
Can't Remove Happili Trojan


  • This topic is locked
17 replies to this topic

#1 riley45


  • Members
  • 138 posts

Posted 11 November 2012 - 09:20 PM

On Friday, 11/09/2012 I started getting Google redirects. I ran TDSSKiller (which found nothing) and Malwarebytes (which detected and deleted three files -- one which contained the Happili trojan and two which contained the BHO trojan). The files found and deleted by Malwarebytes are shown below:

C:\Documents and Settings\Owner\Local Settings\temp\0.6837268366905471 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\900751.309105935.htm (Trojan.BHO) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1704833363-758890274-2038612096-1003\Dc53.htm (Trojan.BHO) -> Quarantined and deleted successfully.

However, I continued to get Google redirects. I subsequently ran many other trojan removal programs, all of which found nothing. These included Rkill, Webroot ZeroAccess/Max++ Remover Tool, McAfee Stinger, Microsoft Windows Malicious Software Removal Tool, SUPERAntiSpyware, and Microsoft Security Essentials, as well as additional runs of TDSSKiller and Malwarebytes.

I also deleted temporary internet files, and cleared both the DNS cache and the Java cache. I also saw that under the LAN settings on my Internet Explorer browser, "Use a proxy server for your LAN" was unchecked. I even replaced the hosts file with a fresh version downloaded from Microsoft. All of the above steps were to no avail.

I saw a manual instruction on the Internet to remove the Happili trojan which said to open msconfig and look for rundll32.exe under the Start Up tab (C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll). I found the file and renamed it by changing one of the letters and then restarted my computer. This seemed to correct the Google redirect problem (even though I get a pop up when I start the computer stating that the aforementioned file cannot be found). I did not feel comfortable with this temporary fix, so I changed the name of the file back to its original name and the Google redirects returned.

Can you please help me find a proper fix for the Google redirect problem?

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:27:08 on 2012-11-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1007.550 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
BHO: Babylon toolbar helper: {2EECD738-5844-4a99-B4B6-146BF802613B} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
TB: AOL Toolbar: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
TB: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft] rundll32.exe "c:\documents and settings\owner\local settings\application data\symantec\microsoft\vpnphrtv.dll",DllRegisterServerW
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Microsoft] rundll32.exe "c:\documents and settings\owner\local settings\application data\symantec\microsoft\vpnphrtv.dll",DllRegisterServerW
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - hxxp://usfulfillment.puretracks.com/onager.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342294003531
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://incommsolutions.webex.com/client/WBXclient-T27L10NSP31-13320/webex/ieatgpc.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3606.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{ADCCC00B-5FE3-48CC-B779-B4B07275D68C} : DHCPNameServer = 192.168.2.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 SS1022;Siemens SpeedStream Wireless USB Driver;c:\windows\system32\drivers\SSUSBN51.sys [2007-3-11 588160]
S1 leqpktih;leqpktih;\??\c:\windows\system32\drivers\leqpktih.sys --> c:\windows\system32\drivers\leqpktih.sys [?]
S2 EBPYWGVK;EBPYWGVK;\??\c:\windows\system32\ebpywgvk.agr --> c:\windows\system32\ebpywgvk.agr [?]
S2 mclserviceatl;Firesvc;c:\windows\system32\svchost.exe -k netsvcs [2005-3-23 14336]
S2 mctskshd.exe;Tdcmdpst;c:\windows\system32\svchost.exe -k netsvcs [2005-3-23 14336]
S3 MFE_RR;MFE_RR;c:\docume~1\owner\locals~1\temp\mfe_rr.sys [2012-4-11 16960]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-11-21 50704]
.
=============== Created Last 30 ================
.
2012-11-11 22:27:37 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ad0b0d0b-cc14-4152-8a17-7ca363edc162}\mpengine.dll
2012-11-10 22:00:19 6918632 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-10 19:17:20 -------- d-----w- c:\program files\stinger
2012-11-04 01:04:39 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-11-04 01:04:39 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-11-04 01:04:39 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-11-04 01:04:38 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-10-13 01:24:10 1409 ----a-w- c:\windows\QTFont.for
.
==================== Find3M ====================
.
2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:19 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 03:26:50 27024112 ----a-w- c:\program files\PowerPointViewer.exe
.
============= FINISH: 19:28:56.79 ===============
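The Run-key lines in the DDS report above carry the persistence that the poster found by hand in msconfig: a value named "Microsoft" that uses rundll32.exe to load a DLL sitting in the user's own Local Settings folder, registered in both the HKCU and the default-user (dRun) hive. The following Python script is an added example, not part of the post and not code from DDS or any of the tools mentioned; it parses those Run lines (the sample input is copied from the report above) and attaches the findings a defender would look for. The heuristics (user-writable path, rundll32 proxying, generic value name) are this example's own assumptions, not rules from the page.

```python
import re
from dataclasses import dataclass, field

# Sample input: Run-key lines copied from the DDS "Pseudo HJT Report" in the post above.
DDS_RUN_LINES = r"""
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft] rundll32.exe "c:\documents and settings\owner\local settings\application data\symantec\microsoft\vpnphrtv.dll",DllRegisterServerW
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Microsoft] rundll32.exe "c:\documents and settings\owner\local settings\application data\symantec\microsoft\vpnphrtv.dll",DllRegisterServerW
""".strip().splitlines()

# DDS prefixes: u = HKCU (current user), m = HKLM (machine), d = HKU\.DEFAULT (default user hive)
HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}
RUN_LINE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s+(.*)$")
# Either a quoted path, or an unquoted path up to the first executable-looking extension
PATH_TOKEN = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|cpl|scr))(?=[\s,]|$)', re.IGNORECASE)

# Assumption: folders an unprivileged user can write to on an XP-era system
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\recycler\\")
# Assumption: value names that say nothing about what runs (weak signal on its own)
GENERIC_NAMES = {"microsoft", "windows", "system", "update"}
SYSTEM_ROOTS = ("c:\\program files", "c:\\windows", "c:\\progra~1")


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    image: str                                  # the file that really executes
    findings: list = field(default_factory=list)


def image_of(command: str) -> str:
    """Pick the file that actually runs: for rundll32 that is the DLL argument, not rundll32 itself."""
    cmd = command.strip()
    head = cmd.split()[0]
    if head.lower().endswith("rundll32.exe"):
        cmd = cmd[len(head):].strip()           # inspect the DLL argument instead
    m = PATH_TOKEN.match(cmd)
    if not m:
        return head.lower()
    return (m.group(1) or m.group(2)).lower()


def triage(lines):
    """Parse DDS Run lines and return only the entries that earn at least one finding."""
    flagged = []
    for line in lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        prefix, name, command = m.groups()
        entry = Autorun(HIVES[prefix], name, command, image_of(command))
        via_rundll32 = command.lstrip().lower().startswith("rundll32")
        in_user_dir = (any(frag in entry.image for frag in USER_WRITABLE)
                       and "\\all users\\" not in entry.image)
        if via_rundll32 and in_user_dir:
            # A DLL proxied through rundll32 from a user-writable folder is a classic
            # persistence pattern; vendor DLLs normally live under Program Files or Windows.
            entry.findings.append("rundll32 loads DLL from user-writable path")
        if prefix == "d" and in_user_dir:
            # HKU\.DEFAULT runs at the logon screen and seeds new profiles;
            # a per-user program has no business being registered there.
            entry.findings.append("default-user hive autorun points into a user profile")
        if name.lower() in GENERIC_NAMES and not entry.image.startswith(SYSTEM_ROOTS):
            entry.findings.append("generic value name hides a non-system binary")
        if entry.findings:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for a in triage(DDS_RUN_LINES):
        print(f"{a.hive}\\...\\Run [{a.name}] -> {a.image}")
        for f in a.findings:
            print("   !", f)
```

Run on the lines above, only the two "Microsoft" values are reported, with the dRun copy collecting an extra finding because it lives in the default-user hive. Renaming the DLL, as the poster did, breaks the chain without removing either registry value, which is why the "file cannot be found" popup appeared at logon.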


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 11 November 2012 - 11:48 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 riley45

  • Topic Starter

  • Members
  • 138 posts

Posted 12 November 2012 - 11:12 AM

Thank you for getting back to me so quickly. I ran the three scans you suggested, and the results are as follows:

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
AOL Spyware Protection
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 23
Java version out of Date!
Adobe Reader 7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````






# AdwCleaner v2.007 - Logfile created 11/12/2012 at 10:46:24
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - KEN
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\BleepingComputer-1st Message\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\DOCUME~1\Owner\LOCALS~1\Temp\BabylonToolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Owner\Application Data\BabylonToolbar
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon
Folder Deleted : C:\Program Files\BabylonToolbar
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\b
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484A-89D3-318C928DAC1B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?babsrc=NT_ss&affID=101385&mntrId=a846c63d0000000000000002dd43387f&tt=090212_ctrl --> hxxp://www.google.com

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v23.0.1271.64

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.79] : homepage = "hxxp://search.babylon.com/?babsrc=HP_ss&affID=101385&mntrId=a846c63d0000000000000002dd43387f&tt=090212_ctrl",

*************************

AdwCleaner[S1].txt - [8026 octets] - [12/11/2012 10:46:24]

########## EOF - C:\AdwCleaner[S1].txt - [8086 octets] ##########







RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 11/12/2012 10:57:15

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll -> UNLOADED
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll",DllRegisterServerW) -> DELETED
[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll",DllRegisterServerW) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Parameters : NameServer (85.255.116.163;85.255.112.121) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Services\Parameters : NameServer (85.255.116.163;85.255.112.121) -> NOT REMOVED, USE DNSFIX
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3100011A +++++
--- User ---
[MBR] 51cdbc7349b54537e9c39a85e3c1a8d0
[BSP] 95ed84d82cf00005de23acd4c67b3ee8 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 6924015 | Size: 92012 Mo
1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 3380 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11122012_02d1057.txt >>
RKreport[1]_S_11122012_02d1055.txt ; RKreport[2]_D_11122012_02d1057.txt
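The RogueKiller log above shows why the browser-level cleanup never helped: the DDS report had listed 192.168.2.1 (the router) as the DHCP-assigned resolver, but the Tcpip\Parameters key in two control sets carried a static NameServer value pointing at two public addresses, which every lookup on the box was silently sent through. The Python below is an added example, not part of the post and not code from RogueKiller or DDS; it reads both log formats (the sample lines are copied from the logs above), compares the configured resolvers with what DHCP handed out, and reports the control sets that carry the value. The "public address not from DHCP" rule is this example's own assumption about what counts as suspicious.

```python
import ipaddress
import re

# Sample input copied from the logs posted above: the DDS "TCP:" lines (what the interface
# got from DHCP) and the RogueKiller "[DNS]" lines (what the registry actually says).
LOG_LINES = r"""
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{ADCCC00B-5FE3-48CC-B779-B4B07275D68C} : DHCPNameServer = 192.168.2.1
[DNS] HKLM\[...]\ControlSet001\Services\Parameters : NameServer (85.255.116.163;85.255.112.121) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Services\Parameters : NameServer (85.255.116.163;85.255.112.121) -> NOT REMOVED, USE DNSFIX
""".strip().splitlines()

RK_DNS_LINE = re.compile(r"^\[DNS\]\s+(\S+?)\s*:\s*NameServer\s*\(([^)]*)\)")
DDS_TCP_LINE = re.compile(r"^TCP:.*?\b(DHCPNameServer|NameServer)\s*=\s*(\S+)")


def split_servers(value: str):
    """NameServer values are ';' or ',' separated lists of IP literals."""
    return [s for s in re.split(r"[;,\s]+", value) if s]


def collect_nameservers(lines):
    """Return (configured, dhcp, keys): resolvers written into the registry, resolvers
    learned from DHCP, and the registry keys that carried a configured value."""
    configured, dhcp, keys = set(), set(), []
    for line in lines:
        m = RK_DNS_LINE.match(line)
        if m:
            keys.append(m.group(1))
            configured.update(split_servers(m.group(2)))
            continue
        m = DDS_TCP_LINE.match(line)
        if m:
            target = dhcp if m.group(1) == "DHCPNameServer" else configured
            target.update(split_servers(m.group(2)))
    return configured, dhcp, keys


def suspicious_resolvers(configured, dhcp):
    """Configured resolvers that are public addresses and were not handed out by DHCP."""
    out = []
    for text in configured:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue                            # not an IP literal; nothing to judge
        if ip.is_private or ip.is_loopback or text in dhcp:
            continue                            # LAN resolver, or exactly what DHCP gave us
        out.append(text)
    return sorted(out)


def audit(lines):
    """Summarise the DNS state found in the logs."""
    configured, dhcp, keys = collect_nameservers(lines)
    control_sets = set()
    for key in keys:
        m = re.search(r"ControlSet\d+", key)
        if m:
            control_sets.add(m.group(0))
    return {
        "dhcp": sorted(dhcp),
        "suspicious": suspicious_resolvers(configured, dhcp),
        "control_sets": sorted(control_sets),   # each one must be cleaned, not just the current set
    }


if __name__ == "__main__":
    for k, v in audit(LOG_LINES).items():
        print(f"{k:13s} {v}")
```

Two points the output makes concrete: the value is present in more than one control set, so a fix that only edits CurrentControlSet leaves a copy that comes back with a "Last Known Good" boot, which is why the tool says NOT REMOVED, USE DNSFIX rather than quietly deleting one key; and the check only works because the DHCP-assigned server was trustworthy here. If the router itself had been reconfigured, the DHCP value would be the poisoned one and this comparison would report nothing.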

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 12 November 2012 - 11:23 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 riley45

  • Topic Starter

  • Members
  • 138 posts

Posted 14 November 2012 - 08:31 AM

I ran the ComboFix tool, and a window popped up saying that it found Rootkit Zero Access. Then another window popped up saying that "Rootkit is Detected". However, the computer froze up at this point and had to be restarted manually. I ran ComboFix again, and this time it successfully completed the scan. I do not have any more Google redirects, and my computer appears to be functioning normally.

The rundll32.exe entry in msconfig start up, along with the associated registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), are no longer present. However, I noticed that the target file C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll still exists. Note that this file was created on the day that I started getting the Google redirects and, as I mentioned before, seemed to be the cause of the problem. I am wondering whether I should delete this file. In addition, are there any other instructions that you have?

Here is the ComboFix log:

ComboFix 12-11-12.03 - Owner 11/12/2012 18:18:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1007.711 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\BleepingComputer-2ndMessage\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\g2mdlhlpx.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\eula.txt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\TDSSKiller.exe
c:\windows\system32\
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\wuauclt.exe.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))
.
.
2012-11-11 22:27 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD0B0D0B-CC14-4152-8A17-7CA363EDC162}\mpengine.dll
2012-11-10 22:00 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-10 19:17 . 2012-11-10 19:26 -------- d-----w- c:\program files\stinger
2012-11-04 01:04 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-11-04 01:04 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-11-04 01:04 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-11-04 01:04 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-13 01:24 . 2012-10-13 01:24 1409 ----a-w- c:\windows\QTFont.for
2012-09-30 00:54 . 2011-10-07 01:28 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2005-03-23 16:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2005-03-23 16:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2005-03-23 16:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2005-03-23 16:52 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2005-03-23 16:53 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2005-03-23 16:52 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-04 05:59 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 03:26 . 2011-02-09 03:26 27024112 ----a-w- c:\program files\PowerPointViewer.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-11 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 185896]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Siemens SpeedStream Wireless USB.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Siemens SpeedStream Wireless USB.lnk
backup=c:\windows\pss\Siemens SpeedStream Wireless USB.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-05-11 16:23 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-27 01:41 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R3 SS1022;Siemens SpeedStream Wireless USB Driver;c:\windows\system32\drivers\SSUSBN51.sys [3/11/2007 12:03 PM 588160]
S1 leqpktih;leqpktih;\??\c:\windows\system32\drivers\leqpktih.sys --> c:\windows\system32\drivers\leqpktih.sys [?]
S2 EBPYWGVK;EBPYWGVK;\??\c:\windows\system32\ebpywgvk.agr --> c:\windows\system32\ebpywgvk.agr [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
int15
iomegaaccess
nnsvc
sprtsvc_dellsupportcenter
olregcap
mctskshd.exe
tsmservice
nuvvid2
sfsync04
mclserviceatl
SeaPort
MKEMUSB
hclinetd
CTEXFIFX.DLL
lmouflt2
sysdown
ctdvda2k
s116bus
driverhardwarev2
RDID1007
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:58]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:58]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1704833363-758890274-2038612096-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 13:48]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1704833363-758890274-2038612096-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 13:48]
.
2012-11-12 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2012-11-12 c:\windows\Tasks\User_Feed_Synchronization-{C6EF6733-F01A-486F-B22E-DC9407039ED5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{ADCCC00B-5FE3-48CC-B779-B4B07275D68C}: DhcpNameServer = 192.168.2.1
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
SafeBoot-63098331.sys
SafeBoot-72335122.sys
SafeBoot-76977347.sys
SafeBoot-79427409.sys
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-12 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EBPYWGVK]
"ImagePath"="\??\c:\windows\system32\ebpywgvk.agr"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\Root\LEGACY_NDISPROT.SYS\0000]
@DACL=(02 0000)
"Service"="Ndisprot.sys"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Ndisprot.sys"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0084"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1432)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
.
**************************************************************************
.
Completion time: 2012-11-12 19:02:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-13 00:02
ComboFix2.txt 2011-09-25 03:04
.
Pre-Run: 40,022,417,408 bytes free
Post-Run: 42,123,636,736 bytes free
.
- - End Of File - - 13010ED83C61152DD321EFF78EDF56C5
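
As an added example (not part of this thread, and not code from ComboFix), a small Python triage script that parses the Drivers/Services lines of a ComboFix log such as the one above and flags the entries a responder would look at first: images ComboFix marks "[?]" (file could not be found on disk), images under a Temp folder, and images with an extension that is not a normal driver or service binary. The sample lines and the heuristics are constructed for this example; the letter/digit prefix decoding follows ComboFix's usual convention.

```python
import re

# Constructed sample input: five service lines copied in the ComboFix
# "Drivers/Services" format (two legitimate entries for contrast, three
# that ComboFix marks "[?]").
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R3 SS1022;Siemens SpeedStream Wireless USB Driver;c:\windows\system32\drivers\SSUSBN51.sys [3/11/2007 12:03 PM 588160]
S1 leqpktih;leqpktih;\??\c:\windows\system32\drivers\leqpktih.sys --> c:\windows\system32\drivers\leqpktih.sys [?]
S2 EBPYWGVK;EBPYWGVK;\??\c:\windows\system32\ebpywgvk.agr --> c:\windows\system32\ebpywgvk.agr [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys [?]
"""

# One ComboFix service line: state letter (R = running, S = stopped), start-type
# digit (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), then
# name;display name;image path [details].
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<detail>[^\]]*)\]$"
)

# Extensions one expects for a kernel driver or service binary.
EXPECTED_EXT = {".sys", ".exe", ".dll"}


def parse_services(log_text):
    """Yield one dict per service line; lines in any other format are ignored."""
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # For "[?]" entries ComboFix prints "\??\<path> --> <path>"; keep the
        # right-hand side, which is the plain file system path.
        if " --> " in rec["image"]:
            rec["image"] = rec["image"].split(" --> ", 1)[1]
        yield rec


def reasons_for(rec):
    """Return the list of triage reasons that apply to one parsed service."""
    reasons = []
    image = rec["image"].lower()
    if rec["detail"] == "?":
        reasons.append("missing_file")      # ComboFix could not stat the image
    if "\\temp\\" in image:
        reasons.append("temp_path")         # drivers do not belong in a Temp folder
    fname = image.rsplit("\\", 1)[-1]
    ext = fname[fname.rfind("."):] if "." in fname else ""
    if ext not in EXPECTED_EXT:
        reasons.append("odd_extension")     # e.g. ".agr" for a kernel service
    # A display name identical to the internal name is common for legitimate
    # drivers too, so it is only reported when a stronger reason already fired.
    if rec["name"] == rec["display"] and reasons:
        reasons.append("no_display_name")
    return reasons


def triage_services(log_text):
    """Map service name -> reasons for every service with at least one reason."""
    findings = {}
    for rec in parse_services(log_text):
        reasons = reasons_for(rec)
        if reasons:
            findings[rec["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in triage_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

A hit is a prompt to check the entry, not a verdict: MFE_RR under Temp likely corresponds to the McAfee Stinger run mentioned in the first post, whereas leqpktih and EBPYWGVK (random names, no file on disk, one with a ".agr" image) are the ones worth following up.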

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2012 - 01:04 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#7 riley45

  • Topic Starter
  • Members
  • 138 posts
  • Gender:Male

Posted 14 November 2012 - 09:07 PM

I first ran TDSSKiller, which detected the infected file Rootkit.Boot.Pihar.C. I selected the default action Cure for this item, and TDSSKiller prompted me to reboot my computer in order to complete the scan. At the time the scan was completed, my Microsoft Security Essentials antivirus software automatically detected five Trojans, which I quarantined and subsequently deleted.

I then performed the aswMBR scan according to your instructions.

Here are the log file from the TDSSKiller scan, a list of the Trojans detected and deleted by Microsoft Security Essentials, and the log file from the aswMBR scan.


17:41:48.0656 0336 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
17:41:49.0078 0336 ============================================================
17:41:49.0078 0336 Current date / time: 2012/11/14 17:41:49.0078
17:41:49.0078 0336 SystemInfo:
17:41:49.0078 0336
17:41:49.0078 0336 OS Version: 5.1.2600 ServicePack: 3.0
17:41:49.0078 0336 Product type: Workstation
17:41:49.0078 0336 ComputerName: KEN
17:41:49.0078 0336 UserName: Owner
17:41:49.0078 0336 Windows directory: C:\WINDOWS
17:41:49.0078 0336 System windows directory: C:\WINDOWS
17:41:49.0078 0336 Processor architecture: Intel x86
17:41:49.0078 0336 Number of processors: 1
17:41:49.0078 0336 Page size: 0x1000
17:41:49.0078 0336 Boot type: Normal boot
17:41:49.0078 0336 ============================================================
17:41:51.0671 0336 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:41:51.0906 0336 ============================================================
17:41:51.0906 0336 \Device\Harddisk0\DR0:
17:41:51.0906 0336 MBR partitions:
17:41:51.0906 0336 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x69A6EF, BlocksNum 0xB3B6752
17:41:51.0906 0336 \Device\Harddisk0\DR0\Partition2: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x69A6B0
17:41:51.0906 0336 ============================================================
17:41:51.0953 0336 C: <-> \Device\Harddisk0\DR0\Partition1
17:41:51.0953 0336 D: <-> \Device\Harddisk0\DR0\Partition2
17:41:51.0953 0336 ============================================================
17:41:51.0953 0336 Initialize success
17:41:51.0953 0336 ============================================================
17:42:03.0015 3372 ============================================================
17:42:03.0015 3372 Scan started
17:42:03.0015 3372 Mode: Manual;
17:42:03.0015 3372 ============================================================
17:42:03.0312 3372 ================ Scan system memory ========================
17:42:03.0312 3372 System memory - ok
17:42:03.0328 3372 ================ Scan services =============================
17:42:03.0515 3372 [ C0393EB99A6C72C6BEF9BFC4A72B33A6 ] !SASCORE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
17:42:03.0578 3372 !SASCORE - ok
17:42:03.0953 3372 Abiosdsk - ok
17:42:03.0984 3372 [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5 C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:42:04.0000 3372 abp480n5 - ok
17:42:04.0109 3372 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:42:04.0171 3372 ACPI - ok
17:42:04.0250 3372 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
17:42:04.0281 3372 ACPIEC - ok
17:42:04.0343 3372 [ 9A11864873DA202C996558B2106B0BBC ] adpu160m C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:42:04.0390 3372 adpu160m - ok
17:42:04.0500 3372 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
17:42:04.0531 3372 aec - ok
17:42:04.0640 3372 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
17:42:04.0687 3372 AFD - ok
17:42:04.0750 3372 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
17:42:04.0796 3372 agp440 - ok
17:42:04.0812 3372 [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:42:04.0843 3372 agpCPQ - ok
17:42:04.0890 3372 [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:42:04.0906 3372 Aha154x - ok
17:42:04.0937 3372 [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2 C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:42:04.0953 3372 aic78u2 - ok
17:42:04.0984 3372 [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:42:05.0000 3372 aic78xx - ok
17:42:06.0031 3372 [ 95AA37BEC6C72C277C2CAEAEE736DD2D ] ALCXWDM C:\WINDOWS\system32\drivers\ALCXWDM.SYS
17:42:06.0812 3372 ALCXWDM - ok
17:42:06.0859 3372 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
17:42:06.0875 3372 Alerter - ok
17:42:06.0937 3372 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
17:42:06.0968 3372 ALG - ok
17:42:07.0000 3372 [ 1140AB9938809700B46BB88E46D72A96 ] AliIde C:\WINDOWS\system32\DRIVERS\aliide.sys
17:42:07.0015 3372 AliIde - ok
17:42:07.0046 3372 [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541 C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:42:07.0062 3372 alim1541 - ok
17:42:07.0093 3372 [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:42:07.0109 3372 amdagp - ok
17:42:07.0125 3372 [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint C:\WINDOWS\system32\DRIVERS\amsint.sys
17:42:07.0125 3372 amsint - ok
17:42:07.0656 3372 [ 60A92C8C19F007679F65521D779DCB93 ] AOL ACS C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
17:42:08.0312 3372 AOL ACS - ok
17:42:08.0328 3372 AppMgmt - ok
17:42:08.0765 3372 [ 62D318E9A0C8FC9B780008E724283707 ] asc C:\WINDOWS\system32\DRIVERS\asc.sys
17:42:08.0796 3372 asc - ok
17:42:08.0812 3372 [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:42:08.0828 3372 asc3350p - ok
17:42:08.0843 3372 [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550 C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:42:08.0843 3372 asc3550 - ok
17:42:08.0968 3372 [ E1A1206A4FB19B675E947B29CCD25FBA ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
17:42:09.0000 3372 aspnet_state - ok
17:42:09.0046 3372 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:42:09.0078 3372 AsyncMac - ok
17:42:09.0140 3372 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
17:42:09.0140 3372 atapi - ok
17:42:09.0156 3372 Atdisk - ok
17:42:09.0203 3372 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:42:09.0234 3372 Atmarpc - ok
17:42:09.0296 3372 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
17:42:09.0312 3372 AudioSrv - ok
17:42:09.0375 3372 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
17:42:09.0375 3372 audstub - ok
17:42:09.0406 3372 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
17:42:09.0406 3372 Beep - ok
17:42:09.0562 3372 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
17:42:09.0718 3372 BITS - ok
17:42:09.0781 3372 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
17:42:09.0781 3372 Browser - ok
17:42:09.0828 3372 [ 2FE6D5BE0629F706197B30C0AA05DE30 ] BrPar C:\WINDOWS\System32\drivers\BrPar.sys
17:42:09.0828 3372 BrPar - ok
17:42:09.0843 3372 catchme - ok
17:42:09.0890 3372 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:42:09.0921 3372 cbidf - ok
17:42:09.0937 3372 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
17:42:09.0937 3372 cbidf2k - ok
17:42:09.0953 3372 [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:42:09.0953 3372 cd20xrnt - ok
17:42:09.0984 3372 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
17:42:10.0000 3372 Cdaudio - ok
17:42:10.0031 3372 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
17:42:10.0062 3372 Cdfs - ok
17:42:10.0125 3372 [ 814ACB9B8A55804D9878248B3C79F862 ] Cdr4_xp C:\WINDOWS\system32\drivers\Cdr4_xp.sys
17:42:10.0187 3372 Cdr4_xp - ok
17:42:10.0234 3372 [ BCE7213F8AA1BC9D5C08F81CB05E10A7 ] Cdralw2k C:\WINDOWS\system32\drivers\Cdralw2k.sys
17:42:10.0312 3372 Cdralw2k - ok
17:42:10.0390 3372 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:42:10.0421 3372 Cdrom - ok
17:42:10.0421 3372 Changer - ok
17:42:10.0484 3372 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
17:42:10.0531 3372 CiSvc - ok
17:42:10.0625 3372 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
17:42:10.0687 3372 ClipSrv - ok
17:42:10.0750 3372 [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:42:10.0750 3372 CmdIde - ok
17:42:10.0765 3372 COMSysApp - ok
17:42:10.0781 3372 [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:42:10.0781 3372 Cpqarray - ok
17:42:10.0843 3372 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
17:42:10.0859 3372 CryptSvc - ok
17:42:10.0875 3372 ctdvda2k - ok
17:42:10.0890 3372 CTEXFIFX.DLL - ok
17:42:10.0953 3372 [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:42:11.0000 3372 dac2w2k - ok
17:42:11.0015 3372 [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:42:11.0031 3372 dac960nt - ok
17:42:11.0187 3372 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
17:42:11.0328 3372 DcomLaunch - ok
17:42:11.0390 3372 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
17:42:11.0437 3372 Dhcp - ok
17:42:11.0453 3372 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
17:42:11.0468 3372 Disk - ok
17:42:11.0484 3372 dmadmin - ok
17:42:11.0765 3372 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
17:42:12.0046 3372 dmboot - ok
17:42:12.0125 3372 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
17:42:12.0171 3372 dmio - ok
17:42:12.0218 3372 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
17:42:12.0218 3372 dmload - ok
17:42:12.0281 3372 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
17:42:12.0296 3372 dmserver - ok
17:42:12.0343 3372 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
17:42:12.0359 3372 DMusic - ok
17:42:12.0406 3372 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
17:42:12.0421 3372 Dnscache - ok
17:42:12.0515 3372 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
17:42:12.0546 3372 Dot3svc - ok
17:42:12.0593 3372 [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:42:12.0593 3372 dpti2o - ok
17:42:12.0609 3372 driverhardwarev2 - ok
17:42:12.0656 3372 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
17:42:12.0656 3372 drmkaud - ok
17:42:12.0750 3372 [ 7D91DC6342248369F94D6EBA0CF42E99 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
17:42:12.0796 3372 E100B - ok
17:42:12.0859 3372 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
17:42:12.0875 3372 EapHost - ok
17:42:12.0875 3372 EBPYWGVK - ok
17:42:12.0937 3372 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
17:42:12.0937 3372 ERSvc - ok
17:42:13.0015 3372 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
17:42:13.0062 3372 Eventlog - ok
17:42:13.0171 3372 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
17:42:13.0250 3372 EventSystem - ok
17:42:13.0343 3372 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
17:42:13.0390 3372 Fastfat - ok
17:42:13.0453 3372 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
17:42:13.0484 3372 FastUserSwitchingCompatibility - ok
17:42:13.0515 3372 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
17:42:13.0515 3372 Fdc - ok
17:42:13.0546 3372 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
17:42:13.0562 3372 Fips - ok
17:42:13.0625 3372 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:42:13.0640 3372 Flpydisk - ok
17:42:13.0718 3372 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
17:42:13.0765 3372 FltMgr - ok
17:42:13.0812 3372 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:42:13.0812 3372 Fs_Rec - ok
17:42:13.0859 3372 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:42:13.0906 3372 Ftdisk - ok
17:42:13.0953 3372 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:42:13.0968 3372 Gpc - ok
17:42:14.0093 3372 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
17:42:14.0140 3372 gupdate - ok
17:42:14.0203 3372 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
17:42:14.0203 3372 gupdatem - ok
17:42:14.0203 3372 hclinetd - ok
17:42:14.0328 3372 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:42:14.0343 3372 helpsvc - ok
17:42:14.0375 3372 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
17:42:14.0390 3372 HidServ - ok
17:42:14.0406 3372 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:42:14.0421 3372 HidUsb - ok
17:42:14.0484 3372 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
17:42:14.0500 3372 hkmsvc - ok
17:42:14.0562 3372 [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn C:\WINDOWS\system32\DRIVERS\hpn.sys
17:42:14.0562 3372 hpn - ok
17:42:14.0703 3372 [ 33DFC0AFA95F9A2C753FF2ADB7D4A21F ] HSFHWBS2 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
17:42:14.0765 3372 HSFHWBS2 - ok
17:42:15.0140 3372 [ B2DFC168D6F7512FAEA085253C5A37AD ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
17:42:15.0500 3372 HSF_DP - ok
17:42:15.0625 3372 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
17:42:15.0718 3372 HTTP - ok
17:42:15.0765 3372 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
17:42:15.0781 3372 HTTPFilter - ok
17:42:15.0828 3372 [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt C:\WINDOWS\system32\drivers\i2omgmt.sys
17:42:15.0828 3372 i2omgmt - ok
17:42:15.0890 3372 [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:42:15.0890 3372 i2omp - ok
17:42:15.0968 3372 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:42:15.0984 3372 i8042prt - ok
17:42:16.0265 3372 [ 0ACEBB31989CBF9A5663FE4A33D28D21 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:42:16.0500 3372 ialm - ok
17:42:16.0546 3372 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
17:42:16.0562 3372 Imapi - ok
17:42:16.0656 3372 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
17:42:16.0703 3372 ImapiService - ok
17:42:16.0765 3372 [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u C:\WINDOWS\system32\DRIVERS\ini910u.sys
17:42:16.0765 3372 ini910u - ok
17:42:16.0781 3372 int15 - ok
17:42:16.0812 3372 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
17:42:16.0828 3372 IntelIde - ok
17:42:16.0875 3372 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:42:16.0890 3372 intelppm - ok
17:42:16.0906 3372 iomegaaccess - ok
17:42:16.0968 3372 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
17:42:16.0984 3372 Ip6Fw - ok
17:42:17.0015 3372 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:42:17.0031 3372 IpFilterDriver - ok
17:42:17.0062 3372 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:42:17.0078 3372 IpInIp - ok
17:42:17.0156 3372 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:42:17.0218 3372 IpNat - ok
17:42:17.0250 3372 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:42:17.0281 3372 IPSec - ok
17:42:17.0328 3372 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
17:42:17.0328 3372 IRENUM - ok
17:42:17.0375 3372 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:42:17.0390 3372 isapnp - ok
17:42:17.0562 3372 [ 691B9B7C0CC1653732717D292D6B305D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
17:42:17.0609 3372 JavaQuickStarterService - ok
17:42:17.0671 3372 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:42:17.0671 3372 Kbdclass - ok
17:42:17.0718 3372 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:42:17.0718 3372 kbdhid - ok
17:42:17.0812 3372 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
17:42:17.0859 3372 kmixer - ok
17:42:17.0953 3372 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
17:42:17.0968 3372 KSecDD - ok
17:42:18.0062 3372 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
17:42:18.0093 3372 lanmanserver - ok
17:42:18.0187 3372 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
17:42:18.0234 3372 lanmanworkstation - ok
17:42:18.0234 3372 lbrtfdc - ok
17:42:18.0250 3372 leqpktih - ok
17:42:18.0296 3372 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
17:42:18.0312 3372 LmHosts - ok
17:42:18.0312 3372 lmouflt2 - ok
17:42:18.0328 3372 mclserviceatl - ok
17:42:18.0343 3372 mctskshd.exe - ok
17:42:18.0390 3372 [ 3C318B9CD391371BED62126581EE9961 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
17:42:18.0406 3372 mdmxsdk - ok
17:42:18.0453 3372 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
17:42:18.0468 3372 Messenger - ok
17:42:18.0609 3372 MFE_RR - ok
17:42:18.0640 3372 MKEMUSB - ok
17:42:18.0687 3372 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
17:42:18.0703 3372 mnmdd - ok
17:42:18.0750 3372 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
17:42:18.0765 3372 mnmsrvc - ok
17:42:18.0812 3372 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
17:42:18.0828 3372 Modem - ok
17:42:18.0859 3372 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:42:18.0859 3372 Mouclass - ok
17:42:18.0921 3372 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:42:18.0921 3372 mouhid - ok
17:42:18.0968 3372 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
17:42:18.0984 3372 MountMgr - ok
17:42:19.0078 3372 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
17:42:19.0140 3372 MpFilter - ok
17:42:19.0312 3372 [ A69630D039C38018689190234F866D77 ] MpKsl3df3bfce c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C84D7400-5590-44EF-8A90-CF1C0F261A70}\MpKsl3df3bfce.sys
17:42:19.0312 3372 MpKsl3df3bfce - ok
17:42:19.0375 3372 [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:42:19.0375 3372 mraid35x - ok
17:42:19.0453 3372 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:42:19.0500 3372 MRxDAV - ok
17:42:19.0703 3372 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:42:19.0843 3372 MRxSmb - ok
17:42:19.0953 3372 [ B490BD0678CB6A4890A86020ED106C75 ] MSCSPTISRV C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
17:42:19.0984 3372 MSCSPTISRV - ok
17:42:20.0031 3372 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
17:42:20.0031 3372 MSDTC - ok
17:42:20.0062 3372 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
17:42:20.0078 3372 Msfs - ok
17:42:20.0078 3372 MSIServer - ok
17:42:20.0140 3372 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:42:20.0140 3372 MSKSSRV - ok
17:42:20.0218 3372 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
17:42:20.0218 3372 MsMpSvc - ok
17:42:20.0265 3372 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:42:20.0265 3372 MSPCLOCK - ok
17:42:20.0296 3372 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
17:42:20.0296 3372 MSPQM - ok
17:42:20.0328 3372 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:42:20.0328 3372 mssmbios - ok
17:42:20.0406 3372 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
17:42:20.0421 3372 Mup - ok
17:42:20.0453 3372 [ E1CDF20697D992CF83FF86DD04DF1285 ] mxnic C:\WINDOWS\system32\DRIVERS\mxnic.sys
17:42:20.0468 3372 mxnic - ok
17:42:20.0609 3372 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
17:42:20.0734 3372 napagent - ok
17:42:20.0828 3372 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
17:42:20.0875 3372 NDIS - ok
17:42:20.0906 3372 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:42:20.0906 3372 NdisTapi - ok
17:42:20.0953 3372 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:42:20.0953 3372 Ndisuio - ok
17:42:21.0015 3372 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:42:21.0046 3372 NdisWan - ok
17:42:21.0093 3372 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
17:42:21.0109 3372 NDProxy - ok
17:42:21.0140 3372 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
17:42:21.0156 3372 NetBIOS - ok
17:42:21.0234 3372 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
17:42:21.0296 3372 NetBT - ok
17:42:21.0359 3372 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
17:42:21.0406 3372 NetDDE - ok
17:42:21.0437 3372 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
17:42:21.0453 3372 NetDDEdsdm - ok
17:42:21.0484 3372 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
17:42:21.0484 3372 Netlogon - ok
17:42:21.0562 3372 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
17:42:21.0625 3372 Netman - ok
17:42:21.0796 3372 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
17:42:21.0859 3372 Nla - ok
17:42:21.0875 3372 nnsvc - ok
17:42:21.0921 3372 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
17:42:21.0937 3372 Npfs - ok
17:42:22.0125 3372 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
17:42:22.0328 3372 Ntfs - ok
17:42:22.0375 3372 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
17:42:22.0375 3372 NtLmSsp - ok
17:42:22.0546 3372 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
17:42:22.0703 3372 NtmsSvc - ok
17:42:22.0765 3372 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
17:42:22.0765 3372 Null - ok
17:42:22.0781 3372 nuvvid2 - ok
17:42:23.0390 3372 [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:42:24.0015 3372 nv - ok
17:42:24.0062 3372 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:42:24.0078 3372 NwlnkFlt - ok
17:42:24.0093 3372 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:42:24.0109 3372 NwlnkFwd - ok
17:42:24.0109 3372 olregcap - ok
17:42:24.0234 3372 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:42:24.0265 3372 ose - ok
17:42:24.0312 3372 [ C90018BAFDC7098619A4A95B046B30F3 ] P3 C:\WINDOWS\system32\DRIVERS\p3.sys
17:42:24.0328 3372 P3 - ok
17:42:24.0390 3372 [ DCACC2FC7DC0A3D7A60BEB81FA233822 ] PACSPTISVR C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
17:42:24.0531 3372 PACSPTISVR - ok
17:42:24.0578 3372 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
17:42:24.0609 3372 Parport - ok
17:42:24.0625 3372 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
17:42:24.0640 3372 PartMgr - ok
17:42:24.0687 3372 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
17:42:24.0687 3372 ParVdm - ok
17:42:24.0750 3372 [ D0084A9ADE989FE703E4F22171F4E4DC ] PCANDIS5 C:\WINDOWS\system32\PCANDIS5.SYS
17:42:24.0765 3372 PCANDIS5 - ok
17:42:24.0828 3372 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
17:42:24.0843 3372 PCI - ok
17:42:24.0859 3372 PCIDump - ok
17:42:24.0906 3372 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
17:42:24.0906 3372 PCIIde - ok
17:42:24.0984 3372 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
17:42:25.0031 3372 Pcmcia - ok
17:42:25.0031 3372 PDCOMP - ok
17:42:25.0046 3372 PDFRAME - ok
17:42:25.0046 3372 PDRELI - ok
17:42:25.0062 3372 PDRFRAME - ok
17:42:25.0109 3372 [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2 C:\WINDOWS\system32\DRIVERS\perc2.sys
17:42:25.0125 3372 perc2 - ok
17:42:25.0140 3372 [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:42:25.0140 3372 perc2hib - ok
17:42:25.0203 3372 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
17:42:25.0218 3372 PlugPlay - ok
17:42:25.0234 3372 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
17:42:25.0234 3372 PolicyAgent - ok
17:42:25.0281 3372 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:42:25.0312 3372 PptpMiniport - ok
17:42:25.0421 3372 [ BDDCAF3DDD6C54229E8703E6382CA761 ] PrismXL C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
17:42:25.0484 3372 PrismXL - ok
17:42:25.0500 3372 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
17:42:25.0500 3372 ProtectedStorage - ok
17:42:25.0562 3372 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
17:42:25.0578 3372 PSched - ok
17:42:25.0625 3372 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:42:25.0640 3372 Ptilink - ok
17:42:25.0687 3372 [ 86724469CD077901706854974CD13C3E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:42:25.0703 3372 PxHelp20 - ok
17:42:25.0734 3372 [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080 C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:42:25.0750 3372 ql1080 - ok
17:42:25.0796 3372 [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:42:25.0796 3372 Ql10wnt - ok
17:42:25.0828 3372 [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160 C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:42:25.0843 3372 ql12160 - ok
17:42:25.0875 3372 [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240 C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:42:25.0875 3372 ql1240 - ok
17:42:25.0906 3372 [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280 C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:42:25.0921 3372 ql1280 - ok
17:42:25.0953 3372 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:42:25.0953 3372 RasAcd - ok
17:42:26.0015 3372 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
17:42:26.0046 3372 RasAuto - ok
17:42:26.0109 3372 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:42:26.0125 3372 Rasl2tp - ok
17:42:26.0203 3372 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
17:42:26.0265 3372 RasMan - ok
17:42:26.0312 3372 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:42:26.0328 3372 RasPppoe - ok
17:42:26.0375 3372 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
17:42:26.0375 3372 Raspti - ok
17:42:26.0453 3372 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:42:26.0500 3372 Rdbss - ok
17:42:26.0515 3372 RDID1007 - ok
17:42:26.0531 3372 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:42:26.0546 3372 RDPCDD - ok
17:42:26.0640 3372 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:42:26.0718 3372 rdpdr - ok
17:42:26.0812 3372 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
17:42:26.0859 3372 RDPWD - ok
17:42:26.0953 3372 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
17:42:27.0000 3372 RDSessMgr - ok
17:42:27.0031 3372 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
17:42:27.0062 3372 redbook - ok
17:42:27.0109 3372 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
17:42:27.0125 3372 RemoteAccess - ok
17:42:27.0203 3372 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
17:42:27.0218 3372 RpcLocator - ok
17:42:27.0375 3372 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
17:42:27.0375 3372 RpcSs - ok
17:42:27.0468 3372 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
17:42:27.0515 3372 RSVP - ok
17:42:27.0531 3372 s116bus - ok
17:42:27.0546 3372 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
17:42:27.0546 3372 SamSs - ok
17:42:27.0609 3372 [ 39763504067962108505BFF25F024345 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
17:42:27.0609 3372 SASDIFSV - ok
17:42:27.0656 3372 [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
17:42:27.0718 3372 SASKUTIL - ok
17:42:27.0781 3372 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
17:42:27.0828 3372 SCardSvr - ok
17:42:27.0921 3372 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
17:42:27.0984 3372 Schedule - ok
17:42:28.0000 3372 SeaPort - ok
17:42:28.0046 3372 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:42:28.0062 3372 Secdrv - ok
17:42:28.0093 3372 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
17:42:28.0109 3372 seclogon - ok
17:42:28.0156 3372 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
17:42:28.0171 3372 SENS - ok
17:42:28.0203 3372 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] Serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
17:42:28.0203 3372 Serenum - ok
17:42:28.0234 3372 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
17:42:28.0265 3372 Serial - ok
17:42:28.0281 3372 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
17:42:28.0281 3372 Sfloppy - ok
17:42:28.0296 3372 sfsync04 - ok
17:42:28.0437 3372 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
17:42:28.0546 3372 SharedAccess - ok
17:42:28.0609 3372 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
17:42:28.0609 3372 ShellHWDetection - ok
17:42:28.0625 3372 Simbad - ok
17:42:28.0703 3372 [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:42:28.0718 3372 sisagp - ok
17:42:28.0781 3372 [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:42:28.0796 3372 Sparrow - ok
17:42:28.0843 3372 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
17:42:28.0859 3372 splitter - ok
17:42:28.0906 3372 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
17:42:28.0921 3372 Spooler - ok
17:42:28.0937 3372 sprtsvc_dellsupportcenter - ok
17:42:29.0015 3372 [ 1B7447278005E38E464B34A7E841D628 ] SPTISRV C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
17:42:29.0093 3372 SPTISRV - ok
17:42:29.0156 3372 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
17:42:29.0187 3372 sr - ok
17:42:29.0281 3372 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
17:42:29.0328 3372 srservice - ok
17:42:29.0468 3372 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
17:42:29.0593 3372 Srv - ok
17:42:29.0828 3372 [ D795709932C74E00B804D99CF9A3AFD6 ] SS1022 C:\WINDOWS\system32\DRIVERS\SSUSBN51.sys
17:42:30.0156 3372 SS1022 - ok
17:42:30.0234 3372 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
17:42:30.0250 3372 SSDPSRV - ok
17:42:30.0328 3372 [ F05B8D10BD6AD4CBB561E29D5BE2C674 ] SSScsiSV C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
17:42:30.0359 3372 SSScsiSV - ok
17:42:30.0500 3372 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
17:42:30.0609 3372 stisvc - ok
17:42:30.0687 3372 [ 86CA1A5C15A5A98D5533945FB1120B05 ] SunkFilt C:\WINDOWS\System32\Drivers\sunkfilt.sys
17:42:30.0703 3372 SunkFilt - ok
17:42:30.0734 3372 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
17:42:30.0734 3372 swenum - ok
17:42:30.0796 3372 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
17:42:30.0812 3372 swmidi - ok
17:42:30.0828 3372 SwPrv - ok
17:42:30.0875 3372 [ 1FF3217614018630D0A6758630FC698C ] symc810 C:\WINDOWS\system32\DRIVERS\symc810.sys
17:42:30.0875 3372 symc810 - ok
17:42:30.0906 3372 [ 070E001D95CF725186EF8B20335F933C ] symc8xx C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:42:30.0906 3372 symc8xx - ok
17:42:30.0937 3372 [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:42:30.0937 3372 sym_hi - ok
17:42:30.0984 3372 [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3 C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:42:31.0000 3372 sym_u3 - ok
17:42:31.0031 3372 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
17:42:31.0046 3372 sysaudio - ok
17:42:31.0062 3372 sysdown - ok
17:42:31.0125 3372 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
17:42:31.0156 3372 SysmonLog - ok
17:42:31.0281 3372 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
17:42:31.0359 3372 TapiSrv - ok
17:42:31.0500 3372 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:42:31.0625 3372 Tcpip - ok
17:42:31.0687 3372 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
17:42:31.0687 3372 TDPIPE - ok
17:42:31.0750 3372 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
17:42:31.0765 3372 TDTCP - ok
17:42:31.0812 3372 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
17:42:31.0828 3372 TermDD - ok
17:42:31.0953 3372 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
17:42:32.0046 3372 TermService - ok
17:42:32.0109 3372 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
17:42:32.0109 3372 Themes - ok
17:42:32.0171 3372 [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde C:\WINDOWS\system32\DRIVERS\toside.sys
17:42:32.0171 3372 TosIde - ok
17:42:32.0250 3372 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
17:42:32.0281 3372 TrkWks - ok
17:42:32.0281 3372 tsmservice - ok
17:42:32.0343 3372 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
17:42:32.0359 3372 Udfs - ok
17:42:32.0421 3372 [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra C:\WINDOWS\system32\DRIVERS\ultra.sys
17:42:32.0437 3372 ultra - ok
17:42:32.0593 3372 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
17:42:32.0734 3372 Update - ok
17:42:32.0828 3372 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
17:42:32.0890 3372 upnphost - ok
17:42:32.0921 3372 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
17:42:32.0937 3372 UPS - ok
17:42:32.0984 3372 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:42:33.0000 3372 usbccgp - ok
17:42:33.0062 3372 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:42:33.0062 3372 usbehci - ok
17:42:33.0125 3372 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:42:33.0140 3372 usbhub - ok
17:42:33.0187 3372 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:42:33.0187 3372 usbprint - ok
17:42:33.0250 3372 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:42:33.0265 3372 usbscan - ok
17:42:33.0296 3372 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:42:33.0312 3372 USBSTOR - ok
17:42:33.0343 3372 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:42:33.0359 3372 usbuhci - ok
17:42:33.0406 3372 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
17:42:33.0421 3372 VgaSave - ok
17:42:33.0468 3372 [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:42:33.0484 3372 viaagp - ok
17:42:33.0500 3372 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
17:42:33.0500 3372 ViaIde - ok
17:42:33.0531 3372 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
17:42:33.0562 3372 VolSnap - ok
17:42:33.0671 3372 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
17:42:33.0796 3372 VSS - ok
17:42:33.0875 3372 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
17:42:33.0921 3372 W32Time - ok
17:42:33.0968 3372 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:42:33.0984 3372 Wanarp - ok
17:42:34.0062 3372 [ 0A716C08CB13C3A8F4F51E882DBF7416 ] wanatw C:\WINDOWS\system32\DRIVERS\wanatw4.sys
17:42:34.0062 3372 wanatw - ok
17:42:34.0078 3372 WDICA - ok
17:42:34.0125 3372 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
17:42:34.0156 3372 wdmaud - ok
17:42:34.0218 3372 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
17:42:34.0234 3372 WebClient - ok
17:42:34.0500 3372 [ 2DC7C0B6175A0A8ED84A4F70199C93B5 ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
17:42:34.0734 3372 winachsf - ok
17:42:34.0828 3372 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
17:42:34.0875 3372 winmgmt - ok
17:42:34.0937 3372 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
17:42:34.0953 3372 WmdmPmSN - ok
17:42:35.0046 3372 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
17:42:35.0093 3372 WmiApSrv - ok
17:42:35.0437 3372 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
17:42:35.0750 3372 WMPNetworkSvc - ok
17:42:35.0812 3372 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\Drivers\wpdusb.sys
17:42:35.0828 3372 WpdUsb - ok
17:42:35.0890 3372 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:42:35.0906 3372 WS2IFSL - ok
17:42:35.0953 3372 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
17:42:35.0984 3372 wscsvc - ok
17:42:36.0015 3372 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
17:42:36.0031 3372 wuauserv - ok
17:42:36.0093 3372 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:42:36.0125 3372 WudfPf - ok
17:42:36.0187 3372 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
17:42:36.0203 3372 WudfSvc - ok
17:42:36.0406 3372 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
17:42:36.0562 3372 WZCSVC - ok
17:42:36.0625 3372 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
17:42:36.0671 3372 xmlprov - ok
17:42:36.0703 3372 ================ Scan global ===============================
17:42:36.0765 3372 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
17:42:36.0890 3372 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:42:37.0093 3372 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
17:42:37.0156 3372 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
17:42:37.0156 3372 [Global] - ok
17:42:37.0156 3372 ================ Scan MBR ==================================
17:42:37.0203 3372 [ B20939CD98B7710036274839082AE757 ] \Device\Harddisk0\DR0
17:42:37.0250 3372 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
17:42:37.0250 3372 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
17:42:37.0265 3372 ================ Scan VBR ==================================
17:42:37.0265 3372 [ 61A80946A5CF680CABB2ECACE9503F29 ] \Device\Harddisk0\DR0\Partition1
17:42:37.0265 3372 \Device\Harddisk0\DR0\Partition1 - ok
17:42:37.0281 3372 [ 339718BCA0BFF6EB5673B1279951BE06 ] \Device\Harddisk0\DR0\Partition2
17:42:37.0281 3372 \Device\Harddisk0\DR0\Partition2 - ok
17:42:37.0281 3372 ============================================================
17:42:37.0281 3372 Scan finished
17:42:37.0281 3372 ============================================================
17:42:37.0296 2480 Detected object count: 1
17:42:37.0296 2480 Actual detected object count: 1
17:44:28.0937 2480 \Device\Harddisk0\DR0\# - copied to quarantine
17:44:29.0203 2480 \Device\Harddisk0\DR0 - copied to quarantine
17:44:29.0500 2480 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
17:44:29.0656 2480 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
17:44:29.0875 2480 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
17:44:31.0109 2480 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
17:44:36.0296 2480 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
17:44:36.0421 2480 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
17:44:36.0437 2480 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
17:44:36.0531 2480 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
17:44:37.0031 2480 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
17:44:37.0109 2480 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
17:44:37.0187 2480 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
17:44:37.0203 2480 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
17:44:37.0328 2480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
17:44:37.0343 2480 \Device\Harddisk0\DR0 - ok
17:44:37.0484 2480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
17:44:48.0734 3100 Deinitialize success


Microsoft Security Essentials Detected Items*

Detected Item                  Alert Level  Date              Action
Trojan:Win32/Orsam!rts         High         11/14/2012 17:51  Quarantined
Trojan:Win32/Alureon.gen!AD    Severe       11/14/2012 17:51  Quarantined
Trojan:DOS/Alureon.J           Severe       11/14/2012 17:51  Quarantined
Trojan:Win64/Alureon.gen!L     Severe       11/14/2012 17:51  Quarantined
Trojan:Win64/Alureon.gen!F     Severe       11/14/2012 17:51  Quarantined

* These items were automatically detected by Microsoft Security Essentials after TDSSKiller was run. I subsequently deleted them from my computer.


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-14 17:54:52
-----------------------------
17:54:52.546 OS Version: Windows 5.1.2600 Service Pack 3
17:54:52.546 Number of processors: 1 586 0x401
17:54:52.546 ComputerName: KEN UserName:
17:54:54.171 Initialize success
17:58:36.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:58:36.968 Disk 0 Vendor: ST3100011A 3.02 Size: 95396MB BusType: 3
17:58:36.984 Disk 0 MBR read successfully
17:58:36.984 Disk 0 MBR scan
17:58:36.984 Disk 0 unknown MBR code
17:58:36.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 92012 MB offset 6924015
17:58:37.000 Disk 0 Partition 2 00 0B FAT32 RECOVERY 3380 MB offset 63
17:58:37.000 Disk 0 scanning sectors +195366465
17:58:37.109 Disk 0 scanning C:\WINDOWS\system32\drivers
17:58:56.312 Service scanning
17:59:19.109 Service MpKsl818bb112 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C84D7400-5590-44EF-8A90-CF1C0F261A70}\MpKsl818bb112.sys **LOCKED** 32
17:59:44.078 Modules scanning
18:00:10.375 Disk 0 trace - called modules:
18:00:10.390 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:00:10.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8734c030]
18:00:10.890 3 CLASSPNP.SYS[f77b2fd7] -> nt!IofCallDriver -> \Device\00000087[0x87373eb0]
18:00:10.890 5 ACPI.sys[f767b620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8735a940]
18:00:10.890 Scan finished successfully
18:00:41.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\BleepingComputer-3rd Message\MBR.dat"
18:00:41.421 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\BleepingComputer-3rd Message\aswMBR.txt"
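The two logs above report the same disk from two angles: TDSSKiller hashes \Device\Harddisk0\DR0, flags it as Rootkit.Boot.Pihar.c and quarantines a hidden TDLFS volume, while aswMBR reads the MBR, prints the partition table and reports "unknown MBR code" before scanning sectors past the last partition. The following is an added example, not code from TDSSKiller, aswMBR or anyone in this thread, showing what those checks amount to when done by hand on a raw 512-byte sector: parse the partition entries, hash only the boot-code region against a caller-supplied allowlist (the allowlist and the 1024-sector tail threshold are assumptions), and measure the unpartitioned space after the last partition, which is where TDL4-family bootkits keep their hidden file system. The sample MBR is constructed from the partition values aswMBR printed; its boot-code bytes are filler, not the real code from the infected machine.

```python
"""Parse a 512-byte MBR and surface the bootkit indicators the thread's tools report.

Constructed example for this thread; not code from TDSSKiller, aswMBR or
BleepingComputer. The sample MBR is synthetic: its partition table is built
from the aswMBR output, its boot code is filler. The known-good hash set is
an assumption the caller fills in from a trusted image of the same OS.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..445: disk signature + pad
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
SIGNATURE_OFF = 510        # 0x55 0xAA
TAIL_ALERT_SECTORS = 1024  # assumed threshold: more than 512 KiB of unpartitioned tail is worth dumping

PARTITION_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:      # exclusive
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    def describe(self) -> str:
        flag = "80 (A)" if self.bootable else "00"
        name = PARTITION_TYPES.get(self.type_id, "unknown")
        return f"Partition {self.index} {flag} {self.type_id:02X} {name} {self.size_mb} MB offset {self.lba_start}"


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table, in table order."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + i * 16)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def assess_mbr(mbr: bytes, disk_sectors: int, known_good_md5: Set[str]) -> Dict:
    """Check boot-code identity, partition-table sanity and unpartitioned tail space."""
    parts = parse_partition_table(mbr)
    findings = []
    # Hash only the code region: disk signature and partition table differ per machine,
    # so a whole-sector hash would never match an allowlist.
    code_md5 = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    if code_md5 not in known_good_md5:
        findings.append(f"unknown MBR code (md5 {code_md5})")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    last_end = max((p.lba_end for p in parts), default=0)
    tail = disk_sectors - last_end
    if tail > TAIL_ALERT_SECTORS:
        findings.append(f"{tail} unpartitioned sectors after partition end (LBA {last_end}); "
                        "TDL4-family bootkits keep their hidden file system there")
    return {"partitions": parts, "boot_code_md5": code_md5,
            "unpartitioned_tail_sectors": tail, "findings": findings}


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a synthetic MBR: filler boot code plus (status, type, lba, count) entries."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + i * 16, *entry)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


# Constructed from the aswMBR output in this thread (sizes converted at 2048 sectors per MB).
SAMPLE_DISK_SECTORS = 95396 * 2048
SAMPLE_MBR = build_sample_mbr(
    b"\xfa\x33\xc0" + b"\x90" * 437,       # filler, NOT the real boot code from the machine
    [(0x80, 0x07, 6924015, 92012 * 2048),  # Partition 1 80 (A) 07 HPFS/NTFS 92012 MB offset 6924015
     (0x00, 0x0B, 63, 3380 * 2048)],       # Partition 2 00 0B FAT32 3380 MB offset 63
)

if __name__ == "__main__":
    report = assess_mbr(SAMPLE_MBR, SAMPLE_DISK_SECTORS, known_good_md5=set())
    for p in report["partitions"]:
        print(p.describe())
    for f in report["findings"]:
        print("finding:", f)
```

On the sample disk the tail works out to 6417 sectors, and the offset aswMBR reported scanning (+195366465) falls inside that region. On a real case the 512 bytes would come from `\\.\PhysicalDrive0` read by a tool you trust, ideally from a boot CD, since a bootkit that hooks the disk stack can hand a clean sector to anything running under the infected kernel; that is why TDSSKiller writes "will be cured on reboot" rather than patching the sector live.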

#8 gringo_pr (Malware Response Team)

Posted 14 November 2012 - 09:18 PM

Greetings

Funny how MSE was able to get at it only after we ran our tools

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 riley45 (Topic Starter)

Posted 15 November 2012 - 12:10 PM

Per your instructions, I created the CFScript.txt file and then dragged it into the ComboFix.exe file, causing ComboFix to begin running.

During the run of ComboFix, a window popped up indicating that Rootkit.ZeroAccess! located in the tcp/ip stack was detected, and then another window popped up stating that "Rootkit was detected". (As a point of information, my previous run of ComboFix on Monday produced these same two messages.) ComboFix next prompted me to reboot my computer and then completed the scan without producing any additional warning or detection messages.

This run of ComboFix took about 40 minutes to complete compared to my previous run which took just over an hour. Moreover, my run of ComboFix today went smoothly without any computer freeze ups or other glitches.

My computer seems to be running properly without any Google redirects or other problems.

Here are the contents of the log file from today's run of ComboFix:


ComboFix 12-11-14.01 - Owner 11/15/2012 10:02:20.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1007.698 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\BleepingComputer-2ndMessage\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\BleepingComputer-2ndMessage\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-15 to 2012-11-15 )))))))))))))))))))))))))))))))
.
.
2012-11-15 02:04 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{26A0125B-9F15-467D-84D7-B2F4A4BAEA07}\mpengine.dll
2012-11-15 01:57 . 2012-11-15 01:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2012-11-14 00:48 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-13 01:37 . 2012-11-13 01:37 -------- d-----w- c:\program files\Common Files\Java
2012-11-13 01:36 . 2012-11-13 01:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-13 01:36 . 2012-11-13 01:36 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-13 01:32 . 2012-11-13 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-11-10 19:17 . 2012-11-10 19:26 -------- d-----w- c:\program files\stinger
2012-11-04 01:04 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-11-04 01:04 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-11-04 01:04 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-11-04 01:04 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-13 01:36 . 2011-11-07 04:47 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-22 08:37 . 2005-03-23 16:53 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-13 01:24 . 2012-10-13 01:24 1409 ----a-w- c:\windows\QTFont.for
2012-10-02 18:04 . 2005-03-23 16:52 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2011-10-07 01:28 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2005-03-23 16:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2005-03-23 16:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2005-03-23 16:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2005-03-23 16:52 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2005-03-23 16:53 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2005-03-23 16:52 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-04 05:59 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 03:26 . 2011-02-09 03:26 27024112 ----a-w- c:\program files\PowerPointViewer.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-11 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 185896]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Siemens SpeedStream Wireless USB.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Siemens SpeedStream Wireless USB.lnk
backup=c:\windows\pss\Siemens SpeedStream Wireless USB.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-05-11 16:23 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-27 01:41 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R3 SS1022;Siemens SpeedStream Wireless USB Driver;c:\windows\system32\drivers\SSUSBN51.sys [3/11/2007 12:03 PM 588160]
S1 leqpktih;leqpktih;\??\c:\windows\system32\drivers\leqpktih.sys --> c:\windows\system32\drivers\leqpktih.sys [?]
S2 EBPYWGVK;EBPYWGVK;\??\c:\windows\system32\ebpywgvk.agr --> c:\windows\system32\ebpywgvk.agr [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
int15
iomegaaccess
nnsvc
sprtsvc_dellsupportcenter
olregcap
mctskshd.exe
tsmservice
nuvvid2
sfsync04
mclserviceatl
SeaPort
MKEMUSB
hclinetd
CTEXFIFX.DLL
lmouflt2
sysdown
ctdvda2k
s116bus
driverhardwarev2
RDID1007
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:58]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:58]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1704833363-758890274-2038612096-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 13:48]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1704833363-758890274-2038612096-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 13:48]
.
2012-11-15 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2012-11-15 c:\windows\Tasks\User_Feed_Synchronization-{C6EF6733-F01A-486F-B22E-DC9407039ED5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{ADCCC00B-5FE3-48CC-B779-B4B07275D68C}: DhcpNameServer = 192.168.2.1
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-01270830.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-15 10:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EBPYWGVK]
"ImagePath"="\??\c:\windows\system32\ebpywgvk.agr"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\Root\LEGACY_NDISPROT.SYS\0000]
@DACL=(02 0000)
"Service"="Ndisprot.sys"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Ndisprot.sys"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0084"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-11-15 10:30:42
ComboFix-quarantined-files.txt 2012-11-15 15:30
ComboFix2.txt 2012-11-13 00:02
ComboFix3.txt 2011-09-25 03:04
.
Pre-Run: 41,859,940,352 bytes free
Post-Run: 42,081,468,416 bytes free
.
- - End Of File - - 1D8FFC36454CD41DB4DB0D5182A2115E

#10 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • Gender:Male

Posted 15 November 2012 - 12:52 PM

As a follow-up to my reply from a few minutes ago, I would like to add the following:

My Microsoft Security Essentials (MSE) just prompted me that the following updates are available to install on my computer:

Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2698023)

I selected the recommended Express Install for these updates, and MSE began to install these updates on my computer. The installation seemed to be proceeding normally, but just before the installation appeared to be complete, I received a message from MSE stating that these updates could not be installed.

Is MSE's inability to install these updates on my PC in any way related to the problems that were detected by ComboFix and the other scanning tools that you asked me to run, or is this a separate issue?

Please advise.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 November 2012 - 01:01 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 7.0.9
Babylon toolbar on IE
Coupon Printer for Windows
Java™ 6 Update 23


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • Gender:Male

Posted 15 November 2012 - 09:55 PM

I downloaded and ran the Revo Uninstaller and used it to remove the Coupon Printer for Windows and Java 6 Update 23 from my system. The Babylon Toolbar for IE was not in the add/remove list as this item was deleted by one of the previous scans that I performed. I decided not to remove my current version of Acrobat Reader (version 7.0.9) as the latest version of this software (version 11) requires a 1024x768 screen resolution whereas my monitor has a 800x600 resolution. In light of this, what do you recommend I do with regards to my Adobe Reader?

I then downloaded and installed the latest version of Java (Version 7 Update 9) onto my computer.

Next, I downloaded and ran CCleaner according to your instructions.

Finally, I did a quick scan with Malwarebytes as well as a scan with HijackThis. No malicious items were found by Malwarebytes.

My computer continues to work properly without any Google redirects. However, the file C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec\Microsoft\vpnphrtv.dll -- which was created on the day that I started getting the Google redirects and, as I previously mentioned, seemed to be the cause of the problem -- still exists on my system. Should I manually delete this file?

The logs from both the Malwarebytes and HijackThis runs are shown below:



Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.15.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: KEN [administrator]

11/15/2012 17:42:05
mbam-log-2012-11-15 (17-42-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208408
Time elapsed: 14 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:12:24, on 11/15/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342294003531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://incommsolutions.webex.com/client/WBXclient-T27L10NSP31-13320/webex/ieatgpc.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3606.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.163;85.255.112.121
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.163;85.255.112.121
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7724 bytes
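As an added triage example (not part of the thread, of HijackThis or of ComboFix), the Python below parses the two log formats quoted above: HijackThis O17 NameServer lines, flagging resolvers that are public addresses other than the router ComboFix reported as DhcpNameServer (192.168.2.1), and ComboFix R/S service lines, flagging images ComboFix could not read ("[?]"), images with a non-executable extension, and images loaded from a Temp directory. The sample lines are constructed from the formats in this thread; a flag means "verify", not "malicious".

```python
"""Triage of HijackThis O17 entries and ComboFix service lines.
Added example; sample data is constructed from the log formats in the thread."""
import ipaddress
import re

# Constructed sample in the HijackThis log format (modelled on the log above).
HJT_SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.163;85.255.112.121
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.163;85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

# Constructed sample in the ComboFix service-list format: start-type name;display;image [details].
COMBOFIX_SAMPLE = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R3 SS1022;Siemens SpeedStream Wireless USB Driver;c:\windows\system32\drivers\SSUSBN51.sys [3/11/2007 12:03 PM 588160]
S1 leqpktih;leqpktih;\??\c:\windows\system32\drivers\leqpktih.sys --> c:\windows\system32\drivers\leqpktih.sys [?]
S2 EBPYWGVK;EBPYWGVK;\??\c:\windows\system32\ebpywgvk.agr --> c:\windows\system32\ebpywgvk.agr [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mfe_rr.sys [?]
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>\S+)")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
EXECUTABLE_EXT = (".sys", ".exe", ".dll")


def parse_o17(log_text):
    """Return [(registry_key, [resolver, ...])] for every O17 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            resolvers = [s for s in re.split(r"[;,]+", m.group("servers")) if s]
            entries.append((m.group("key"), resolvers))
    return entries


def flag_o17(log_text, expected_dns):
    """Flag O17 entries whose resolvers are public addresses outside expected_dns.

    expected_dns is what the host should use (here the router ComboFix listed as
    DhcpNameServer). Private and loopback addresses are treated as local and not flagged.
    """
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    flagged = []
    for key, resolvers in parse_o17(log_text):
        suspicious = []
        for s in resolvers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                suspicious.append(s)  # not an address at all; still worth a look
                continue
            if ip not in expected and not (ip.is_private or ip.is_loopback):
                suspicious.append(s)
        if suspicious:
            flagged.append((key, suspicious))
    return flagged


def parse_services(log_text):
    """Return [(start_type, name, image_path, unresolved)] from ComboFix service lines.

    unresolved is True when ComboFix printed "[?]" instead of a date and size.
    """
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").rstrip()
        unresolved = rest.endswith("[?]")
        path = re.sub(r"\s*\[[^\]]*\]$", "", rest)  # drop trailing "[date size]" or "[?]"
        path = path.split(" --> ")[0]               # keep the registry form, not the resolved copy
        if path.startswith("\\??\\"):               # strip the NT object-manager prefix
            path = path[4:]
        services.append((m.group("start"), m.group("name"), path, unresolved))
    return services


def review_services(log_text):
    """Return {service_name: [reason, ...]} for entries a responder should verify by hand."""
    findings = {}
    for start, name, path, unresolved in parse_services(log_text):
        low = path.lower()
        reasons = []
        if unresolved:
            reasons.append("ComboFix could not read the image file ([?])")
        if not low.endswith(EXECUTABLE_EXT):
            reasons.append("image has a non-executable extension: ." + low.rsplit(".", 1)[-1])
        if "\\temp\\" in low:
            reasons.append("image loads from a Temp directory")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for key, bad in flag_o17(HJT_SAMPLE, ["192.168.2.1"]):
        print("O17", key, "->", ", ".join(bad))
    for name, reasons in review_services(COMBOFIX_SAMPLE).items():
        print("service", name, "->", "; ".join(reasons))
```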

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 November 2012 - 10:09 PM

Greetings

In that post I have linked to a program called Foxit Reader. Try that; I like it a lot, and if it works fine then dump Adobe.

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. You can start any of these programs by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, e.g.:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo

#14 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • Gender:Male

Posted 16 November 2012 - 04:59 AM

I ran HijackThis which found the four start up entries listed in your previous post. Per your recommendation, I put a check mark next to each of these items and then clicked on the "Fix checked" button.

I then downloaded and ran the ESET Online Scanner. The scan found 23 potential threats.

When I turned my Microsoft Security Essentials (MSE) back on following the ESET scan, MSE detected the trojan Backdoor:Win32/Cycbot!cfg which it quarantined and subsequently deleted from my computer.

MSE also prompted me to install the following updates on my computer:

Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2698023)

These are the same updates that MSE prompted me to install following my run of ComboFix yesterday. As before, when I selected the recommended Express Install for these updates, the installation seemed to be proceeding normally, but just before the installation appeared to be complete, I received a message from MSE stating that these updates could not be installed.

Here is the log file from the ESET scan:


C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\extensions\ddrbbxnzwu@ddrbbxnzwu.org.xpi JS/Redirector.NCI trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aagcdedcdegfgeddgegbgegedegdgbgg\background.html Win32/BHO.OEI trojan
C:\Documents and Settings\Owner\Local Settings\Application Data\{6417728F-C791-11E1-8270-B8AC6F996F26}\manager.js JS/Redirector.NCG trojan
C:\Documents and Settings\Owner\My Documents\SmitfraudFix.exe multiple threats
C:\Documents and Settings\Owner\My Documents\SmitfraudFix\Process.exe Win32/PrcView application
C:\Documents and Settings\Owner\My Documents\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
C:\My Documents Mike 12-12-07\Downloaded Executeable Programs\BearInst.exe a variant of Win32/Adware.OnFlow.AA application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjkRBcdd.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjkRBcdd.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041029.dll a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041030.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041031.exe probably a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041032.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041034.dll Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0042234.exe Win32/PrcView application
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\zafs0000\tsk0010.dta Win32/Olmarik.AVQ trojan
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\zafs0000\tsk0017.dta probably a variant of Win32/Agent.GSJKHXJ trojan
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\zafs0000\tsk0019.dta Win32/Sirefef.ES trojan
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\zafs0000\tsk0021.dta a variant of Win32/Sirefef.EU trojan
C:\TDSSKiller_Quarantine\14.11.2012_17.41.49\mbr0000\tdlfs0000\tsk0002.dta a variant of Win64/Olmarik.AM trojan
C:\TDSSKiller_Quarantine\14.11.2012_17.41.49\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 November 2012 - 02:18 PM

Hello

try going to windows update and updating it from there

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rem Firefox extension flagged by ESET: remove it whether it is a packed .xpi file or an unpacked folder
    del /f /q "C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\extensions\ddrbbxnzwu@ddrbbxnzwu.org.xpi"
    rd /s /q "C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\48ppap2b.default\extensions\ddrbbxnzwu@ddrbbxnzwu.org.xpi"
    rem Chrome extension folder flagged as Win32/BHO.OEI
    rd /s /q "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aagcdedcdegfgeddgegbgegedegdgbgg\"
    rem JS/Redirector files inside the {GUID} folder
    del /f /s /q "C:\Documents and Settings\Owner\Local Settings\Application Data\{6417728F-C791-11E1-8270-B8AC6F996F26}\"
    rem Old SmitfraudFix files and the adware installer
    del /f /s /q "C:\Documents and Settings\Owner\My Documents\SmitfraudFix.exe"
    del /f /s /q "C:\Documents and Settings\Owner\My Documents\SmitfraudFix\Process.exe"
    del /f /s /q "C:\Documents and Settings\Owner\My Documents\SmitfraudFix\restart.exe"
    del /f /s /q "C:\My Documents Mike 12-12-07\Downloaded Executeable Programs\BearInst.exe"
    rem Remove this batch file once it has run
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: [screenshot: XP] [screenshot: Vista]
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\), and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware - the gold standard today in antimalware scanners.

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->[donate button]<-- Don't worry every little bit helps.

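As an added example (not code from this thread or from any of the tools it mentions), the Python below applies the triage rule the helper gives above to ESET scan lines: anything under a tool quarantine or System Restore folder is an inert copy, everything else is still live, and the live entries are turned into the same kind of self-deleting delfile.bat. The folder prefixes, the line format and the category words are assumptions read off the log posted in this thread.

```python
import re

# Folders the helper's reply identifies as holding only inert copies: tool quarantines
# and System Restore snapshots (assumed prefixes, taken from the paths in this thread).
BACKUP_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\tdsskiller_quarantine\\",
    "c:\\system volume information\\",
)

# An ESET Online Scanner line reads "<path> <detection name> <category>". Paths may
# contain spaces, so the line is matched from the right: the category is one of ESET's
# fixed words (assumed: trojan / application / multiple threats) and the detection name
# is a single token with optional "probably" / "a variant of" prefixes.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+"
    r"(?P<detection>multiple threats|(?:probably )?(?:a variant of )?\S+ (?:trojan|application))$"
)

def parse_line(line):
    """Return (path, detection) for one scan line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return (m.group("path"), m.group("detection")) if m else None

def is_backup_copy(path):
    """True when the flagged item is a quarantine copy or a restore-point file."""
    return path.lower().startswith(BACKUP_PREFIXES)

def triage(log_text):
    """Split a scan log into still-live items and inert backups, keeping log order."""
    live, backups = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            (backups if is_backup_copy(parsed[0]) else live).append(parsed)
    return {"live": live, "backups": backups}

def removal_batch(live):
    """Lines of a self-deleting .bat that removes the live files, like the helper's delfile.bat."""
    return ["@echo off"] + [f'del /f /q "{path}"' for path, _ in live] + ["del %0"]

# Constructed sample: five lines copied from the ESET log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\My Documents\SmitfraudFix.exe multiple threats
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application
C:\My Documents Mike 12-12-07\Downloaded Executeable Programs\BearInst.exe a variant of Win32/Adware.OnFlow.AA application
C:\TDSSKiller_Quarantine\11.04.2012_16.28.06\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP328\A0041031.exe probably a variant of Win32/Toolbar.Babylon application
"""
```

Running `triage(SAMPLE_LOG)` leaves only the SmitfraudFix.exe and BearInst.exe entries in the live list; the other three land in backups, which matches the helper's reading of the full log.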