00.0062 3908 splitter - ok
06:42:00.0109 3908 [ CCCB8B94B17466EFB9DC27F42625B0E5 ] Spooler I:\WINDOWS\system32\spoolsv.exe
06:42:00.0109 3908 Spooler - ok
06:42:00.0125 3908 [ A859C2DA6B06024C9B4D995B90FE8175 ] sr I:\WINDOWS\system32\DRIVERS\sr.sys
06:42:00.0125 3908 sr - ok
06:42:00.0140 3908 [ 0B96A1E4252F663222C9C3BAC89F596C ] srservice I:\WINDOWS\system32\srsvc.dll
06:42:00.0140 3908 srservice - ok
06:42:00.0171 3908 [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv I:\WINDOWS\system32\DRIVERS\srv.sys
06:42:00.0171 3908 Srv - ok
06:42:00.0203 3908 [ B02FDCE64F64CDE3AA809D28D25D2A12 ] SSDPSRV I:\WINDOWS\System32\ssdpsrv.dll
06:42:00.0203 3908 SSDPSRV - ok
06:42:00.0218 3908 [ A52AA02DDB663FEF22C18C693B0EE891 ] stisvc I:\WINDOWS\system32\wiaservc.dll
06:42:00.0234 3908 stisvc - ok
06:42:00.0250 3908 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum I:\WINDOWS\system32\DRIVERS\swenum.sys
06:42:00.0250 3908 swenum - ok
06:42:00.0250 3908 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi I:\WINDOWS\system32\drivers\swmidi.sys
06:42:00.0250 3908 swmidi - ok
06:42:00.0250 3908 SwPrv - ok
06:42:00.0265 3908 symc810 - ok
06:42:00.0265 3908 symc8xx - ok
06:42:00.0265 3908 sym_hi - ok
06:42:00.0281 3908 sym_u3 - ok
06:42:00.0281 3908 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio I:\WINDOWS\system32\drivers\sysaudio.sys
06:42:00.0281 3908 sysaudio - ok
06:42:00.0328 3908 [ C4D7D00C5EA67A557C95C44E3A226BAD ] SysmonLog I:\WINDOWS\system32\smlogsvc.exe
06:42:00.0328 3908 SysmonLog - ok
06:42:00.0359 3908 [ F38C48EE55AD051BF5474F5BDD69C846 ] TapiSrv I:\WINDOWS\System32\tapisrv.dll
06:42:00.0406 3908 TapiSrv - ok
06:42:00.0453 3908 [ 2A5554FC5B1E04E131230E3CE035C3F9 ] Tcpip I:\WINDOWS\system32\DRIVERS\tcpip.sys
06:42:00.0453 3908 Tcpip - ok
06:42:00.0500 3908 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE I:\WINDOWS\system32\drivers\TDPIPE.sys
06:42:00.0500 3908 TDPIPE - ok
06:42:00.0578 3908 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP I:\WINDOWS\system32\drivers\TDTCP.sys
06:42:00.0578 3908 TDTCP - ok
06:42:00.0625 3908 [ A540A99C281D933F3D69D55E48727F47 ] TermDD I:\WINDOWS\system32\DRIVERS\termdd.sys
06:42:00.0640 3908 TermDD - ok
06:42:00.0671 3908 [ E2CE999886A4636026F157DEB886AA94 ] TermService I:\WINDOWS\System32\termsrv.dll
06:42:00.0718 3908 TermService - ok
06:42:00.0750 3908 [ 394FD6CE1AC84BB318B806A6F8D90F66 ] Themes I:\WINDOWS\System32\shsvcs.dll
06:42:00.0750 3908 Themes - ok
06:42:00.0765 3908 [ BBC15C8D711D558FB5BACCB3C922FEAC ] TlntSvr I:\WINDOWS\system32\tlntsvr.exe
06:42:00.0812 3908 TlntSvr - ok
06:42:00.0812 3908 TosIde - ok
06:42:00.0859 3908 [ E6EBF15491C5F80C55DA23821A75C9DD ] TrkWks I:\WINDOWS\system32\trkwks.dll
06:42:00.0859 3908 TrkWks - ok
06:42:00.0875 3908 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs I:\WINDOWS\system32\drivers\Udfs.sys
06:42:00.0875 3908 Udfs - ok
06:42:00.0890 3908 ultra - ok
06:42:00.0906 3908 [ AFF2E5045961BBC0A602BB6F95EB1345 ] Update I:\WINDOWS\system32\DRIVERS\update.sys
06:42:00.0906 3908 Update - ok
06:42:00.0921 3908 [ 348B60067B10EFA7D7763EE44674108C ] upnphost I:\WINDOWS\System32\upnphost.dll
06:42:00.0921 3908 upnphost - ok
06:42:00.0953 3908 [ 5124D4054C62991A65D616F202965740 ] UPS I:\WINDOWS\System32\ups.exe
06:42:00.0953 3908 UPS - ok
06:42:00.0968 3908 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL I:\WINDOWS\system32\Drivers\usbaapl.sys
06:42:00.0984 3908 USBAAPL - ok
06:42:01.0015 3908 [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp I:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:42:01.0015 3908 usbccgp - ok
06:42:01.0031 3908 [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci I:\WINDOWS\system32\DRIVERS\usbehci.sys
06:42:01.0031 3908 usbehci - ok
06:42:01.0031 3908 [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub I:\WINDOWS\system32\DRIVERS\usbhub.sys
06:42:01.0031 3908 usbhub - ok
06:42:01.0046 3908 [ BDFE799A8531BAD8A5A985821FE78760 ] usbohci I:\WINDOWS\system32\DRIVERS\usbohci.sys
06:42:01.0046 3908 usbohci - ok
06:42:01.0078 3908 [ A42369B7CD8886CD7C70F33DA6FCBCF5 ] usbprint I:\WINDOWS\system32\DRIVERS\usbprint.sys
06:42:01.0078 3908 usbprint - ok
06:42:01.0171 3908 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan I:\WINDOWS\system32\DRIVERS\usbscan.sys
06:42:01.0171 3908 usbscan - ok
06:42:01.0187 3908 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] usbstor I:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:42:01.0187 3908 usbstor - ok
06:42:01.0187 3908 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave I:\WINDOWS\System32\drivers\vga.sys
06:42:01.0187 3908 VgaSave - ok
06:42:01.0187 3908 ViaIde - ok
06:42:01.0265 3908 [ 4D90D2768B7D0902B011BF6707B10423 ] VolSnap I:\WINDOWS\system32\drivers\VolSnap.sys
06:42:01.0265 3908 VolSnap - ok
06:42:01.0343 3908 [ 0354BA3A5BA5E28CC247EB5F5DD8793C ] vsdatant I:\WINDOWS\system32\vsdatant.sys
06:42:01.0468 3908 vsdatant - ok
06:42:01.0500 3908 [ FAEC7A09C545A16B7534FF57CC8E2A4A ] VSS I:\WINDOWS\System32\vssvc.exe
06:42:01.0500 3908 VSS - ok
06:42:01.0546 3908 [ EF361E7A6319C445C21C81A131CF1F99 ] W32Time I:\WINDOWS\system32\w32time.dll
06:42:01.0562 3908 W32Time - ok
06:42:01.0562 3908 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp I:\WINDOWS\system32\DRIVERS\wanarp.sys
06:42:01.0562 3908 Wanarp - ok
06:42:01.0562 3908 WDICA - ok
06:42:01.0593 3908 [ 2797F33EBF50466020C430EE4F037933 ] wdmaud I:\WINDOWS\system32\drivers\wdmaud.sys
06:42:01.0593 3908 wdmaud - ok
06:42:01.0609 3908 [ 79C65680B625D636BF4884F0A0C995E2 ] WebClient I:\WINDOWS\System32\webclnt.dll
06:42:01.0609 3908 WebClient - ok
06:42:01.0656 3908 [ 1216C926603C1369AA16763E83304D23 ] Windows SteadyState I:\Program Files\Windows SteadyState\SCTSvc.exe
06:42:01.0656 3908 Windows SteadyState - ok
06:42:01.0687 3908 [ 032793A8E6288C4C60FF30542EEAB22B ] WinDriver6 I:\WINDOWS\system32\drivers\windrvr6.sys
06:42:01.0687 3908 WinDriver6 - ok
06:42:01.0765 3908 [ B0E590C9260BB08F0832383FDB6EEBFB ] winmgmt I:\WINDOWS\system32\wbem\WMIsvc.dll
06:42:01.0781 3908 winmgmt - ok
06:42:01.0812 3908 [ 2706E00334C86DD2E5279A47600C916A ] WmdmPmSN I:\WINDOWS\system32\mspmsnsv.dll
06:42:01.0812 3908 WmdmPmSN - ok
06:42:01.0843 3908 [ 9027CB58964747D4B3C4CBE9EA74C07F ] Wmi I:\WINDOWS\System32\advapi32.dll
06:42:01.0859 3908 Wmi - ok
06:42:01.0890 3908 [ AE2C8544E747C20062DB27456EA2D67A ] WmiAcpi I:\WINDOWS\system32\DRIVERS\wmiacpi.sys
06:42:01.0890 3908 WmiAcpi - ok
06:42:01.0937 3908 [ 2398E9F520DF78A96FCD577F3A261E98 ] WmiApSrv I:\WINDOWS\system32\wbem\wmiapsrv.exe
06:42:01.0937 3908 WmiApSrv - ok
06:42:01.0968 3908 [ D24E5FCF419D4E0DFF27B08EFC022625 ] wscsvc I:\WINDOWS\system32\wscsvc.dll
06:42:01.0968 3908 wscsvc - ok
06:42:02.0000 3908 [ 2C25B42C668A3CF104ACBD946D6688BB ] wuauserv I:\WINDOWS\system32\wuauserv.dll
06:42:02.0015 3908 wuauserv - ok
06:42:02.0046 3908 [ 0D87D0A91D7B86EC07223A27CD6BD157 ] WZCSVC I:\WINDOWS\System32\wzcsvc.dll
06:42:02.0046 3908 WZCSVC - ok
06:42:02.0078 3908 [ F4C8D4B0A294AAF37FE50C407B6E03F9 ] xmlprov I:\WINDOWS\System32\xmlprov.dll
06:42:02.0078 3908 xmlprov - ok
06:42:02.0093 3908 ================ Scan global ===============================
06:42:02.0109 3908 [ 4B22C98030F2E803F34605E760C69370 ] I:\WINDOWS\system32\basesrv.dll
06:42:02.0125 3908 [ 0F4D27E51A92A70E833D40B5451CB5BD ] I:\WINDOWS\system32\winsrv.dll
06:42:02.0125 3908 [ 0F4D27E51A92A70E833D40B5451CB5BD ] I:\WINDOWS\system32\winsrv.dll
06:42:02.0140 3908 [ 1A00FCECA4E29A6B4B33A9D0B3E7CBA0 ] I:\WINDOWS\system32\services.exe
06:42:02.0140 3908 [Global] - ok
06:42:02.0140 3908 ================ Scan MBR ==================================
06:42:02.0171 3908 [ 3051207086651214E435112E51817DC5 ] \Device\Harddisk0\DR0
06:42:02.0359 3908 \Device\Harddisk0\DR0 - ok
06:42:02.0359 3908 ================ Scan VBR ==================================
06:42:02.0359 3908 [ 12D96B12904CE619ECAEEA5972A67D04 ] \Device\Harddisk0\DR0\Partition1
06:42:02.0359 3908 \Device\Harddisk0\DR0\Partition1 - ok
06:42:02.0359 3908 ============================================================
06:42:02.0359 3908 Scan finished
06:42:02.0359 3908 ============================================================
06:42:02.0375 2992 Detected object count: 0
06:42:02.0375 2992 Actual detected object count: 0


And aswMBR

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-20 06:42:26
-----------------------------
06:42:26.812 OS Version: Windows 5.1.2600 Service Pack 2
06:42:26.812 Number of processors: 2 586 0xF0D
06:42:26.812 ComputerName: MARIA UserName:
06:42:29.093 Initialize success
06:42:34.718 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
06:42:34.718 Disk 0 Vendor: Hitachi_HDS721010CLA332 JP4OA3MA Size: 953869MB BusType: 3
06:42:34.734 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS f7740f26
06:42:34.765 Disk 1 MBR read successfully
06:42:34.765 Disk 1 MBR scan
06:42:34.765 Disk 1 Windows XP default MBR code
06:42:34.765 Disk 1 MBR hidden
06:42:34.765 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953859 MB offset 63
06:42:34.812 Disk 1 scanning I:\WINDOWS\system32\drivers
06:42:38.218 Service scanning
06:42:44.921 Modules scanning
06:42:49.578 Disk 1 trace - called modules:
06:42:49.578 ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
06:42:49.578 1 nt!IofCallDriver -> \Device\Harddisk1\DR2[0x8a9a1ab8]
06:42:49.578 Scan finished successfully
06:45:28.281 Disk 1 MBR has been saved successfully to "I:\Documents and Settings\Jochem Spaan\Bureaublad\MBR.dat"
06:45:28.281 The log file has been saved successfully to "I:\Documents and Settings\Jochem Spaan\Bureaublad\aswMBR.txt"


I'm seeing only ok's, that can't be bad!
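Reading a TDSSKiller log like the one above by eye is slow: several hundred `name - ok` lines, and "ok" only means the tool's own signatures did not fire. The following is an added example, not part of this thread and not TDSSKiller's code, that parses the `[ MD5 ] name path` / `name - ok` pairs and sorts them into the buckets a responder checks first: anything not marked ok, registry entries for which no file was hashed (in this log those are XP's unused in-box SCSI/RAID driver entries), images outside the Windows and Program Files trees, 8.3 short-name paths such as `I:\PROGRA~1\COMMON~1\Motive` that must be expanded before they can be matched against anything, and one image hosting several services (normal for lsass.exe and services.exe, worth a second look for anything else). The sample lines are copied from the log above; the trusted-root list is an assumption for an XP system with Windows on I:.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the TDSSKiller log
# posted above (a real run has several hundred). Windows lives on I: here.
SAMPLE_LOG = r"""
06:41:55.0078 3908 [ 8B46D5A1D3EF08232C04D0EAFB871FB2 ] Adobe LM Service I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
06:41:55.0078 3908 Adobe LM Service - ok
06:41:55.0093 3908 adpu160m - ok
06:41:56.0015 3908 [ B5ECADF7708960F1818C7FA015F4C239 ] CVirtA I:\WINDOWS\system32\DRIVERS\CVirtA.sys
06:41:56.0015 3908 CVirtA - ok
06:41:58.0171 3908 [ 9BD4DCB5412921864A7AACDEDFBD1923 ] MREMP50 I:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
06:41:58.0171 3908 MREMP50 - ok
06:41:58.0531 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] Netlogon I:\WINDOWS\system32\lsass.exe
06:41:58.0531 3908 Netlogon - ok
06:41:58.0703 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] NtLmSsp I:\WINDOWS\system32\lsass.exe
06:41:58.0718 3908 NtLmSsp - ok
06:41:59.0375 3908 [ 34A82DEBEFB057FCCCBE15F619FC98A7 ] PolicyAgent I:\WINDOWS\system32\lsass.exe
06:41:59.0375 3908 PolicyAgent - ok
06:42:01.0343 3908 [ 0354BA3A5BA5E28CC247EB5F5DD8793C ] vsdatant I:\WINDOWS\system32\vsdatant.sys
06:42:01.0468 3908 vsdatant - ok
06:42:02.0375 2992 Detected object count: 0
"""

# "<time> <pid> [ <md5> ] <service name> <drive>:\<path>"  (name may contain spaces)
HASH_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
    r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\\S.*)$"
)
# "<time> <pid> <service name> - <verdict>"
VERDICT_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<name>.+?) - (?P<verdict>.+)$"
)

# Assumed for an XP box: roots below which a service or driver image is expected.
# The drive letter is stripped before matching because Windows is on I: here.
TRUSTED_ROOTS = ("\\WINDOWS\\", "\\PROGRAM FILES\\")


def parse_tdsskiller(text):
    """Return {service_name: {"md5": str|None, "path": str|None, "verdict": str|None}}."""
    records = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            records[m["name"]] = {"md5": m["md5"].upper(), "path": m["path"], "verdict": None}
            continue
        m = VERDICT_LINE.match(line)
        if m and not m["name"].startswith(("[", "\\")):   # skip [Global] / \Device\... lines
            rec = records.setdefault(m["name"], {"md5": None, "path": None, "verdict": None})
            rec["verdict"] = m["verdict"]
    return records


def triage(records):
    """Sort parsed entries into the buckets a responder reads first."""
    by_md5 = defaultdict(list)
    out = {"not_ok": [], "no_file": [], "outside_trusted_roots": [],
           "short_name_paths": [], "shared_images": {}}
    for name, rec in sorted(records.items()):
        if rec["verdict"] != "ok":          # includes entries the scan never finished
            out["not_ok"].append(name)
        if rec["path"] is None:             # registry entry present, no file hashed
            out["no_file"].append(name)
            continue
        by_md5[rec["md5"]].append(name)
        tail = rec["path"].split(":", 1)[1].upper()
        if "~" in tail:                     # 8.3 name: expand on the box before matching
            out["short_name_paths"].append(name)
        elif not tail.startswith(TRUSTED_ROOTS):
            out["outside_trusted_roots"].append(name)
    out["shared_images"] = {h: names for h, names in by_md5.items() if len(names) > 1}
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_tdsskiller(SAMPLE_LOG)).items():
        print(bucket, items)
```

Run it against the full saved log (`parse_tdsskiller(open("TDSSKiller.log").read())`) and start with `not_ok`, `outside_trusted_roots` and `short_name_paths`; the MD5 column is what you feed to a hash lookup service afterwards, since TDSSKiller's own verdict says nothing about files its signatures do not cover.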

#6 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 12:08 AM

Oops, didn't allow update of aswMBR, hang on...

Edited by jochemjspaan, 20 September 2012 - 12:08 AM.


#7 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 12:19 AM

Ran the scan, here is the log.

:wink:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-20 07:07:06
-----------------------------
07:07:06.812 OS Version: Windows 5.1.2600 Service Pack 2
07:07:06.812 Number of processors: 2 586 0xF0D
07:07:06.812 ComputerName: MARIA UserName:
07:07:09.078 Initialize success
07:07:58.218 AVAST engine defs: 12091901
07:08:30.781 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
07:08:30.781 Disk 0 Vendor: Hitachi_HDS721010CLA332 JP4OA3MA Size: 953869MB BusType: 3
07:08:30.781 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS f7740f26
07:08:30.796 Disk 1 MBR read successfully
07:08:30.796 Disk 1 MBR scan
07:08:30.812 Disk 1 Windows XP default MBR code
07:08:30.812 Disk 1 MBR hidden
07:08:30.812 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953859 MB offset 63
07:08:30.859 Disk 1 scanning I:\WINDOWS\system32\drivers
07:08:36.500 Service scanning
07:08:48.031 Modules scanning
07:08:51.859 Disk 1 trace - called modules:
07:08:51.875 ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
07:08:51.875 1 nt!IofCallDriver -> \Device\Harddisk1\DR2[0x8a9a1ab8]
07:08:54.250 AVAST engine scan I:\WINDOWS
07:09:10.718 AVAST engine scan I:\WINDOWS\system32
07:11:16.500 AVAST engine scan I:\WINDOWS\system32\drivers
07:11:55.890 AVAST engine scan I:\Documents and Settings\Jochem Spaan
07:16:12.125 Disk 1 MBR has been saved successfully to "I:\Documents and Settings\Jochem Spaan\Bureaublad\MBR.dat"
07:16:12.125 The log file has been saved successfully to "I:\Documents and Settings\Jochem Spaan\Bureaublad\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 20 September 2012 - 12:38 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 02:29 AM

hello gringo,

Downloaded ComboFix, ran it, it installed the Recovery Console, but when it started to scan, the program fell silent / froze up. Tried three times, froze up all three times. Last message being that it would try to start the scan and that it would take no more than ten minutes. I waited for about twenty minutes and no apparent change, saw / heard nothing to indicate something was still going on. Restarted with a hard reset since I could find no other way to get out of the program.

The malware, by the way, seems to be gone; I am not getting any random links anymore, but it seems that would not be on account of ComboFix because it didn't finish.

What to do next?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 20 September 2012 - 02:42 AM

Hello

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#11 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 03:22 AM

??? Cannot start up in Safe Mode.

It breaks off in mid startup sequence and recommends starting up in normal mode. If I try to restart in Safe Mode again, same story.

Three possibilities in Safe Mode, tried all three to no avail.

#12 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 03:57 AM

Started up in diagnostic mode (same as Safe Mode?) through Run > msconfig.

Ran ComboFix and it froze up again. When you run the ComboFix scan, do you typically see anything moving in the DOS box that tracks the progress of the scan? Normally you see something of a progress meter and you hear the computer working, but when I start ComboFix up, it makes no sound at all and no progress is communicated.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 20 September 2012 - 12:36 PM

  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box:
ComboFix /nombr
  • Click OK.

Copy and paste the report into this topic for me to review.

Gringo

#14 jochemjspaan

jochemjspaan
  • Topic Starter

  • Members
  • 23 posts

Posted 20 September 2012 - 12:56 PM

Hey Gringo,

Here is the log:

Some sentences are written in Dutch; if you need a translation please let me know.



ComboFix 12-09-20.02 - Jochem Spaan 20-09-2012 19:47:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.3071.2494 [GMT 2:00]
Gestart vanuit: i:\documents and settings\Jochem Spaan\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: /nombr
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
i:\documents and settings\All Users\Application Data\Codecv
i:\documents and settings\All Users\Application Data\Codecv\background.html
i:\documents and settings\All Users\Application Data\Codecv\bhoclass.dll
i:\documents and settings\All Users\Application Data\Codecv\content.js
i:\documents and settings\All Users\Application Data\Codecv\data\content.js
i:\documents and settings\All Users\Application Data\Codecv\data\jsondb.js
i:\documents and settings\All Users\Application Data\Codecv\fcnakadmodnjnflbkhcfaklcapmfmaph.crx
i:\documents and settings\All Users\Application Data\Codecv\settings.ini
I:\readme.txt
I:\setup.exe
i:\windows\system32\shimg.dll
.
i:\windows\system32\drivers\i8042prt.sys . . . is verdwenen!
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2012-08-20 to 2012-09-20 ))))))))))))))))))))))))))))))
.
.
2012-09-04 12:20 . 2012-09-04 12:20 -------- d-----w- i:\documents and settings\Jochem Spaan\Application Data\Malwarebytes
2012-09-04 12:19 . 2012-09-04 12:19 -------- d-----w- i:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-10 05:29 . 2012-07-10 05:29 476936 ----a-w- i:\windows\system32\npdeployJava1.dll
2012-07-10 05:29 . 2011-06-13 10:42 472840 ----a-w- i:\windows\system32\deployJava1.dll
2011-08-30 10:29 . 2011-08-30 10:28 21073936 ----a-w- i:\program files\vlc-1.1.11-win32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="i:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"uTorrent"="i:\program files\uTorrent\uTorrent.exe" [2012-09-20 896912]
"Spotify Web Helper"="i:\program files\Spotify\Data\SpotifyWebHelper.exe" [2012-08-20 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"Logoff"="i:\program files\Windows SteadyState\SCTUINotify.exe" [2008-05-30 163856]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"EPSON Stylus Photo RX500"="i:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"Bubble"="i:\program files\Windows SteadyState\Bubble.exe" [2008-05-30 182288]
"APSDaemon"="i:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="i:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
i:\documents and settings\Jochem Spaan\Menu Start\Programma's\Opstarten\
Adobe Gamma.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
i:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
VPN Client.lnk - i:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-6 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\uTorrent\\uTorrent.exe"=
"i:\\Program Files\\Spotify\\spotify.exe"=
.
R1 A2DDA;A2 Direct Disk Access Support Driver;i:\documents and settings\Administrator\Bureaublad\antivirus\Run\a2ddax86.sys [9-7-2012 17:24 17904]
R2 Windows SteadyState;Windows SteadyState Service;i:\program files\Windows SteadyState\SCTSvc.exe [30-5-2008 14:41 115728]
R3 e.dentifier2;SmartCard Reader ABN AMRO e.dentifier2;i:\windows\system32\drivers\aabed2.sys [5-10-2011 8:37 21888]
S1 SASKUTIL;SASKUTIL;\??\i:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> i:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 !SASCORE;SAS Core Service;"i:\program files\SUPERAntiSpyware\SASCORE.EXE" --> i:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 gupdate;Google Update-service (gupdate);i:\program files\Google\Update\GoogleUpdate.exe [24-10-2011 7:45 136176]
S3 Ambfilt;Ambfilt;i:\windows\system32\drivers\Ambfilt.sys [21-5-2011 14:36 1691480]
S3 gupdatem;Google Update-service (gupdatem);i:\program files\Google\Update\GoogleUpdate.exe [24-10-2011 7:45 136176]
.
Inhoud van de 'Gedeelde Taken' map
.
2012-09-20 i:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- i:\program files\Google\Update\GoogleUpdate.exe [2011-10-24 05:45]
.
2012-09-20 i:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- i:\program files\Google\Update\GoogleUpdate.exe [2011-10-24 05:45]
.
2012-09-20 i:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-602162358-725345543-1003Core.job
- i:\documents and settings\Jochem Spaan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 10:18]
.
2012-09-20 i:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-602162358-725345543-1003UA.job
- i:\documents and settings\Jochem Spaan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 10:18]
.
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://search.gboxapp.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKLM-Run-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-20 19:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
Voltooingstijd: 2012-09-20 19:52:22
ComboFix-quarantined-files.txt 2012-09-20 17:52
.
Pre-Run: 163.066.130.432 bytes beschikbaar
Post-Run: 164.324.270.080 bytes beschikbaar
.
- - End Of File - - E933501B11CE44F5FC274AFB8DE94C86
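
A defender's way to read a ComboFix log like the one above is to pull the structured parts out of it and triage them rather than eyeballing the dump. The helper below is an added example written for this thread; it is not ComboFix's own code and not part of the original post. Its sample input is a constructed excerpt made of lines copied from the posted log (the Dutch section headings are exactly as ComboFix printed them, and ComboFix defangs URLs as `hxxp`). The section names, regular expressions, `Report` class and `triage` rules are this example's own assumptions about the log layout.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
i:\documents and settings\All Users\Application Data\Codecv\bhoclass.dll
i:\documents and settings\All Users\Application Data\Codecv\fcnakadmodnjnflbkhcfaklcapmfmaph.crx
i:\windows\system32\shimg.dll
.
i:\windows\system32\drivers\i8042prt.sys . . . is verdwenen!
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="i:\program files\uTorrent\uTorrent.exe" [2012-09-20 896912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-04-14 20053608]
"Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://search.gboxapp.com/
"""

# Layout assumptions: banner lines are wrapped in runs of "(" / ")" or "-",
# registry keys sit in square brackets, Run values carry "[date size]".
SECTION_RE = re.compile(r"^[(\-]+\s*(?P<name>[^()\-].*?)\s*[)\-]+$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')
KV_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$")


@dataclass
class Report:
    removed: list = field(default_factory=list)      # files ComboFix deleted
    missing: list = field(default_factory=list)      # files ComboFix reports as gone
    run_entries: list = field(default_factory=list)  # (key, name, path, date, size)
    dwords: dict = field(default_factory=dict)       # DWORD policy values
    scan: dict = field(default_factory=dict)         # "Bijkomende Scan" key/values


def parse_combofix(text: str) -> Report:
    """Walk the log line by line, keeping track of which banner section we are in."""
    rep = Report()
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("name"), None
            continue
        if section == "Andere Verwijderingen":          # "Other removals"
            if line.endswith("is verdwenen!"):          # "has disappeared!"
                rep.missing.append(line.split(" . . . ")[0])
            else:
                rep.removed.append(line)
        elif section == "Reg Opstartpunten":            # "Registry startup points"
            if (m := KEY_RE.match(line)):
                key = m.group("key")
            elif (m := RUN_RE.match(line)):
                rep.run_entries.append((key, m["name"], m["path"], m["date"], int(m["size"])))
            elif (m := DWORD_RE.match(line)):
                rep.dwords[m["name"]] = int(m["value"])
        elif section == "Bijkomende Scan":              # "Additional scan"
            if (m := KV_RE.match(line)):
                rep.scan[m["name"]] = m["value"]
    return rep


def triage(rep: Report) -> list:
    """Turn the parsed report into the points a responder would raise."""
    findings = []
    if rep.dwords.get("EnableFirewall") == 0:
        findings.append("firewall: Windows Firewall disabled for the standard profile (EnableFirewall=0)")
    for name, value in rep.scan.items():
        if value.lower().startswith("hxxp"):            # ComboFix writes URLs defanged as hxxp
            findings.append(f"browser: {name} points at {value}")
    for key, name, path, _date, _size in rep.run_entries:
        if "\\" not in path:                            # bare file name: resolved via search path
            findings.append(f"autostart: {name} in {key} uses unqualified path {path!r}")
    components = [p for p in rep.removed if p.lower().endswith((".dll", ".crx"))]
    if components:
        findings.append(f"browser: {len(components)} extension/BHO component(s) removed")
    for path in rep.missing:
        findings.append(f"driver: {path} reported missing after cleanup; check the device still works")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

On the posted log this flags the disabled firewall, the machine-wide start page pointing at search.gboxapp.com, the `RTHDCPL` Run value that is only a bare file name, the three removed DLL/CRX components, and the missing `i8042prt.sys`; those are the items worth following up on after the cleanup, independently of whether the original symptom has stopped.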

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 20 September 2012 - 04:38 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo



