
iexplorer background and google redirect


This topic is locked.
16 replies to this topic

#1 Speedr73 (Members, 8 posts)

Posted 01 October 2012 - 12:12 PM

Hello,

I need some help removing the Google redirect virus and also stopping iexplorer from running in the background. I am posting them both together because I hope they are related.

I have had the Google redirect issue before, and fixed it, but now that it's back with other issues I want professional help.

I have run both Malwarebytes and Spybot S&D.


DDS Log:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_29
Run by Ryan Deutsch at 12:30:01 on 2012-10-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.247 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\documents and settings\ryan deutsch\desktop\uTorrent.exe" /MINIMIZED
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sonic] rundll32.exe "c:\documents and settings\ryan deutsch\local settings\application data\sonic\pvnlhils.dll",ir_fe_ocr_exit
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\ryande~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ryan deutsch\application data\dropbox\bin\Dropbox.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179341382980
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{AADE349F-580E-45BD-9C75-C869607B31C5} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan deutsch\application data\mozilla\firefox\profiles\4rm96qvr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\ryan deutsch\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-30 64512]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2012-9-19 99896]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-20 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-14 22856]
S0 77938054;77938054;c:\windows\system32\drivers\06314150.sys --> c:\windows\system32\drivers\06314150.sys [?]
S2 FILESpy;FILESpy;\??\c:\program files\softwin\bitdefender9\filespy.sys --> c:\program files\softwin\bitdefender9\filespy.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-14 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-11-17 23624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-2 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-2 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-2 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-2 40552]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-9-25 114144]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-7-6 14088]
.
=============== Created Last 30 ================
.
2012-09-25 06:51:59 303760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-09-25 05:15:45 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-09-21 06:02:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-21 05:46:41 -------- d-----w- C:\_OTM
2012-09-20 00:24:13 99896 ----a-w- c:\windows\system32\HPSIsvc.exe
2012-09-20 00:24:06 69632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HP1100PP.dll
2012-09-20 00:24:06 151552 ----a-w- c:\windows\system32\HP1100LM.DLL
2012-09-20 00:24:06 1511424 ----a-w- c:\windows\system32\HP1100SM.EXE
2012-09-20 00:23:46 316416 ----a-r- c:\windows\system32\Difxapi.dll
2012-09-20 00:23:46 284160 ----a-w- c:\windows\system32\mvhlewsi.DLL
2012-09-20 00:23:39 47104 ----a-w- c:\windows\system32\HP1100SMs.dll
2012-09-18 18:46:22 -------- d-----w- c:\documents and settings\ryan deutsch\application data\webex
2012-09-18 00:59:33 -------- d-----w- c:\documents and settings\ryan deutsch\local settings\application data\Sonic
2012-09-17 02:33:45 -------- d-----w- c:\program files\WebEx
.
==================== Find3M ====================
.
2012-09-21 06:03:46 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-09-21 03:08:11 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-21 03:08:11 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-23 07:40:46 1952768 ----a-w- c:\program files\tinyumbrella-5.00.06(2).exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541040G9AT00 rev.MB2OA61A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E134B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e1a93c]; MOV EAX, [0x86e1aab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x87337AB8]
3 CLASSPNP[0xF75EFFD7] -> nt!IofCallDriver[0x804E37C5] -> [0x872AE030]
\Driver\atapi[0x8710E408] -> IRP_MJ_CREATE -> 0x86E134B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E132E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:31:28.73 ===============






GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-01 13:11:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS541040G9AT00 rev.MB2OA61A
Running: gmer.exe; Driver: C:\DOCUME~1\RYANDE~1\LOCALS~1\Temp\uwloaaoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75FF87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75FFBFE]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\RYANDE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2396] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 105CDF63 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2396] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 105CDEF2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2396] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10414536 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2396] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 10414B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DrawTextExW 7E42B415 6 Bytes PUSH 00C7AB2C; RET
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBeep 7E431F7B 6 Bytes PUSH 00C8076C; RET
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ws2_32.dll!send 71AB4C27 6 Bytes PUSH 00C7941C; RET
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ws2_32.dll!WSASend 71AB68FA 6 Bytes PUSH 00C79FA4; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01180C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 013B7B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 013B7B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01183FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes PUSH 0271AB2C; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 013B7AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 0271941C; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] WS2_32.dll!WSASend 71AB68FA 6 Bytes PUSH 02719FA4; RET

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
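As an added example (not part of the original post, and not GMER's own code), the script below parses "User code sections" lines in the format GMER printed above and triages each inline hook. The detail worth automating is the last field: when a JMP lands inside a named image GMER prints that module and its vendor (the Firefox hooks all resolve to xul.dll, the IE dialog hooks to IEFRAME.dll), but the `PUSH xxxxxxxx; RET` trampolines on `ws2_32.dll!send` and `ws2_32.dll!WSASend` in both IEXPLORE.EXE and firefox.exe carry no module at all, meaning the destination is memory GMER could not attribute to any loaded image. An unattributed hook on the Winsock send path in two different browsers is exactly the pattern that produces redirected traffic. The sample lines are copied from the log above; the `NETWORK_APIS` set, the severity labels and the function names are this example's assumptions. Security products and sandboxes hook the same APIs, so the output is a triage lead to check against the vendor field, not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One GMER "User code sections" line. Two shapes occur in the log above:
#   .text <image>[<pid>] <dll>!<api>[ + <off>] <addr> <n> Bytes JMP <dst> <module path> (<vendor>)
#   .text <image>[<pid>] <dll>!<api>           <addr> <n> Bytes PUSH <dst>; RET
# In the second shape no module follows the patch: GMER could not attribute
# the jump destination to any loaded image.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<patch>.+?)"
    r"(?:\s+(?P<target>[A-Za-z]:\\.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Winsock entry points whose hooking lets injected code read or rewrite
# browser traffic. This list is an assumption of the example, not from GMER.
NETWORK_APIS = {
    "ws2_32.dll!send", "ws2_32.dll!wsasend",
    "ws2_32.dll!recv", "ws2_32.dll!wsarecv", "ws2_32.dll!connect",
}


@dataclass
class Hook:
    process: str                  # full image path of the hooked process
    pid: int
    function: str                 # "dll!api" plus optional " + offset"
    patch: str                    # bytes GMER saw at the prologue, e.g. "PUSH 00C7941C; RET"
    target_module: Optional[str]  # None when GMER printed no module after the patch
    vendor: Optional[str]

    @property
    def api(self) -> str:
        return self.function.split(" + ")[0].lower()


def image_name(path: str) -> str:
    """Last path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1]


def parse_hooks(lines: List[str]) -> List[Hook]:
    """Parse every line that looks like a GMER user-mode hook; ignore the rest."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["func"],
                              m["patch"], m["target"], m["vendor"]))
    return hooks


def triage(hook: Hook) -> Tuple[str, List[str]]:
    """Severity plus reasons. The thresholds are this example's own choice."""
    reasons = []
    if hook.target_module is None:
        reasons.append("jump target lies outside every loaded module (anonymous memory)")
    if hook.api in NETWORK_APIS:
        reasons.append("Winsock send/receive path is intercepted")
    if len(reasons) == 2:
        return "high", reasons
    if hook.target_module is None:
        return "medium", reasons
    return "low", reasons or ["hook resolves to a named module; verify the vendor"]


def summarize(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Medium and high findings grouped by process image name, in log order."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        if triage(h)[0] == "low":
            continue
        out.setdefault(image_name(h.process), []).append(h.function)
    return out


# Sample input: seven lines copied from the GMER log posted above.
SAMPLE_GMER_LINES = r"""
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2396] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 105CDF63 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ws2_32.dll!send 71AB4C27 6 Bytes PUSH 00C7941C; RET
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3148] ws2_32.dll!WSASend 71AB68FA 6 Bytes PUSH 00C79FA4; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01180C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes PUSH 0271AB2C; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 0271941C; RET
""".strip().splitlines()


if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_GMER_LINES):
        sev, why = triage(h)
        print(f"{sev:6} {image_name(h.process)}[{h.pid}] {h.function}: {'; '.join(why)}")
    print(summarize(parse_hooks(SAMPLE_GMER_LINES)))
```

Run it against the full GMER log (`parse_hooks(open("gmer.log").read().splitlines())`) and the summary collapses dozens of benign Firefox self-hooks into the two browsers' unattributed Winsock hooks; the vendor field is what separates an AV product's hook from the anonymous ones seen here.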


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 01 October 2012 - 11:54 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Speedr73 (Topic Starter)

Posted 02 October 2012 - 12:01 PM

The security check log and AdwCleaner log are below, but I couldn't finish running RogueKiller. I got the blue stop error screen after starting the scan for RK.


Here is the technical information for the stop error screen:

***STOP: 0x0000008E (0xC0000005, 0xF750471D, 0xF774E570, 0x00000000)


*** atapi.sys - Address F750471D base at F74FA000, DateStamp 4802539d




Logs:


Results of screen317's Security Check version 0.99.51
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.0.1400
HijackThis 2.0.2
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.4.402.278
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (15.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````





# AdwCleaner v2.003 - Logfile created 10/02/2012 at 12:30:50
# Updated 23/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Ryan Deutsch - DRGREENTHUMB
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Ryan Deutsch\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Ryan Deutsch\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Ryan Deutsch\Local Settings\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\b
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072254
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{83AA2913-C123-4146-85BD-AD8F93971D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3192AA38321C641458DBDAF83979D193
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.11

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Ryan Deutsch\Application Data\Mozilla\Firefox\Profiles\4rm96qvr.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Administrator.DRGREENTHUMB\Application Data\Mozilla\Firefox\Profiles\1hv2myc3.default\prefs.js

C:\Documents and Settings\Administrator.DRGREENTHUMB\Application Data\Mozilla\Firefox\Profiles\1hv2myc3.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4635 octets] - [02/10/2012 12:30:50]

########## EOF - C:\AdwCleaner[S1].txt - [4695 octets] ##########

#4 gringo_pr (Malware Response Team)

Posted 03 October 2012 - 01:11 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 Speedr73 (Topic Starter)

Posted 03 October 2012 - 01:59 PM

Ok, so for this run ComboFix told me Lavasoft Ad-Watch Live was running. I couldn't find any .exe file under Lavasoft on my computer. Not sure what's running or what ComboFix found, but Lavasoft is not supposed to be running or even on my computer.

When I started a search for keyword Lavasoft, Windows installer popped up and tried to start installing Microsoft Frontpage. Not sure why that started, but it wasn't meant to happen.

Not sure if this will show in the log below, but ComboFix popped up with a warning that I am infected with Rootkit.ZeroAccess!


For this round, those are the only things that came up.


The ComboFix log is below:



ComboFix 12-10-03.03 - Ryan Deutsch 10/03/2012 13:20:26.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.699 [GMT -4:00]
Running from: c:\documents and settings\Ryan Deutsch\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\4e0b82c3.pad
c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\Sonic\pvnlhils.dll
c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\svcxdcl32_v.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-03 to 2012-10-03 )))))))))))))))))))))))))))))))
.
.
2012-10-03 16:50 . 2012-10-03 16:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-02 16:37 . 2012-10-02 16:45 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-10-02 06:39 . 2012-10-02 06:39 -------- d-----w- c:\program files\iPod
2012-10-02 06:38 . 2012-10-02 06:40 -------- d-----w- c:\program files\iTunes
2012-10-02 06:38 . 2012-10-02 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-02 06:33 . 2012-07-09 17:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-10-02 06:33 . 2012-07-09 17:42 44032 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-09-25 05:15 . 2012-09-26 03:20 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-09-21 06:02 . 2012-09-21 06:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-21 05:46 . 2012-09-21 05:46 -------- d-----w- C:\_OTM
2012-09-20 00:24 . 2011-05-11 11:24 99896 ----a-w- c:\windows\system32\HPSIsvc.exe
2012-09-20 00:24 . 2011-04-02 20:03 1511424 ----a-w- c:\windows\system32\HP1100SM.EXE
2012-09-20 00:24 . 2011-04-02 20:03 151552 ----a-w- c:\windows\system32\HP1100LM.DLL
2012-09-20 00:24 . 2011-04-02 20:03 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1100PP.dll
2012-09-20 00:23 . 2011-04-02 22:11 284160 ----a-w- c:\windows\system32\mvhlewsi.DLL
2012-09-20 00:23 . 2009-07-08 16:38 316416 ----a-r- c:\windows\system32\Difxapi.dll
2012-09-20 00:23 . 2011-04-04 14:25 47104 ----a-w- c:\windows\system32\HP1100SMs.dll
2012-09-19 00:42 . 2012-09-19 00:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sonic
2012-09-18 18:46 . 2012-10-02 18:46 -------- d-----w- c:\documents and settings\Ryan Deutsch\Application Data\webex
2012-09-18 00:59 . 2012-10-03 17:35 -------- d-----w- c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\Sonic
2012-09-17 02:33 . 2012-09-17 02:35 -------- d-----w- c:\program files\WebEx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 06:03 . 2004-08-04 05:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-09-21 03:08 . 2012-04-10 02:04 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 03:08 . 2011-11-30 05:23 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 21:04 . 2009-10-14 22:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 17:01 . 2010-11-20 21:30 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 17:01 . 2009-08-13 03:27 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-23 07:40 . 2011-07-23 07:40 1952768 ----a-w- c:\program files\tinyumbrella-5.00.06(2).exe
2012-05-29 10:48 . 2012-09-25 06:51 303760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-09-25 06:52 . 2012-09-25 06:51 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\Ryan Deutsch\Desktop\uTorrent.exe" [2012-03-16 742264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\documents and settings\Ryan Deutsch\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO 5.0 HD Edition.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 5.0 HD Edition.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan Deutsch^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Ryan Deutsch\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 01:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-06 01:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-06-28 12:46 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-06-29 17:18 77824 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 09:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 03:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-07 21:04 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-28 19:28 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2010-07-06 19:32 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 23:02 49152 ----a-w- c:\program files\Brother\Brmfl06b\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 19:46 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-03-16 00:21 742264 ----a-w- c:\documents and settings\Ryan Deutsch\Desktop\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"AresChatServer"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"SeagateDashboardService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"MBAMService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"DSBrokerService"=3 (0x3)
"bgsvcgen"=2 (0x2)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/30/2011 12:38 AM 64512]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [9/19/2012 8:24 PM 99896]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/20/2012 9:09 AM 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2009 6:56 PM 22856]
S0 77938054;77938054;c:\windows\system32\drivers\06314150.sys --> c:\windows\system32\drivers\06314150.sys [?]
S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:15 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2009 6:56 PM 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 10:04 PM 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:15 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/17/2011 3:00 AM 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/3/2012 12:50 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/25/2012 1:15 AM 114144]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [7/6/2010 3:32 PM 14088]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 03:08]
.
2012-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Ryan Deutsch\Application Data\Mozilla\Firefox\Profiles\4rm96qvr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Sonic - c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\Sonic\pvnlhils.dll
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-24370992.sys
SafeBoot-Lavasoft Ad-Aware Service
MSConfigStartUp-DellSupport - c:\program files\DellSupport\DSAgnt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-03 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sonic = rundll32.exe "c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\Sonic\pvnlhils.dll",ir_fe_ocr_exit?8???j???????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541040G9AT00 rev.MB2OA61A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F062E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-10-03 13:40:49
ComboFix-quarantined-files.txt 2012-10-03 17:40
ComboFix2.txt 2011-12-02 05:14
.
Pre-Run: 5,320,613,888 bytes free
Post-Run: 5,488,226,304 bytes free
.
- - End Of File - - 9B9C75A0E000B05E0EA1919B2D1A7F6D

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 October 2012 - 07:04 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Speedr73

  • Topic Starter
  • Members
  • 8 posts

Posted 04 October 2012 - 01:31 AM

Looks like they both ran without problems.

Logs are below.

01:56:48.0135 3212 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
01:56:48.0395 3212 ============================================================
01:56:48.0395 3212 Current date / time: 2012/10/04 01:56:48.0395
01:56:48.0395 3212 SystemInfo:
01:56:48.0395 3212
01:56:48.0395 3212 OS Version: 5.1.2600 ServicePack: 3.0
01:56:48.0395 3212 Product type: Workstation
01:56:48.0395 3212 ComputerName: DRGREENTHUMB
01:56:48.0395 3212 UserName: Ryan Deutsch
01:56:48.0395 3212 Windows directory: C:\WINDOWS
01:56:48.0395 3212 System windows directory: C:\WINDOWS
01:56:48.0395 3212 Processor architecture: Intel x86
01:56:48.0395 3212 Number of processors: 1
01:56:48.0395 3212 Page size: 0x1000
01:56:48.0395 3212 Boot type: Normal boot
01:56:48.0395 3212 ============================================================
01:56:50.0498 3212 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
01:56:50.0498 3212 ============================================================
01:56:50.0498 3212 \Device\Harddisk0\DR0:
01:56:50.0498 3212 MBR partitions:
01:56:50.0498 3212 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x4421A9F
01:56:50.0498 3212 ============================================================
01:56:50.0578 3212 C: <-> \Device\Harddisk0\DR0\Partition1
01:56:50.0578 3212 ============================================================
01:56:50.0578 3212 Initialize success
01:56:50.0578 3212 ============================================================
01:56:52.0531 3612 ============================================================
01:56:52.0531 3612 Scan started
01:56:52.0531 3612 Mode: Manual;
01:56:52.0531 3612 ============================================================
01:56:53.0903 3612 ================ Scan system memory ========================
01:56:53.0903 3612 System memory - ok
01:56:53.0903 3612 ================ Scan services =============================
01:57:06.0822 3612 HPZius12 - ok
01:57:06.0962 3612 [ C2A7D9109B7F10A455D13B2432837B16 ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
01:57:07.0022 3612 HSFHWICH - ok
01:57:07.0502 3612 [ 9A0D0C461EF2B3D80CB7875B4B995E47 ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
01:57:07.0853 3612 HSF_DP - ok
01:57:07.0993 3612 [ F6AACF5BCE2893E0C1754AFEB672E5C9 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
01:57:08.0083 3612 HTTP - ok
01:57:08.0153 3612 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
01:57:08.0163 3612 HTTPFilter - ok
01:57:08.0203 3612 [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt C:\WINDOWS\system32\drivers\i2omgmt.sys
01:57:08.0214 3612 i2omgmt - ok
01:57:08.0274 3612 [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp C:\WINDOWS\system32\DRIVERS\i2omp.sys
01:57:08.0274 3612 i2omp - ok
01:57:08.0344 3612 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:57:08.0364 3612 i8042prt - ok
01:57:08.0794 3612 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
01:57:09.0095 3612 idsvc - ok
01:57:09.0115 3612 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
01:57:09.0145 3612 Imapi - ok
01:57:09.0265 3612 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
01:57:09.0315 3612 ImapiService - ok
01:57:09.0365 3612 [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u C:\WINDOWS\system32\DRIVERS\ini910u.sys
01:57:09.0395 3612 ini910u - ok
01:57:09.0435 3612 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
01:57:09.0435 3612 IntelIde - ok
01:57:09.0475 3612 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:57:09.0485 3612 intelppm - ok
01:57:09.0545 3612 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
01:57:09.0595 3612 Ip6Fw - ok
01:57:09.0906 3612 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:57:09.0916 3612 IpFilterDriver - ok
01:57:09.0946 3612 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:57:09.0956 3612 IpInIp - ok
01:57:10.0066 3612 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:57:10.0116 3612 IpNat - ok
01:57:10.0477 3612 [ BC0EA61246F8D940FBC5F652D337D6BD ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
01:57:10.0747 3612 iPod Service - ok
01:57:10.0787 3612 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:57:10.0787 3612 IPSec - ok
01:57:10.0827 3612 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
01:57:10.0827 3612 IRENUM - ok
01:57:10.0877 3612 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:57:10.0887 3612 isapnp - ok
01:57:11.0098 3612 [ 381B25DC8E958D905B33130D500BBF29 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
01:57:11.0168 3612 JavaQuickStarterService - ok
01:57:11.0218 3612 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:57:11.0228 3612 Kbdclass - ok
01:57:11.0328 3612 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
01:57:11.0328 3612 kmixer - ok
01:57:11.0388 3612 [ 1705745D900DABF2D89F90EBADDC7517 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
01:57:11.0438 3612 KSecDD - ok
01:57:11.0508 3612 [ F385F4B02C535BFFE1D70CAB80838123 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
01:57:11.0548 3612 lanmanserver - ok
01:57:11.0628 3612 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
01:57:11.0678 3612 lanmanworkstation - ok
01:57:11.0729 3612 [ 336ABE8721CBC3110F1C6426DA633417 ] Lbd C:\WINDOWS\system32\DRIVERS\Lbd.sys
01:57:11.0749 3612 Lbd - ok
01:57:11.0759 3612 lbrtfdc - ok
01:57:11.0789 3612 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
01:57:11.0799 3612 LmHosts - ok
01:57:11.0839 3612 [ 65E794E86468B61F2BC79ABC48BC4433 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
01:57:11.0839 3612 MBAMProtector - ok
01:57:12.0029 3612 [ 0DCF16B1449811EFA47AB52CAC84093C ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
01:57:12.0179 3612 MBAMScheduler - ok
01:57:12.0480 3612 [ 9EAABA4D601004BEA4DAA6E146E19A96 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
01:57:12.0710 3612 MBAMService - ok
01:57:12.0780 3612 [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy C:\WINDOWS\system32\drivers\mbamswissarmy.sys
01:57:12.0800 3612 MBAMSwissArmy - ok
01:57:12.0850 3612 [ EEAEA6514BA7C9D273B5E87C4E1AAB30 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
01:57:12.0860 3612 mdmxsdk - ok
01:57:12.0890 3612 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
01:57:12.0900 3612 Messenger - ok
01:57:12.0990 3612 [ BAFDD5E28BAEA99D7F4772AF2F5EC7EE ] mfeavfk C:\WINDOWS\system32\drivers\mfeavfk.sys
01:57:13.0010 3612 mfeavfk - ok
01:57:13.0050 3612 [ 1D003E3056A43D881597D6763E83B943 ] mfebopk C:\WINDOWS\system32\drivers\mfebopk.sys
01:57:13.0060 3612 mfebopk - ok
01:57:13.0131 3612 [ 41FE2F288E05A6C8AB85DD56770FFBAD ] mferkdk C:\WINDOWS\system32\drivers\mferkdk.sys
01:57:13.0171 3612 mferkdk - ok
01:57:13.0291 3612 [ 096B52EA918AA909BA5903D79E129005 ] mfesmfk C:\WINDOWS\system32\drivers\mfesmfk.sys
01:57:13.0311 3612 mfesmfk - ok
01:57:13.0341 3612 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
01:57:13.0341 3612 mnmdd - ok
01:57:13.0411 3612 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
01:57:13.0421 3612 mnmsrvc - ok
01:57:13.0481 3612 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
01:57:13.0511 3612 Modem - ok
01:57:13.0561 3612 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:57:13.0571 3612 Mouclass - ok
01:57:13.0611 3612 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:57:13.0621 3612 mouhid - ok
01:57:13.0661 3612 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
01:57:13.0671 3612 MountMgr - ok
01:57:13.0802 3612 [ CB8AF049AC9BE419A77ADAE288673359 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
01:57:13.0842 3612 MozillaMaintenance - ok
01:57:13.0882 3612 [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x C:\WINDOWS\system32\DRIVERS\mraid35x.sys
01:57:13.0882 3612 mraid35x - ok
01:57:13.0982 3612 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:57:14.0042 3612 MRxDAV - ok
01:57:14.0252 3612 [ 60AE98742484E7AB80C3C1450E708148 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:57:14.0402 3612 MRxSmb - ok
01:57:14.0442 3612 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
01:57:14.0442 3612 MSDTC - ok
01:57:14.0473 3612 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
01:57:14.0473 3612 Msfs - ok
01:57:14.0493 3612 MSIServer - ok
01:57:14.0533 3612 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:57:14.0533 3612 MSKSSRV - ok
01:57:14.0553 3612 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:57:14.0553 3612 MSPCLOCK - ok
01:57:14.0593 3612 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
01:57:14.0603 3612 MSPQM - ok
01:57:14.0613 3612 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:57:14.0623 3612 mssmbios - ok
01:57:14.0673 3612 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
01:57:14.0673 3612 MSTEE - ok
01:57:14.0743 3612 [ 2F625D11385B1A94360BFC70AAEFDEE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
01:57:14.0783 3612 Mup - ok
01:57:14.0843 3612 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:57:14.0873 3612 NABTSFEC - ok
01:57:15.0023 3612 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
01:57:15.0123 3612 napagent - ok
01:57:15.0224 3612 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
01:57:15.0284 3612 NDIS - ok
01:57:15.0314 3612 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:57:15.0324 3612 NdisIP - ok
01:57:15.0364 3612 [ 1AB3D00C991AB086E69DB84B6C0ED78F ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:57:15.0374 3612 NdisTapi - ok
01:57:15.0394 3612 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:57:15.0404 3612 Ndisuio - ok
01:57:15.0444 3612 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:57:15.0484 3612 NdisWan - ok
01:57:15.0514 3612 [ 6215023940CFD3702B46ABC304E1D45A ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
01:57:15.0554 3612 NDProxy - ok
01:57:15.0604 3612 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
01:57:15.0614 3612 NetBIOS - ok
01:57:15.0674 3612 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
01:57:15.0734 3612 NetBT - ok
01:57:15.0814 3612 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
01:57:15.0854 3612 NetDDE - ok
01:57:15.0895 3612 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
01:57:15.0905 3612 NetDDEdsdm - ok
01:57:15.0965 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
01:57:15.0975 3612 Netlogon - ok
01:57:16.0065 3612 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
01:57:16.0125 3612 Netman - ok
01:57:16.0265 3612 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
01:57:16.0315 3612 NetTcpPortSharing - ok
01:57:16.0405 3612 NICCONFIGSVC - ok
01:57:16.0535 3612 [ 832E4DD8964AB7ACC880B2837CB1ED20 ] Nla C:\WINDOWS\System32\mswsock.dll
01:57:16.0616 3612 Nla - ok
01:57:16.0656 3612 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
01:57:16.0666 3612 Npfs - ok
01:57:16.0886 3612 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
01:57:17.0086 3612 Ntfs - ok
01:57:17.0096 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
01:57:17.0106 3612 NtLmSsp - ok
01:57:17.0297 3612 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
01:57:17.0437 3612 NtmsSvc - ok
01:57:17.0457 3612 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
01:57:17.0457 3612 Null - ok
01:57:18.0168 3612 [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
01:57:18.0799 3612 nv - ok
01:57:18.0829 3612 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:57:18.0829 3612 NwlnkFlt - ok
01:57:18.0859 3612 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:57:18.0869 3612 NwlnkFwd - ok
01:57:18.0949 3612 [ F06D9977A75213888804EAA9CEB8598B ] O2SCBUS C:\WINDOWS\system32\DRIVERS\ozscr.sys
01:57:18.0989 3612 O2SCBUS - ok
01:57:19.0049 3612 [ B17228142CEC9B3C222239FD935A37CA ] omci C:\WINDOWS\system32\DRIVERS\omci.sys
01:57:19.0059 3612 omci - ok
01:57:19.0129 3612 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
01:57:19.0169 3612 Parport - ok
01:57:19.0229 3612 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
01:57:19.0229 3612 PartMgr - ok
01:57:19.0269 3612 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
01:57:19.0269 3612 ParVdm - ok
01:57:19.0340 3612 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
01:57:19.0360 3612 PCI - ok
01:57:19.0370 3612 PCIDump - ok
01:57:19.0440 3612 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
01:57:19.0440 3612 PCIIde - ok
01:57:19.0510 3612 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
01:57:19.0540 3612 Pcmcia - ok
01:57:19.0550 3612 PDCOMP - ok
01:57:19.0570 3612 PDFRAME - ok
01:57:19.0580 3612 PDRELI - ok
01:57:19.0590 3612 PDRFRAME - ok
01:57:19.0630 3612 [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2 C:\WINDOWS\system32\DRIVERS\perc2.sys
01:57:19.0690 3612 perc2 - ok
01:57:19.0730 3612 [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib C:\WINDOWS\system32\DRIVERS\perc2hib.sys
01:57:19.0770 3612 perc2hib - ok
01:57:20.0010 3612 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
01:57:20.0020 3612 PlugPlay - ok
01:57:20.0081 3612 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
01:57:20.0111 3612 Pml Driver HPZ12 - ok
01:57:20.0121 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
01:57:20.0121 3612 PolicyAgent - ok
01:57:20.0181 3612 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:57:20.0201 3612 PptpMiniport - ok
01:57:20.0211 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
01:57:20.0221 3612 ProtectedStorage - ok
01:57:20.0271 3612 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
01:57:20.0301 3612 PSched - ok
01:57:20.0321 3612 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:57:20.0331 3612 Ptilink - ok
01:57:20.0411 3612 [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:57:20.0421 3612 PxHelp20 - ok
01:57:20.0481 3612 [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080 C:\WINDOWS\system32\DRIVERS\ql1080.sys
01:57:20.0491 3612 ql1080 - ok
01:57:20.0541 3612 [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
01:57:20.0551 3612 Ql10wnt - ok
01:57:20.0581 3612 [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160 C:\WINDOWS\system32\DRIVERS\ql12160.sys
01:57:20.0601 3612 ql12160 - ok
01:57:20.0621 3612 [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240 C:\WINDOWS\system32\DRIVERS\ql1240.sys
01:57:20.0641 3612 ql1240 - ok
01:57:20.0681 3612 [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280 C:\WINDOWS\system32\DRIVERS\ql1280.sys
01:57:20.0701 3612 ql1280 - ok
01:57:20.0711 3612 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:57:20.0721 3612 RasAcd - ok
01:57:20.0812 3612 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
01:57:20.0842 3612 RasAuto - ok
01:57:20.0892 3612 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:57:20.0912 3612 Rasl2tp - ok
01:57:21.0022 3612 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
01:57:21.0082 3612 RasMan - ok
01:57:21.0112 3612 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:57:21.0122 3612 RasPppoe - ok
01:57:21.0152 3612 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
01:57:21.0162 3612 Raspti - ok
01:57:21.0292 3612 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:57:21.0342 3612 Rdbss - ok
01:57:21.0372 3612 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:57:21.0372 3612 RDPCDD - ok
01:57:21.0483 3612 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:57:21.0553 3612 rdpdr - ok
01:57:21.0623 3612 [ 6728E45B66F93C08F11DE2E316FC70DD ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
01:57:21.0673 3612 RDPWD - ok
01:57:21.0753 3612 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
01:57:21.0803 3612 RDSessMgr - ok
01:57:21.0873 3612 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
01:57:21.0893 3612 redbook - ok
01:57:21.0903 3612 REGSpy - ok
01:57:21.0963 3612 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
01:57:21.0983 3612 RemoteAccess - ok
01:57:22.0033 3612 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
01:57:22.0053 3612 RpcLocator - ok
01:57:22.0314 3612 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
01:57:22.0324 3612 RpcSs - ok
01:57:22.0464 3612 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
01:57:22.0514 3612 RSVP - ok
01:57:22.0534 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
01:57:22.0534 3612 SamSs - ok
01:57:22.0604 3612 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
01:57:22.0644 3612 SCardSvr - ok
01:57:22.0804 3612 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
01:57:22.0875 3612 Schedule - ok
01:57:22.0985 3612 [ 7D8F2E031561DAA91826C7370C2478B8 ] SeagateDashboardService C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
01:57:22.0995 3612 SeagateDashboardService - ok
01:57:23.0045 3612 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:57:23.0055 3612 Secdrv - ok
01:57:23.0095 3612 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
01:57:23.0105 3612 seclogon - ok
01:57:23.0135 3612 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
01:57:23.0155 3612 SENS - ok
01:57:23.0215 3612 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
01:57:23.0225 3612 serenum - ok
01:57:23.0315 3612 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
01:57:23.0335 3612 Serial - ok
01:57:23.0365 3612 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
01:57:23.0365 3612 Sfloppy - ok
01:57:23.0536 3612 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
01:57:23.0626 3612 SharedAccess - ok
01:57:23.0686 3612 [ 1926899BF9FFE2602B63074971700412 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
01:57:23.0696 3612 ShellHWDetection - ok
01:57:23.0706 3612 Simbad - ok
01:57:23.0756 3612 [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp C:\WINDOWS\system32\DRIVERS\sisagp.sys
01:57:23.0766 3612 sisagp - ok
01:57:23.0826 3612 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:57:23.0826 3612 SLIP - ok
01:57:23.0886 3612 [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow C:\WINDOWS\system32\DRIVERS\sparrow.sys
01:57:23.0886 3612 Sparrow - ok
01:57:23.0926 3612 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
01:57:23.0926 3612 splitter - ok
01:57:24.0016 3612 [ D8E14A61ACC1D4A6CD0D38AEBAC7FA3B ] Spooler C:\WINDOWS\system32\spoolsv.exe
01:57:24.0026 3612 Spooler - ok
01:57:24.0106 3612 sprtsvc_dellsupportcenter - ok
01:57:24.0146 3612 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
01:57:24.0166 3612 sr - ok
01:57:24.0297 3612 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
01:57:24.0347 3612 srservice - ok
01:57:24.0527 3612 [ 3BB03F2BA89D2BE417206C373D2AF17C ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
01:57:24.0637 3612 Srv - ok
01:57:24.0687 3612 [ 98625722AD52B40305E74AAA83C93086 ] sscdbhk5 C:\WINDOWS\system32\drivers\sscdbhk5.sys
01:57:24.0687 3612 sscdbhk5 - ok
01:57:24.0737 3612 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
01:57:24.0787 3612 SSDPSRV - ok
01:57:24.0827 3612 [ D79412E3942C8A257253487536D5A994 ] ssrtln C:\WINDOWS\system32\drivers\ssrtln.sys
01:57:24.0827 3612 ssrtln - ok
01:57:24.0988 3612 [ 5813D453EF8CE49D607C255CF128ACEB ] STAC97 C:\WINDOWS\system32\drivers\stac97.sys
01:57:25.0068 3612 STAC97 - ok
01:57:25.0248 3612 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
01:57:25.0358 3612 stisvc - ok
01:57:25.0378 3612 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:57:25.0388 3612 streamip - ok
01:57:25.0448 3612 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
01:57:25.0448 3612 swenum - ok
01:57:25.0488 3612 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
01:57:25.0508 3612 swmidi - ok
01:57:25.0518 3612 SwPrv - ok
01:57:25.0558 3612 [ 1FF3217614018630D0A6758630FC698C ] symc810 C:\WINDOWS\system32\DRIVERS\symc810.sys
01:57:25.0568 3612 symc810 - ok
01:57:25.0588 3612 [ 070E001D95CF725186EF8B20335F933C ] symc8xx C:\WINDOWS\system32\DRIVERS\symc8xx.sys
01:57:25.0599 3612 symc8xx - ok
01:57:25.0629 3612 [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi C:\WINDOWS\system32\DRIVERS\sym_hi.sys
01:57:25.0639 3612 sym_hi - ok
01:57:25.0659 3612 [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3 C:\WINDOWS\system32\DRIVERS\sym_u3.sys
01:57:25.0669 3612 sym_u3 - ok
01:57:25.0719 3612 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
01:57:25.0739 3612 sysaudio - ok
01:57:25.0789 3612 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
01:57:25.0819 3612 SysmonLog - ok
01:57:25.0929 3612 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
01:57:26.0009 3612 TapiSrv - ok
01:57:26.0149 3612 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:57:26.0279 3612 Tcpip - ok
01:57:26.0310 3612 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
01:57:26.0310 3612 TDPIPE - ok
01:57:26.0340 3612 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
01:57:26.0350 3612 TDTCP - ok
01:57:26.0400 3612 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
01:57:26.0410 3612 TermDD - ok
01:57:26.0560 3612 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
01:57:26.0660 3612 TermService - ok
01:57:26.0780 3612 [ D0177776E11B0B3F272EEBD262A69661 ] tfsnboio C:\WINDOWS\system32\dla\tfsnboio.sys
01:57:26.0790 3612 tfsnboio - ok
01:57:26.0860 3612 [ 599804BC938B8305A5422319774DA871 ] tfsncofs C:\WINDOWS\system32\dla\tfsncofs.sys
01:57:26.0870 3612 tfsncofs - ok
01:57:26.0890 3612 [ A1902C00ADC11C4D83F8E3ED947A6A32 ] tfsndrct C:\WINDOWS\system32\dla\tfsndrct.sys
01:57:26.0890 3612 tfsndrct - ok
01:57:26.0910 3612 [ D8DDB3F2B1BEF15CFF6728D89C042C61 ] tfsndres C:\WINDOWS\system32\dla\tfsndres.sys
01:57:26.0910 3612 tfsndres - ok
01:57:26.0960 3612 [ C4F2DEA75300971CDAEE311007DE138D ] tfsnifs C:\WINDOWS\system32\dla\tfsnifs.sys
01:57:26.0991 3612 tfsnifs - ok
01:57:27.0011 3612 [ 272925BE0EA919F08286D2EE6F102B0F ] tfsnopio C:\WINDOWS\system32\dla\tfsnopio.sys
01:57:27.0021 3612 tfsnopio - ok
01:57:27.0041 3612 [ 7B7D955E5CEBC2FB88B03EF875D52A2F ] tfsnpool C:\WINDOWS\system32\dla\tfsnpool.sys
01:57:27.0041 3612 tfsnpool - ok
01:57:27.0091 3612 [ E3D01263109D800C1967C12C10A0B018 ] tfsnudf C:\WINDOWS\system32\dla\tfsnudf.sys
01:57:27.0131 3612 tfsnudf - ok
01:57:27.0181 3612 [ B9E9C377906E3A65BC74598FFF7F7458 ] tfsnudfa C:\WINDOWS\system32\dla\tfsnudfa.sys
01:57:27.0221 3612 tfsnudfa - ok
01:57:27.0291 3612 [ 1926899BF9FFE2602B63074971700412 ] Themes C:\WINDOWS\System32\shsvcs.dll
01:57:27.0291 3612 Themes - ok
01:57:27.0331 3612 [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde C:\WINDOWS\system32\DRIVERS\toside.sys
01:57:27.0331 3612 TosIde - ok
01:57:27.0401 3612 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
01:57:27.0431 3612 TrkWks - ok
01:57:27.0471 3612 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
01:57:27.0491 3612 Udfs - ok
01:57:27.0521 3612 [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra C:\WINDOWS\system32\DRIVERS\ultra.sys
01:57:27.0531 3612 ultra - ok
01:57:27.0712 3612 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
01:57:27.0842 3612 Update - ok
01:57:27.0922 3612 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
01:57:27.0982 3612 upnphost - ok
01:57:28.0012 3612 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
01:57:28.0022 3612 UPS - ok
01:57:28.0082 3612 [ 73B41F4EAD65F355962168D766AF0F2E ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
01:57:28.0102 3612 USBAAPL - ok
01:57:28.0182 3612 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
01:57:28.0202 3612 usbaudio - ok
01:57:28.0282 3612 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:57:28.0292 3612 usbccgp - ok
01:57:28.0332 3612 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:57:28.0342 3612 usbehci - ok
01:57:28.0383 3612 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:57:28.0403 3612 usbhub - ok
01:57:28.0453 3612 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
01:57:28.0463 3612 usbprint - ok
01:57:28.0503 3612 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:57:28.0503 3612 usbscan - ok
01:57:28.0533 3612 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:57:28.0543 3612 USBSTOR - ok
01:57:28.0573 3612 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
01:57:28.0573 3612 usbuhci - ok
01:57:28.0643 3612 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
01:57:28.0683 3612 usbvideo - ok
01:57:28.0713 3612 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
01:57:28.0713 3612 VgaSave - ok
01:57:28.0773 3612 [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp C:\WINDOWS\system32\DRIVERS\viaagp.sys
01:57:28.0783 3612 viaagp - ok
01:57:28.0803 3612 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
01:57:28.0813 3612 ViaIde - ok
01:57:28.0863 3612 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
01:57:28.0873 3612 VolSnap - ok
01:57:29.0013 3612 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
01:57:29.0124 3612 VSS - ok
01:57:29.0204 3612 [ 54AF4B1D5459500EF0937F6D33B1914F ] w32time C:\WINDOWS\system32\w32time.dll
01:57:29.0264 3612 w32time - ok
01:57:29.0284 3612 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:57:29.0304 3612 Wanarp - ok
01:57:29.0314 3612 wanatw - ok
01:57:29.0384 3612 [ 4A954A20A4C73D6DB13C0FE25F3F1B0C ] wceusbsh C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
01:57:29.0424 3612 wceusbsh - ok
01:57:29.0434 3612 WDICA - ok
01:57:29.0474 3612 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
01:57:29.0504 3612 wdmaud - ok
01:57:29.0574 3612 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
01:57:29.0604 3612 WebClient - ok
01:57:30.0045 3612 [ CE545A84BF3411E7516FA8DA51AD9D93 ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
01:57:30.0275 3612 winachsf - ok
01:57:30.0425 3612 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
01:57:30.0476 3612 winmgmt - ok
01:57:30.0496 3612 wltrysvc - ok
01:57:30.0546 3612 [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
01:57:30.0556 3612 WmdmPmSN - ok
01:57:30.0626 3612 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
01:57:30.0676 3612 WmiApSrv - ok
01:57:31.0116 3612 [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
01:57:31.0427 3612 WMPNetworkSvc - ok
01:57:31.0487 3612 [ C60DC16D4E406810FAD54B98DC92D5EC ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
01:57:31.0497 3612 WpdUsb - ok
01:57:31.0547 3612 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
01:57:31.0557 3612 WS2IFSL - ok
01:57:31.0637 3612 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
01:57:31.0637 3612 wscsvc - ok
01:57:31.0687 3612 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:57:31.0697 3612 WSTCODEC - ok
01:57:31.0727 3612 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
01:57:31.0737 3612 wuauserv - ok
01:57:31.0797 3612 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
01:57:31.0817 3612 WudfPf - ok
01:57:31.0888 3612 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
01:57:31.0908 3612 WudfRd - ok
01:57:31.0968 3612 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
01:57:31.0988 3612 WudfSvc - ok
01:57:32.0208 3612 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
01:57:32.0398 3612 WZCSVC - ok
01:57:32.0478 3612 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
01:57:32.0518 3612 xmlprov - ok
01:57:32.0538 3612 ================ Scan global ===============================
01:57:32.0609 3612 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
01:57:32.0719 3612 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
01:57:32.0929 3612 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
01:57:32.0979 3612 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
01:57:32.0979 3612 [Global] - ok
01:57:32.0979 3612 ================ Scan MBR ==================================
01:57:32.0999 3612 [ 91722E6BC3A2B40FF00222DCA4A3DB3E ] \Device\Harddisk0\DR0
01:57:32.0999 3612 Suspicious mbr (Forged): \Device\Harddisk0\DR0
01:57:33.0029 3612 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
01:57:33.0029 3612 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
01:57:33.0029 3612 ================ Scan VBR ==================================
01:57:33.0059 3612 [ B2149695601B6E572912E0CABEF82F6D ] \Device\Harddisk0\DR0\Partition1
01:57:33.0069 3612 \Device\Harddisk0\DR0\Partition1 - ok
01:57:33.0069 3612 ============================================================
01:57:33.0069 3612 Scan finished
01:57:33.0069 3612 ============================================================
01:57:33.0089 3288 Detected object count: 1
01:57:33.0089 3288 Actual detected object count: 1
01:57:50.0114 3288 \Device\Harddisk0\DR0\# - copied to quarantine
01:57:50.0114 3288 \Device\Harddisk0\DR0 - copied to quarantine
01:57:50.0204 3288 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
01:57:50.0204 3288 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
01:57:50.0254 3288 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
01:57:50.0294 3288 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
01:57:50.0294 3288 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
01:57:50.0294 3288 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
01:57:50.0364 3288 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
01:57:50.0364 3288 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
01:57:50.0364 3288 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
01:57:50.0364 3288 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
01:57:50.0374 3288 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
01:57:50.0404 3288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
01:57:50.0434 3288 \Device\Harddisk0\DR0 - ok
01:57:50.0444 3288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
01:57:56.0613 3640 Deinitialize success

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 02:09:45
-----------------------------
02:09:45.778 OS Version: Windows 5.1.2600 Service Pack 3
02:09:45.778 Number of processors: 1 586 0xD08
02:09:45.778 ComputerName: DRGREENTHUMB UserName: Ryan Deutsch
02:09:47.681 Initialize success
02:13:20.627 AVAST engine defs: 12100302
02:13:29.850 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:13:29.850 Disk 0 Vendor: Hitachi_HTS541040G9AT00 MB2OA61A Size: 38154MB BusType: 3
02:13:29.870 Disk 0 MBR read successfully
02:13:29.870 Disk 0 MBR scan
02:13:29.960 Disk 0 unknown MBR code
02:13:29.960 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
02:13:29.980 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 34883 MB offset 96390
02:13:30.000 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3216 MB offset 71537445
02:13:30.020 Disk 0 scanning sectors +78124095
02:13:30.181 Disk 0 scanning C:\WINDOWS\system32\drivers
02:14:01.235 Service scanning
02:14:44.477 Modules scanning
02:15:04.236 Disk 0 trace - called modules:
02:15:04.586 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
02:15:04.586 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87386ab8]
02:15:04.586 3 CLASSPNP.SYS[f75effd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8738a198]
02:15:06.229 AVAST engine scan C:\WINDOWS
02:15:22.182 AVAST engine scan C:\WINDOWS\system32
02:24:06.986 AVAST engine scan C:\WINDOWS\system32\drivers
02:24:42.417 AVAST engine scan C:\Documents and Settings\Ryan Deutsch
02:27:20.505 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\MBR.dat"
02:27:20.535 The log file has been saved successfully to "C:\Documents and Settings\Ryan Deutsch\Desktop\aswMBR.txt"
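Reading a TDSSKiller log like the one above by eye is slow, and the important lines (the forged MBR, the `TDLFS` files copied to quarantine, the cure that only happens on reboot) are buried among hundreds of routine `- ok` verdicts. The following is an added example, not a tool from this thread or from Kaspersky, that splits such a log into clean verdicts, MBR notices, infections, quarantine actions and pending cures; the sample lines are taken (abridged) from the log posted above, and the regular expressions are assumptions fitted to that line format.

```python
"""Triage a TDSSKiller text log: split routine 'ok' verdicts from MBR findings,
quarantine actions and cures that are still pending a reboot."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample lines taken (abridged) from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
01:57:31.0547 3612 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
01:57:31.0557 3612 WS2IFSL - ok
01:57:32.0538 3612 ================ Scan global ===============================
01:57:32.0609 3612 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
01:57:32.0979 3612 [Global] - ok
01:57:32.0979 3612 ================ Scan MBR ==================================
01:57:32.0999 3612 [ 91722E6BC3A2B40FF00222DCA4A3DB3E ] \Device\Harddisk0\DR0
01:57:32.0999 3612 Suspicious mbr (Forged): \Device\Harddisk0\DR0
01:57:33.0029 3612 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
01:57:33.0069 3612 \Device\Harddisk0\DR0\Partition1 - ok
01:57:50.0204 3288 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
01:57:50.0294 3288 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
01:57:50.0404 3288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
01:57:50.0444 3288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
"""

# Every TDSSKiller line starts with a timestamp and a thread id; the rest is the message.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
# "[ <MD5> ] <object>" inventory lines (drivers, services, global DLLs, raw disk device).
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-F]{32}) \] (?P<rest>.+)$")
# Bootkit heuristic notice emitted just before the MBR verdict itself.
SUSPICIOUS_RE = re.compile(r"^Suspicious mbr \((?P<kind>\w+)\): (?P<obj>\S+)$")
# "<object> [( <threat> )] - <status>" verdict and action lines.
VERDICT_RE = re.compile(
    r"^(?P<obj>.+?)(?: \( (?P<threat>[^)]+) \))? - "
    r"(?P<status>ok|infected|copied to quarantine|will be cured on reboot"
    r"|detected .+|User select action: .+)$"
)


@dataclass
class Finding:
    time: str
    obj: str
    status: str
    threat: str | None = None


@dataclass
class Triage:
    ok: int = 0
    hashes: dict[str, str] = field(default_factory=dict)  # object -> MD5 reported
    suspicious: list[Finding] = field(default_factory=list)
    infected: list[Finding] = field(default_factory=list)
    quarantined: list[str] = field(default_factory=list)
    pending_reboot: list[Finding] = field(default_factory=list)

    @property
    def needs_rescan(self) -> bool:
        # A cure applied "on reboot" has not happened yet when the log is written:
        # the machine must be rescanned after the restart (in this thread aswMBR
        # serves as the second opinion) before the MBR can be called clean.
        return bool(self.pending_reboot)


def triage(log_text: str) -> Triage:
    """Parse a TDSSKiller log body into a Triage summary."""
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and banner text carry no verdict
        time, msg = m["time"], m["msg"]
        if h := HASH_RE.match(msg):
            t.hashes[h["rest"]] = h["md5"]
        elif s := SUSPICIOUS_RE.match(msg):
            t.suspicious.append(Finding(time, s["obj"], f"suspicious mbr ({s['kind'].lower()})"))
        elif v := VERDICT_RE.match(msg):
            f = Finding(time, v["obj"], v["status"], v["threat"])
            if f.status == "ok":
                t.ok += 1
            elif f.status == "infected" or f.status.startswith("detected"):
                t.infected.append(f)
            elif f.status == "copied to quarantine":
                t.quarantined.append(f.obj)
            elif f.status == "will be cured on reboot":
                t.pending_reboot.append(f)
    return t


def report(t: Triage) -> list[str]:
    """Human-readable triage lines, worst news first."""
    lines = [f"{len(t.infected)} infected object(s), {t.ok} clean verdict(s), "
             f"{len(t.hashes)} hashed object(s)"]
    for f in t.infected:
        lines.append(f"INFECTED {f.obj}: {f.threat} (md5 {t.hashes.get(f.obj, 'n/a')})")
    for f in t.suspicious:
        lines.append(f"NOTICE   {f.obj}: {f.status}")
    lines.extend(f"QUARANTINED {obj}" for obj in t.quarantined)
    if t.needs_rescan:
        lines.append("ACTION   cure pending reboot: rescan after restart before declaring clean")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

The MD5 recorded for `\Device\Harddisk0\DR0` is the hash of the MBR sector as TDSSKiller saw it, so it can be compared against the `MBR.dat` that aswMBR saves later in the thread to confirm the sector actually changed after the cure.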

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2012 - 02:39 AM

Greetings

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Speedr73

Speedr73
  • Topic Starter

  • Members
  • 8 posts

Posted 04 October 2012 - 02:03 PM

Looks like the Rootkit.ZeroAccess! is still there. Or at least it was this time when ComboFix ran. Also, the Lavasoft Ad-watch is still showing as running when ComboFix starts.


The new log is below...




ComboFix 12-10-04.02 - Ryan Deutsch 10/04/2012 14:35:22.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.705 [GMT -4:00]
Running from: c:\documents and settings\Ryan Deutsch\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Deutsch\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
.
.
2012-10-03 16:50 . 2012-10-03 16:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-10-02 16:37 . 2012-10-02 16:45 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-10-02 06:39 . 2012-10-02 06:39 -------- d-----w- c:\program files\iPod
2012-10-02 06:38 . 2012-10-02 06:40 -------- d-----w- c:\program files\iTunes
2012-10-02 06:38 . 2012-10-02 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-02 06:33 . 2012-07-09 17:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-10-02 06:33 . 2012-07-09 17:42 44032 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-09-25 05:15 . 2012-09-26 03:20 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-09-21 06:02 . 2012-09-21 06:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-21 05:46 . 2012-09-21 05:46 -------- d-----w- C:\_OTM
2012-09-20 00:24 . 2011-05-11 11:24 99896 ----a-w- c:\windows\system32\HPSIsvc.exe
2012-09-20 00:24 . 2011-04-02 20:03 1511424 ----a-w- c:\windows\system32\HP1100SM.EXE
2012-09-20 00:24 . 2011-04-02 20:03 151552 ----a-w- c:\windows\system32\HP1100LM.DLL
2012-09-20 00:24 . 2011-04-02 20:03 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1100PP.dll
2012-09-20 00:23 . 2011-04-02 22:11 284160 ----a-w- c:\windows\system32\mvhlewsi.DLL
2012-09-20 00:23 . 2009-07-08 16:38 316416 ----a-r- c:\windows\system32\Difxapi.dll
2012-09-20 00:23 . 2011-04-04 14:25 47104 ----a-w- c:\windows\system32\HP1100SMs.dll
2012-09-19 00:42 . 2012-09-19 00:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sonic
2012-09-18 18:46 . 2012-10-02 18:46 -------- d-----w- c:\documents and settings\Ryan Deutsch\Application Data\webex
2012-09-18 00:59 . 2012-10-03 17:35 -------- d-----w- c:\documents and settings\Ryan Deutsch\Local Settings\Application Data\Sonic
2012-09-17 02:33 . 2012-09-17 02:35 -------- d-----w- c:\program files\WebEx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 06:03 . 2004-08-04 05:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-09-21 03:08 . 2012-04-10 02:04 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 03:08 . 2011-11-30 05:23 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 21:04 . 2009-10-14 22:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 17:01 . 2010-11-20 21:30 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 17:01 . 2009-08-13 03:27 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-23 07:40 . 2011-07-23 07:40 1952768 ----a-w- c:\program files\tinyumbrella-5.00.06(2).exe
2012-05-29 10:48 . 2012-09-25 06:51 303760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-09-25 06:52 . 2012-09-25 06:51 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\Ryan Deutsch\Desktop\uTorrent.exe" [2012-03-16 742264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\documents and settings\Ryan Deutsch\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ryan Deutsch\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO 5.0 HD Edition.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 5.0 HD Edition.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ryan Deutsch^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Ryan Deutsch\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 01:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-06 01:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-06-28 12:46 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-06-29 17:18 77824 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 09:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 03:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-07 21:04 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-28 19:28 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2010-07-06 19:32 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 23:02 49152 ----a-w- c:\program files\Brother\Brmfl06b\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 19:46 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-03-16 00:21 742264 ----a-w- c:\documents and settings\Ryan Deutsch\Desktop\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"AresChatServer"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"SeagateDashboardService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"MBAMService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"DSBrokerService"=3 (0x3)
"bgsvcgen"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Ryan Deutsch\\Desktop\\uTorrent.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/30/2011 12:38 AM 64512]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [9/19/2012 8:24 PM 99896]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/20/2012 9:09 AM 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2009 6:56 PM 22856]
S0 77938054;77938054;c:\windows\system32\drivers\06314150.sys --> c:\windows\system32\drivers\06314150.sys [?]
S2 FILESpy;FILESpy;\??\c:\program files\Softwin\BitDefender9\filespy.sys --> c:\program files\Softwin\BitDefender9\filespy.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:15 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2009 6:56 PM 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 10:04 PM 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:15 PM 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/17/2011 3:00 AM 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/3/2012 12:50 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/25/2012 1:15 AM 114144]
S4 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [7/6/2010 3:32 PM 14088]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 03:08]
.
2012-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Ryan Deutsch\Application Data\Mozilla\Firefox\Profiles\4rm96qvr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-82005099.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-04 14:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-10-04 14:54:29
ComboFix-quarantined-files.txt 2012-10-04 18:54
ComboFix2.txt 2012-10-03 17:40
ComboFix3.txt 2011-12-02 05:14
.
Pre-Run: 5,299,142,656 bytes free
Post-Run: 5,440,081,920 bytes free
.
- - End Of File - - D9A6704F83B5EEC902CE52B660F5DA20

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2012 - 02:19 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#11 Speedr73

Speedr73
  • Topic Starter

  • Members
  • 8 posts

Posted 04 October 2012 - 04:37 PM

µTorrent
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.6
Adobe SVG Viewer 3.0
ALPS Touch Pad Driver
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bonjour
Broadcom Management Programs 2
Brother MFL-Pro Suite
C-Major Audio
Cisco WebEx Meetings
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.9x Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
DivX Setup
Dropbox
ELIcon
Google
Google Update Helper
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP LaserJet Professional P1100-P1560-P1600 Series
Internal Network Card Power Management
iTunes
Java Auto Updater
Java™ 6 Update 29
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Modem Helper
Mozilla Firefox 15.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
NetWaiting
Network Recording Player
Photo Click
PHOTOfunSTUDIO 5.0 HD Edition
PowerDVD 5.5
QFolder
QuickSet
QuickTime
RealPlayer Basic
Rosetta Stone Version 3
RZ Video Converter
Seagate Dashboard
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype web features
Skype™ 4.1
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Spotify
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Vuze
WebEx Recorder and Player
WebFldrs XP
WinAVI All in One Converter
Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2012 - 08:13 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE: Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

µTorrent
Adobe Reader 9.4.6
Java™ 6 Update 29
Vuze


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • You may want to keep this small application and run it once a week to keep the computer clean.

    Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

Malwarebytes' Anti-Malware

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HiJackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe on 32-bit Windows,
or C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe on 64-bit Windows)
and select Run as administrator.

Information and logs

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 Speedr73 (Topic Starter)

Posted 05 October 2012 - 01:37 AM

After I installed Java, I got a popup that said "Installer : Wrapper.CreateFile failed with error 5: Access is denied."

Other than that everything seems to be ok and the other installs and updates went well.




Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.05.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Ryan Deutsch :: DRGREENTHUMB [administrator]

10/5/2012 2:14:01 AM
mbam-log-2012-10-05 (02-14-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241005
Time elapsed: 12 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)






Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:31:59 AM, on 10/5/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Ryan Deutsch\Desktop\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Ryan Deutsch\Application Data\Dropbox\bin\Dropbox.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179341382980
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP SI Service (HPSIService) - HP - C:\WINDOWS\system32\HPSIsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6415 bytes

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 05 October 2012 - 07:35 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries

This part of the fix is purely optional.
These are programs that start when you turn on your computer but do not need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs, you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Ryan Deutsch\Desktop\uTorrent.exe" /MINIMIZED
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Ryan Deutsch\Application Data\Dropbox\bin\Dropbox.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, for example IntelliPoint from the line
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HiJackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe on 32-bit Windows,
or C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe on 64-bit Windows)
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed.
    • Click Start
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the virus definitions to be downloaded.
  • Wait for the scan to finish.

When the scan is complete

  • If no threats were found:
    • Put a checkmark in "Uninstall application on close".
    • Close the program.
    • Report to me that nothing was found.

  • If threats were found:
    • Click on "list of threats found".
    • Click on "export to text file" and save it as ESET SCAN to the desktop.
    • Click on Back.
    • Put a checkmark in "Uninstall application on close".
    • Click on Finish.
    • Close the program.
    • Copy and paste the report here.


Gringo
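The O4 lines that HijackThis reports are the autostart entries in the HKLM and HKCU Run keys and in the Startup folder. As an added example, not part of this thread or of HijackThis, the Python script below parses those lines and flags any entry whose executable lives under a user profile (Desktop, Application Data and the like), which is the first thing a defender checks when triaging autoruns; the sample log is constructed from the O4 lines posted above, and the user-writable profile markers are my assumption for the XP and Vista-or-later folder layouts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread
# (the O23 line is included only to show that non-O4 lines are ignored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Ryan Deutsch\Desktop\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Ryan Deutsch\Application Data\Dropbox\bin\Dropbox.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Unquoted commands may contain spaces, so the path is cut after the first executable extension.
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|bat|cmd|scr|lnk))(?:\s+(?P<args>.*))?$", re.I)
# Assumed profile roots (XP and Vista-or-later layouts) where an unprivileged process can write.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\")

@dataclass
class AutostartEntry:
    source: str        # "HKLM Run", "HKCU Run" or "Startup folder"
    name: str          # registry value name or shortcut name
    path: str          # executable exactly as written in the entry
    args: str          # remaining command-line arguments
    suspicious: bool   # True when the executable lives under a user profile

def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (path, args); a quoted path ends at the closing quote."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.match(cmd)
    return (m.group("path"), (m.group("args") or "").strip()) if m else (cmd, "")

def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one HijackThis O4 line; any other line type yields None."""
    m = RUN_RE.match(line)
    source = f"{m.group('hive')} Run" if m else "Startup folder"
    m = m or STARTUP_RE.match(line)
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    flagged = any(marker in path.lower() for marker in USER_WRITABLE)
    return AutostartEntry(source, m.group("name"), path, args, flagged)

def triage(log_text: str) -> List[AutostartEntry]:
    """Return every autostart entry found in a HijackThis log, in log order."""
    entries = (parse_o4(line.strip()) for line in log_text.splitlines())
    return [e for e in entries if e is not None]
```

Calling `triage(SAMPLE_LOG)` returns five entries, with the uTorrent (Desktop) and Dropbox (Application Data) ones flagged for review; flagged does not mean malicious, only that the location deserves a look, as in this thread.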

#15 Speedr73 (Topic Starter)

Posted 05 October 2012 - 03:55 PM

Here is the ESET Scan report...


C:\Qoobox\Quarantine\C\Documents and Settings\Ryan Deutsch\Local Settings\Application Data\Sonic\pvnlhils.dll.vir Win32/Kryptik.AMNG trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000019.dll Win32/Kryptik.AMNG trojan
C:\TDSSKiller_Quarantine\04.10.2012_01.56.48\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\04.10.2012_01.56.48\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.OX trojan
C:\TDSSKiller_Quarantine\04.10.2012_01.56.48\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\04.10.2012_01.56.48\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\04.10.2012_01.56.48\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan



