
Sirefef Gen!C Infection. Need assistance to remove em.


  • This topic is locked
26 replies to this topic

#1 kokonapa

  • Members
  • 14 posts

Posted 17 May 2013 - 01:50 AM

Hello Sifus and Gurus,

 

I posted about my Sirefef Gen!c problem a while ago here and I was directed to inquire here, after I completed several procedures (downloading and running dds).

 

Well basically, my browser told me that my computer is infected by a Sirefef Gen!c. I also realized that I can't access pretty much everything that is password-based, e.g. fb, twitter, college portal.

 

I tried installing Microsoft Security Essentials as suggested by the browser but the installation could not complete. It says something about 0x80070643 error. I'm pretty sure that I don't have any other security tools that might interrupt the installation.

 

Your kind assistance is very much appreciated. 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by Azmil Zulkifli at 14:46:35 on 2013-05-17
Microsoft Windows XP Home Edition  5.1.2600.3.1252.27.1033.18.3327.2608 [GMT 8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
C:\Program Files\Garena Plus\GarenaMessenger.exe
C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
C:\Documents and Settings\Azmil Zulkifli\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\PANDORA.TV\PanService\PandoraService.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Garena Plus\bbtalk\GarenaTalkOverlay.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: mixidj Helper Object: {4D6A9BBF-402C-4301-B1EF-28D04F71D761} - c:\program files\mixidj\mixidj\1.8.4.1\bh\mixidj.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: MixiDJ Toolbar: {CA9B9C89-4662-4ADC-9C23-A452BECD5D19} - c:\program files\mixidj\mixidj\1.8.4.1\mixidjTlbr.dll
uRun: [Google Update] "c:\documents and settings\azmil zulkifli\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
StartupFolder: c:\docume~1\azmilz~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\azmil zulkifli\application data\dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{213A05C2-A704-4F45-94F8-53FB0A95F926} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll 
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 BrowserProtect;BrowserProtect;c:\documents and settings\all users\application data\browserprotect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2013-5-14 2787280]
R2 PanService;PandoraService;c:\program files\pandora.tv\panservice\PandoraService.exe [2012-3-24 624856]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2012-3-24 632792]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-4-15 3289208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-2-28 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-2-29 13192]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-2-29 8456]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena plus\room\safedrv.sys --> c:\program files\garena plus\room\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-05-16 23:42:34 -------- d-----w- c:\program files\Enigma Software Group
2013-05-16 23:42:19 -------- d-----w- c:\windows\4941BFEB62C047A2801E998FC469CC2C.TMP
2013-05-16 23:42:17 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2013-05-16 22:13:37 -------- d-----w- C:\780541799b799e0ced
2013-05-16 17:42:35 -------- d-----w- c:\windows\system32\NtmsData
2013-05-16 17:32:43 -------- d-----w- c:\documents and settings\all users\application data\Avira
2013-05-14 04:41:28 6906960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5869e37e-164e-4f8f-a636-9a16c0dbcea7}\mpengine.dll
2013-05-12 19:24:23 6906960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-12 19:24:23 6906960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2ede2f9f-6952-40b4-bde5-f985f67df15c}\mpengine.dll
2013-05-10 18:47:59 -------- d-----w- c:\program files\Mail Password
2013-05-10 04:32:37 -------- d-----r- c:\program files\Skype
2013-04-29 07:22:27 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-29 07:13:52 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-27 20:16:33 -------- d-----w- c:\program files\Mega Codec Pack
2013-04-17 19:22:35 -------- d-----w- c:\documents and settings\azmil zulkifli\application data\mixidj
.
==================== Find3M  ====================
.
2013-05-15 12:00:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 12:00:20 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-29 07:33:10 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 14:46:44.76 ===============
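As an added example (not part of the thread and not code from DDS or any other tool named here), a small Python triage script that walks DDS-style "Pseudo HJT Report" and "SERVICES / DRIVERS" lines like the ones above and lists the persistence entries that deserve a second look: any AppInit_DLLs value at all, and Run entries, BHOs or running services whose binary lives under the user profile or Application Data rather than Program Files or System32. The sample input is constructed from lines in the log above; the flagging rules are my own heuristics, not anything DDS itself reports.

```python
"""Triage persistence entries from a DDS 'Pseudo HJT Report' / services listing.

Flags entries that deserve a closer look: anything in AppInit_DLLs, and
startup items, BHOs or services whose binary lives in a user-writable
location (profile / Application Data / Temp). Output is review leads, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: mixidj Helper Object: {4D6A9BBF-402C-4301-B1EF-28D04F71D761} - c:\program files\mixidj\mixidj\1.8.4.1\bh\mixidj.dll
uRun: [Google Update] "c:\documents and settings\azmil zulkifli\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 BrowserProtect;BrowserProtect;c:\documents and settings\all users\application data\browserprotect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [2013-5-14 2787280]
"""

# Path fragments (long and 8.3 short forms) that mean "writable by the user" on XP.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\", "\\locals~1\\",
    "\\temp\\",
)

# DDS line shapes, as seen in the posted log.
BHO_RE = re.compile(r"^BHO: (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?: \[[^\]]*\])?$")


@dataclass
class Finding:
    kind: str    # "AppInit_DLLs", "Run", "BHO" or "Service"
    name: str
    path: str
    reason: str


def command_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line ("quoted" or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def triage(dds_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # A non-empty AppInit_DLLs value is loaded into every process that
            # links user32.dll, so it is always worth a look. DDS prints 8.3
            # short names here, so splitting on whitespace is safe.
            for dll in m["dlls"].split():
                findings.append(Finding("AppInit_DLLs", "AppInit_DLLs", dll,
                                        "DLL injected into every user32-linked process"))
        elif m := BHO_RE.match(line):
            if in_user_writable(m["path"]):
                findings.append(Finding("BHO", m["name"], m["path"],
                                        "BHO loaded from user-writable path"))
        elif m := RUN_RE.match(line):
            path = command_path(m["cmd"])
            if in_user_writable(path):
                hive = "HKCU" if m["hive"] == "u" else "HKLM"
                findings.append(Finding("Run", m["name"], path,
                                        f"{hive} Run entry in user-writable path"))
        elif m := SVC_RE.match(line):
            # Only running services (R*) are flagged; stopped ones (S*) still
            # appear in the list but are lower priority for triage.
            if m["state"].startswith("R") and in_user_writable(m["path"]):
                findings.append(Finding("Service", m["name"], m["path"],
                                        "running service from user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:<13} {f.name:<16} {f.reason}\n    {f.path}")
```

The hits are review leads, not verdicts: legitimate per-user installers such as Google Update also live under Application Data, so each flagged entry still has to be checked against what the user knowingly installed.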



 


#2 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 17 May 2013 - 06:26 AM

Hello kokonapa and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

======================================================

Please run these in the order requested.

Run TDSSKiller

Please download TDSSKiller.zip

  • extract it to your desktop
  • double click TDSSKiller.exe
  • press Start Scan
    • only if Malicious objects are found then ensure Cure is selected. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.
    • then click Continue > Reboot now
  • copy and paste the log in your next reply.
    • A copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (*** denotes version & date)

======================================================

Download and run ComboFix

Download ComboFix from the following location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop
 

  • disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • see this Link for programs that need to be disabled and instructions on how to disable them.
  • remember to re-enable them when we're done.
  • double click on ComboFix.exe & follow the prompts.
  • as part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: IftheCFrecconsisalreadyinstalled.jpg]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: WhenCFrecconsisinstalled.jpg]


    Click on Yes, to continue scanning for malware.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

Please also remember to include the TDSSKiller log

Thanks

Satchfan

 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 kokonapa
  • Topic Starter
  • Members
  • 14 posts

Posted 17 May 2013 - 05:59 PM

Hi Satchfan,

 

I followed the steps you provided. There's no problem for me running tdsskiller.

 

However I'm having a bit of a problem running combofix.

It is taking an awful lot of time, now nearing three hours already. Is this normal?

It is now 'stuck' after stage 50.

 

Okay, let me back up a little. I ran the combofix and it says that an antivirus program is detected, which is the MSE. It asked me to turn off MSE but I recalled that I already uninstalled it through the remove program function in control panel. Also, there are no MSE program files in my local disk, however there is an MSE launch button in my 'start' bar.

 

I reckon this could probably be because there are residual MSE files from me trying to uninstall/re-install MSE, so I clicked OK so that the combofix can run. After a while, a window popped up saying that I am infected with Rootkit.ZeroAccess! and it needs to reboot. After rebooting, combofix resumed its scan up until stage 50.



#4 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 18 May 2013 - 02:20 AM

Can you post the TDSSK log and also look to see if a ComboFix log has been produced; ComboFix logs are located at c:\combofix.txt, older logs are at c:\qoobox\combofix2.txt, c:\qoobox\ComboFix3.txt etc

 

Run RogueKiller


IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download one of these to your desktop:


for a 32-bit system download this version.
for 64-bit use this one.

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

 

Please post the contents of the RKreport.txt in your next reply with the TDSSK log and ComboFix log if there is one.
 

Thanks

 

Satchfan




#5 kokonapa
  • Topic Starter
  • Members
  • 14 posts

Posted 18 May 2013 - 05:59 AM

Hi Satchfan,

 

I tried looking for the combofix log, but it is nowhere to be found. I looked into the three directories you gave me, but I came up empty.

 

Anyway, here is the copy of tdssk log and RK report.

 

 

02:01:20.0156 2332  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
02:01:20.0812 2332  ============================================================
02:01:20.0812 2332  Current date / time: 2013/05/18 02:01:20.0812
02:01:20.0812 2332  SystemInfo:
02:01:20.0812 2332  
02:01:20.0812 2332  OS Version: 5.1.2600 ServicePack: 3.0
02:01:20.0812 2332  Product type: Workstation
02:01:20.0812 2332  ComputerName: AZMIL
02:01:20.0812 2332  UserName: Azmil Zulkifli
02:01:20.0812 2332  Windows directory: C:\WINDOWS
02:01:20.0812 2332  System windows directory: C:\WINDOWS
02:01:20.0812 2332  Processor architecture: Intel x86
02:01:20.0812 2332  Number of processors: 2
02:01:20.0812 2332  Page size: 0x1000
02:01:20.0812 2332  Boot type: Normal boot
02:01:20.0812 2332  ============================================================
02:01:21.0750 2332  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
02:01:21.0906 2332  Drive \Device\Harddisk5\DR7 - Size: 0x1E3000000 (7.55 Gb), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
02:01:21.0906 2332  ============================================================
02:01:21.0906 2332  \Device\Harddisk0\DR0:
02:01:21.0906 2332  MBR partitions:
02:01:21.0906 2332  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC99F129
02:01:21.0937 2332  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC99F1A7, BlocksNum 0x18A8E51A
02:01:21.0937 2332  \Device\Harddisk5\DR7:
02:01:21.0937 2332  MBR partitions:
02:01:21.0937 2332  \Device\Harddisk5\DR7\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0xF17FC1
02:01:21.0937 2332  ============================================================
02:01:21.0968 2332  C: <-> \Device\Harddisk0\DR0\Partition1
02:01:22.0000 2332  I: <-> \Device\Harddisk0\DR0\Partition2
02:01:22.0000 2332  ============================================================
02:01:22.0000 2332  Initialize success
02:01:22.0000 2332  ============================================================
02:01:25.0250 3724  ============================================================
02:01:25.0250 3724  Scan started
02:01:25.0250 3724  Mode: Manual; 
02:01:25.0250 3724  ============================================================
02:01:26.0312 3724  ================ Scan system memory ========================
02:01:26.0312 3724  System memory - ok
02:01:26.0312 3724  ================ Scan services =============================
02:01:26.0531 3724  Abiosdsk - ok
02:01:26.0546 3724  abp480n5 - ok
02:01:26.0578 3724  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
02:01:26.0578 3724  ACPI - ok
02:01:26.0625 3724  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
02:01:26.0625 3724  ACPIEC - ok
02:01:26.0671 3724  [ F040037B149FD0F5A5044AE563390FA7 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
02:01:26.0671 3724  AdobeFlashPlayerUpdateSvc - ok
02:01:26.0687 3724  adpu160m - ok
02:01:26.0703 3724  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
02:01:26.0703 3724  aec - ok
02:01:26.0734 3724  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\system32\DRIVERS\AFD.SYS
02:01:26.0734 3724  AFD - ok
02:01:26.0750 3724  Aha154x - ok
02:01:26.0750 3724  aic78u2 - ok
02:01:26.0750 3724  aic78xx - ok
02:01:26.0781 3724  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
02:01:26.0781 3724  Alerter - ok
02:01:26.0796 3724  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
02:01:26.0796 3724  ALG - ok
02:01:26.0796 3724  AliIde - ok
02:01:26.0843 3724  [ 267FC636801EDC5AB28E14036349E3BE ] Ambfilt         C:\WINDOWS\system32\drivers\Ambfilt.sys
02:01:26.0875 3724  Ambfilt - ok
02:01:26.0875 3724  amsint - ok
02:01:26.0875 3724  AppMgmt - ok
02:01:26.0890 3724  asc - ok
02:01:26.0890 3724  asc3350p - ok
02:01:26.0890 3724  asc3550 - ok
02:01:26.0968 3724  [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
02:01:26.0984 3724  aspnet_state - ok
02:01:27.0000 3724  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
02:01:27.0000 3724  AsyncMac - ok
02:01:27.0000 3724  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
02:01:27.0000 3724  atapi - ok
02:01:27.0000 3724  Atdisk - ok
02:01:27.0031 3724  [ 14DF9D3F4FDE2E7536E89402D2C5B8E9 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
02:01:27.0046 3724  Ati HotKey Poller - ok
02:01:27.0140 3724  [ E43A7639BE410B67059E48D3DD0AD405 ] ati2mtag        C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
02:01:27.0156 3724  ati2mtag - ok
02:01:27.0171 3724  [ E3B9FE6D478DC12EE9FB5169EE98D1BA ] AtiHdmiService  C:\WINDOWS\system32\drivers\AtiHdmi.sys
02:01:27.0171 3724  AtiHdmiService - ok
02:01:27.0187 3724  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
02:01:27.0187 3724  Atmarpc - ok
02:01:27.0203 3724  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
02:01:27.0203 3724  AudioSrv - ok
02:01:27.0234 3724  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
02:01:27.0234 3724  audstub - ok
02:01:27.0250 3724  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
02:01:27.0250 3724  Beep - ok
02:01:27.0281 3724  [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser         C:\WINDOWS\System32\browser.dll
02:01:27.0281 3724  Browser - ok
02:01:27.0390 3724  [ D9C8DC2D7EC28E3FF25C99EF17C8631A ] BrowserProtect  C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
02:01:27.0437 3724  BrowserProtect - ok
02:01:27.0468 3724  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
02:01:27.0468 3724  cbidf2k - ok
02:01:27.0468 3724  cd20xrnt - ok
02:01:27.0500 3724  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
02:01:27.0500 3724  Cdaudio - ok
02:01:27.0500 3724  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
02:01:27.0500 3724  Cdfs - ok
02:01:27.0515 3724  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
02:01:27.0515 3724  Cdrom - ok
02:01:27.0515 3724  Changer - ok
02:01:27.0531 3724  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
02:01:27.0531 3724  CiSvc - ok
02:01:27.0546 3724  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
02:01:27.0546 3724  ClipSrv - ok
02:01:27.0593 3724  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
02:01:27.0656 3724  clr_optimization_v2.0.50727_32 - ok
02:01:27.0687 3724  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
02:01:27.0750 3724  clr_optimization_v4.0.30319_32 - ok
02:01:27.0750 3724  CmdIde - ok
02:01:27.0750 3724  COMSysApp - ok
02:01:27.0765 3724  Cpqarray - ok
02:01:27.0781 3724  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
02:01:27.0781 3724  CryptSvc - ok
02:01:27.0781 3724  dac2w2k - ok
02:01:27.0796 3724  dac960nt - ok
02:01:27.0843 3724  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
02:01:27.0875 3724  DcomLaunch - ok
02:01:27.0890 3724  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
02:01:27.0906 3724  Dhcp - ok
02:01:27.0906 3724  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
02:01:27.0906 3724  Disk - ok
02:01:27.0906 3724  dmadmin - ok
02:01:27.0937 3724  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
02:01:27.0953 3724  dmboot - ok
02:01:27.0968 3724  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
02:01:27.0968 3724  dmio - ok
02:01:27.0968 3724  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
02:01:27.0968 3724  dmload - ok
02:01:27.0984 3724  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
02:01:27.0984 3724  dmserver - ok
02:01:28.0015 3724  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
02:01:28.0015 3724  DMusic - ok
02:01:28.0031 3724  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
02:01:28.0031 3724  Dnscache - ok
02:01:28.0046 3724  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
02:01:28.0062 3724  Dot3svc - ok
02:01:28.0062 3724  dpti2o - ok
02:01:28.0062 3724  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
02:01:28.0062 3724  drmkaud - ok
02:01:28.0078 3724  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
02:01:28.0078 3724  EapHost - ok
02:01:28.0093 3724  [ F07BA56B0235F15EFF8F10DC6389C42E ] epmntdrv        C:\WINDOWS\system32\epmntdrv.sys
02:01:28.0093 3724  epmntdrv - ok
02:01:28.0109 3724  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
02:01:28.0109 3724  ERSvc - ok
02:01:28.0171 3724  esgiguard - ok
02:01:28.0171 3724  [ 1F2F4AB15CE03ECC257FEB2F6DC5A013 ] EuGdiDrv        C:\WINDOWS\system32\EuGdiDrv.sys
02:01:28.0171 3724  EuGdiDrv - ok
02:01:28.0187 3724  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
02:01:28.0203 3724  Eventlog - ok
02:01:28.0218 3724  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
02:01:28.0218 3724  EventSystem - ok
02:01:28.0234 3724  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
02:01:28.0250 3724  Fastfat - ok
02:01:28.0281 3724  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
02:01:28.0281 3724  FastUserSwitchingCompatibility - ok
02:01:28.0281 3724  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\drivers\Fdc.sys
02:01:28.0281 3724  Fdc - ok
02:01:28.0296 3724  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
02:01:28.0296 3724  Fips - ok
02:01:28.0296 3724  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\drivers\Flpydisk.sys
02:01:28.0296 3724  Flpydisk - ok
02:01:28.0328 3724  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\DRIVERS\fltMgr.sys
02:01:28.0328 3724  FltMgr - ok
02:01:28.0390 3724  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
02:01:28.0390 3724  FontCache3.0.0.0 - ok
02:01:28.0390 3724  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
02:01:28.0390 3724  Fs_Rec - ok
02:01:28.0390 3724  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
02:01:28.0390 3724  Ftdisk - ok
02:01:28.0453 3724  GGSAFERDriver - ok
02:01:28.0453 3724  GMSIPCI - ok
02:01:28.0468 3724  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
02:01:28.0468 3724  Gpc - ok
02:01:28.0484 3724  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
02:01:28.0484 3724  HDAudBus - ok
02:01:28.0531 3724  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
02:01:28.0531 3724  helpsvc - ok
02:01:28.0546 3724  [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ         C:\WINDOWS\System32\hidserv.dll
02:01:28.0546 3724  HidServ - ok
02:01:28.0562 3724  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
02:01:28.0562 3724  hidusb - ok
02:01:28.0578 3724  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
02:01:28.0578 3724  hkmsvc - ok
02:01:28.0593 3724  hpn - ok
02:01:28.0609 3724  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
02:01:28.0609 3724  HTTP - ok
02:01:28.0640 3724  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
02:01:28.0640 3724  HTTPFilter - ok
02:01:28.0640 3724  i2omgmt - ok
02:01:28.0656 3724  i2omp - ok
02:01:28.0703 3724  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
02:01:28.0703 3724  i8042prt - ok
02:01:28.0796 3724  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
02:01:28.0828 3724  idsvc - ok
02:01:28.0828 3724  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
02:01:28.0828 3724  Imapi - ok
02:01:28.0859 3724  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
02:01:28.0859 3724  ImapiService - ok
02:01:28.0859 3724  ini910u - ok
02:01:28.0953 3724  [ 08BAF30F6DE95814F58AF9CE7BBC5614 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
02:01:28.0968 3724  IntcAzAudAddService - ok
02:01:28.0968 3724  IntelIde - ok
02:01:28.0984 3724  [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm        C:\WINDOWS\system32\DRIVERS\intelppm.sys
02:01:28.0984 3724  intelppm - ok
02:01:29.0000 3724  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
02:01:29.0000 3724  Ip6Fw - ok
02:01:29.0015 3724  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
02:01:29.0015 3724  IpFilterDriver - ok
02:01:29.0015 3724  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
02:01:29.0015 3724  IpInIp - ok
02:01:29.0031 3724  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
02:01:29.0031 3724  IpNat - ok
02:01:29.0046 3724  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
02:01:29.0046 3724  IPSec - ok
02:01:29.0078 3724  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
02:01:29.0078 3724  IRENUM - ok
02:01:29.0093 3724  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
02:01:29.0093 3724  isapnp - ok
02:01:29.0156 3724  [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
02:01:29.0156 3724  JavaQuickStarterService - ok
02:01:29.0156 3724  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
02:01:29.0156 3724  Kbdclass - ok
02:01:29.0187 3724  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
02:01:29.0187 3724  kbdhid - ok
02:01:29.0187 3724  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
02:01:29.0203 3724  kmixer - ok
02:01:29.0218 3724  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
02:01:29.0218 3724  KSecDD - ok
02:01:29.0234 3724  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] LanmanServer    C:\WINDOWS\System32\srvsvc.dll
02:01:29.0234 3724  LanmanServer - ok
02:01:29.0265 3724  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
02:01:29.0265 3724  lanmanworkstation - ok
02:01:29.0281 3724  lbrtfdc - ok
02:01:29.0281 3724  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
02:01:29.0281 3724  LmHosts - ok
02:01:29.0296 3724  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
02:01:29.0296 3724  Messenger - ok
02:01:29.0375 3724  [ FAFE367D032ED82E9332B4C741A20216 ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
02:01:29.0375 3724  Microsoft Office Groove Audit Service - ok
02:01:29.0390 3724  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
02:01:29.0390 3724  mnmdd - ok
02:01:29.0406 3724  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
02:01:29.0406 3724  mnmsrvc - ok
02:01:29.0421 3724  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
02:01:29.0421 3724  Modem - ok
02:01:29.0453 3724  [ C7D9F9717916B34C1B00DD4834AF485C ] Monfilt         C:\WINDOWS\system32\drivers\Monfilt.sys
02:01:29.0468 3724  Monfilt - ok
02:01:29.0484 3724  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
02:01:29.0484 3724  Mouclass - ok
02:01:29.0500 3724  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
02:01:29.0500 3724  mouhid - ok
02:01:29.0500 3724  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
02:01:29.0500 3724  MountMgr - ok
02:01:29.0515 3724  [ CF105EE42E3F71E648CEBB3F666E1CF0 ] MpFilter        C:\WINDOWS\system32\DRIVERS\MpFilter.sys
02:01:29.0531 3724  MpFilter - ok
02:01:29.0531 3724  mraid35x - ok
02:01:29.0546 3724  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
02:01:29.0562 3724  MRxDAV - ok
02:01:29.0578 3724  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
02:01:29.0578 3724  MRxSmb - ok
02:01:29.0609 3724  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
02:01:29.0609 3724  MSDTC - ok
02:01:29.0640 3724  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
02:01:29.0640 3724  Msfs - ok
02:01:29.0640 3724  MSIServer - ok
02:01:29.0671 3724  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
02:01:29.0671 3724  MSKSSRV - ok
02:01:29.0703 3724  MsMpSvc - ok
02:01:29.0734 3724  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
02:01:29.0734 3724  MSPCLOCK - ok
02:01:29.0734 3724  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
02:01:29.0734 3724  MSPQM - ok
02:01:29.0750 3724  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
02:01:29.0750 3724  mssmbios - ok
02:01:29.0765 3724  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
02:01:29.0765 3724  Mup - ok
02:01:29.0781 3724  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
02:01:29.0781 3724  napagent - ok
02:01:29.0796 3724  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
02:01:29.0796 3724  NDIS - ok
02:01:29.0828 3724  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
02:01:29.0828 3724  NdisTapi - ok
02:01:29.0843 3724  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
02:01:29.0843 3724  Ndisuio - ok
02:01:29.0843 3724  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
02:01:29.0859 3724  NdisWan - ok
02:01:29.0859 3724  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
02:01:29.0859 3724  NDProxy - ok
02:01:29.0875 3724  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
02:01:29.0875 3724  NetBIOS - ok
02:01:29.0890 3724  [ FCFC7533925F4E8BFE8615214D77CB76 ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
02:01:29.0890 3724  Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: FCFC7533925F4E8BFE8615214D77CB76, Fake md5: 74B2B2F5BEA5E9A3DC021D685551BD3D
02:01:29.0890 3724  NetBT ( Virus.Win32.ZAccess.aml ) - infected
02:01:29.0890 3724  NetBT - detected Virus.Win32.ZAccess.aml (0)
02:01:29.0906 3724  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
02:01:29.0906 3724  NetDDE - ok
02:01:29.0906 3724  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
02:01:29.0906 3724  NetDDEdsdm - ok
02:01:29.0953 3724  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
02:01:29.0953 3724  Netlogon - ok
02:01:29.0968 3724  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
02:01:29.0984 3724  Netman - ok
02:01:30.0000 3724  [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
02:01:30.0031 3724  NetTcpPortSharing - ok
02:01:30.0046 3724  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
02:01:30.0046 3724  Nla - ok
02:01:30.0046 3724  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
02:01:30.0046 3724  Npfs - ok
02:01:30.0046 3724  NTACCESS - ok
02:01:30.0062 3724  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
02:01:30.0062 3724  Ntfs - ok
02:01:30.0078 3724  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
02:01:30.0078 3724  NtLmSsp - ok
02:01:30.0109 3724  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
02:01:30.0109 3724  NtmsSvc - ok
02:01:30.0140 3724  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
02:01:30.0140 3724  Null - ok
02:01:30.0171 3724  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
02:01:30.0171 3724  NwlnkFlt - ok
02:01:30.0171 3724  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
02:01:30.0171 3724  NwlnkFwd - ok
02:01:30.0265 3724  [ 84DE1DD996B48B05ACE31AD015FA108A ] odserv          C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
02:01:30.0281 3724  odserv - ok
02:01:30.0312 3724  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
02:01:30.0328 3724  ose - ok
02:01:30.0390 3724  [ 77CDC6C43D8C3E05D0E21B36EAABEBAE ] PanService      C:\Program Files\PANDORA.TV\PanService\PandoraService.exe
02:01:30.0406 3724  PanService - ok
02:01:30.0421 3724  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
02:01:30.0421 3724  Parport - ok
02:01:30.0437 3724  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
02:01:30.0437 3724  PartMgr - ok
02:01:30.0453 3724  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
02:01:30.0453 3724  ParVdm - ok
02:01:30.0453 3724  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
02:01:30.0453 3724  PCI - ok
02:01:30.0468 3724  PCIDump - ok
02:01:30.0468 3724  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
02:01:30.0468 3724  PCIIde - ok
02:01:30.0484 3724  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
02:01:30.0484 3724  Pcmcia - ok
02:01:30.0531 3724  [ C98CD9EE0012DF72206BD519DB9780D4 ] PCToolsSSDMonitorSvc C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
02:01:30.0546 3724  PCToolsSSDMonitorSvc - ok
02:01:30.0562 3724  PDCOMP - ok
02:01:30.0562 3724  PDFRAME - ok
02:01:30.0562 3724  PDRELI - ok
02:01:30.0562 3724  PDRFRAME - ok
02:01:30.0578 3724  perc2 - ok
02:01:30.0578 3724  perc2hib - ok
02:01:30.0609 3724  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
02:01:30.0609 3724  PlugPlay - ok
02:01:30.0609 3724  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
02:01:30.0609 3724  PolicyAgent - ok
02:01:30.0625 3724  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
02:01:30.0625 3724  PptpMiniport - ok
02:01:30.0625 3724  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
02:01:30.0625 3724  ProtectedStorage - ok
02:01:30.0625 3724  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
02:01:30.0625 3724  PSched - ok
02:01:30.0640 3724  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
02:01:30.0640 3724  Ptilink - ok
02:01:30.0640 3724  ql1080 - ok
02:01:30.0640 3724  Ql10wnt - ok
02:01:30.0640 3724  ql12160 - ok
02:01:30.0656 3724  ql1240 - ok
02:01:30.0656 3724  ql1280 - ok
02:01:30.0656 3724  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
02:01:30.0656 3724  RasAcd - ok
02:01:30.0671 3724  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
02:01:30.0671 3724  RasAuto - ok
02:01:30.0671 3724  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
02:01:30.0671 3724  Rasl2tp - ok
02:01:30.0687 3724  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
02:01:30.0703 3724  RasMan - ok
02:01:30.0703 3724  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
02:01:30.0703 3724  RasPppoe - ok
02:01:30.0703 3724  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
02:01:30.0703 3724  Raspti - ok
02:01:30.0718 3724  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
02:01:30.0718 3724  Rdbss - ok
02:01:30.0718 3724  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
02:01:30.0718 3724  RDPCDD - ok
02:01:30.0750 3724  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
02:01:30.0750 3724  RDPWD - ok
02:01:30.0781 3724  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
02:01:30.0796 3724  RDSessMgr - ok
02:01:30.0796 3724  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
02:01:30.0796 3724  redbook - ok
02:01:30.0812 3724  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
02:01:30.0812 3724  RemoteAccess - ok
02:01:30.0828 3724  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
02:01:30.0828 3724  RpcLocator - ok
02:01:30.0843 3724  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\system32\rpcss.dll
02:01:30.0843 3724  RpcSs - ok
02:01:30.0875 3724  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
02:01:30.0875 3724  RSVP - ok
02:01:30.0937 3724  [ D507C1400284176573224903819FFDA3 ] rtl8139         C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
02:01:30.0937 3724  rtl8139 - ok
02:01:31.0000 3724  [ C6D34A1874CD2B212DC3E788091C64B4 ] RTLE8023xp      C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
02:01:31.0000 3724  RTLE8023xp - ok
02:01:31.0015 3724  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
02:01:31.0015 3724  SamSs - ok
02:01:31.0046 3724  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
02:01:31.0062 3724  SCardSvr - ok
02:01:31.0140 3724  [ 3B35CE540758BBABB721E234CB5A4F3F ] SCDEmu          C:\WINDOWS\system32\drivers\SCDEmu.sys
02:01:31.0140 3724  SCDEmu - ok
02:01:31.0203 3724  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
02:01:31.0218 3724  Schedule - ok
02:01:31.0250 3724  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
02:01:31.0250 3724  Secdrv - ok
02:01:31.0296 3724  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
02:01:31.0328 3724  seclogon - ok
02:01:31.0359 3724  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
02:01:31.0375 3724  SENS - ok
02:01:31.0406 3724  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
02:01:31.0437 3724  serenum - ok
02:01:31.0437 3724  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
02:01:31.0453 3724  Serial - ok
02:01:31.0468 3724  SetupNTGLM7X - ok
02:01:31.0500 3724  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
02:01:31.0500 3724  Sfloppy - ok
02:01:31.0531 3724  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
02:01:31.0531 3724  ShellHWDetection - ok
02:01:31.0531 3724  Simbad - ok
02:01:32.0000 3724  [ 0C1B2E3A897397738D9F81CD3D152AF0 ] Skype C2C Service C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
02:01:32.0453 3724  Skype C2C Service - ok
02:01:32.0515 3724  [ 7C15061CD0372487903B07B9BB03AFAD ] SkypeUpdate     C:\Program Files\Skype\Updater\Updater.exe
02:01:32.0515 3724  SkypeUpdate - ok
02:01:32.0531 3724  Sparrow - ok
02:01:32.0562 3724  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
02:01:32.0562 3724  splitter - ok
02:01:32.0593 3724  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
02:01:32.0593 3724  Spooler - ok
02:01:32.0625 3724  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
02:01:32.0625 3724  sr - ok
02:01:32.0640 3724  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
02:01:32.0656 3724  srservice - ok
02:01:32.0671 3724  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
02:01:32.0671 3724  Srv - ok
02:01:32.0703 3724  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
02:01:32.0718 3724  SSDPSRV - ok
02:01:32.0734 3724  Steam Client Service - ok
02:01:32.0765 3724  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
02:01:32.0765 3724  stisvc - ok
02:01:32.0781 3724  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
02:01:32.0781 3724  swenum - ok
02:01:32.0781 3724  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
02:01:32.0781 3724  swmidi - ok
02:01:32.0796 3724  SwPrv - ok
02:01:32.0796 3724  symc810 - ok
02:01:32.0796 3724  symc8xx - ok
02:01:32.0796 3724  sym_hi - ok
02:01:32.0812 3724  sym_u3 - ok
02:01:32.0828 3724  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
02:01:32.0828 3724  sysaudio - ok
02:01:32.0843 3724  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
02:01:32.0843 3724  SysmonLog - ok
02:01:32.0859 3724  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
02:01:32.0875 3724  TapiSrv - ok
02:01:32.0890 3724  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
02:01:32.0890 3724  Tcpip - ok
02:01:32.0921 3724  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
02:01:32.0921 3724  TDPIPE - ok
02:01:32.0937 3724  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
02:01:32.0937 3724  TDTCP - ok
02:01:32.0953 3724  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
02:01:32.0953 3724  TermDD - ok
02:01:32.0968 3724  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
02:01:32.0968 3724  TermService - ok
02:01:32.0984 3724  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
02:01:32.0984 3724  Themes - ok
02:01:32.0984 3724  TosIde - ok
02:01:33.0000 3724  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
02:01:33.0000 3724  TrkWks - ok
02:01:33.0015 3724  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
02:01:33.0015 3724  Udfs - ok
02:01:33.0015 3724  ultra - ok
02:01:33.0031 3724  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
02:01:33.0046 3724  Update - ok
02:01:33.0062 3724  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
02:01:33.0062 3724  upnphost - ok
02:01:33.0062 3724  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
02:01:33.0062 3724  UPS - ok
02:01:33.0093 3724  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
02:01:33.0093 3724  usbccgp - ok
02:01:33.0109 3724  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
02:01:33.0109 3724  usbehci - ok
02:01:33.0125 3724  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
02:01:33.0125 3724  usbhub - ok
02:01:33.0140 3724  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
02:01:33.0140 3724  usbscan - ok
02:01:33.0156 3724  [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
02:01:33.0156 3724  usbstor - ok
02:01:33.0171 3724  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
02:01:33.0171 3724  usbuhci - ok
02:01:33.0171 3724  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
02:01:33.0171 3724  VgaSave - ok
02:01:33.0187 3724  ViaIde - ok
02:01:33.0218 3724  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
02:01:33.0218 3724  VolSnap - ok
02:01:33.0234 3724  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
02:01:33.0234 3724  VSS - ok
02:01:33.0265 3724  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         C:\WINDOWS\system32\w32time.dll
02:01:33.0265 3724  W32Time - ok
02:01:33.0265 3724  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
02:01:33.0281 3724  Wanarp - ok
02:01:33.0296 3724  [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000        C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
02:01:33.0312 3724  Wdf01000 - ok
02:01:33.0312 3724  WDICA - ok
02:01:33.0328 3724  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
02:01:33.0328 3724  wdmaud - ok
02:01:33.0343 3724  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
02:01:33.0343 3724  WebClient - ok
02:01:33.0390 3724  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
02:01:33.0390 3724  winmgmt - ok
02:01:33.0406 3724  [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN        C:\WINDOWS\system32\mspmsnsv.dll
02:01:33.0406 3724  WmdmPmSN - ok
02:01:33.0453 3724  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
02:01:33.0453 3724  WmiApSrv - ok
02:01:33.0593 3724  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
02:01:33.0609 3724  WPFFontCache_v0400 - ok
02:01:33.0625 3724  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
02:01:33.0640 3724  WS2IFSL - ok
02:01:33.0656 3724  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
02:01:33.0687 3724  WZCSVC - ok
02:01:33.0718 3724  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
02:01:33.0718 3724  xmlprov - ok
02:01:33.0750 3724  [ F5E5F944E63A9B5F6E76C2EBB2AC462F ] xusb21          C:\WINDOWS\system32\DRIVERS\xusb21.sys
02:01:33.0750 3724  xusb21 - ok
02:01:33.0812 3724  [ DD0042F0C3B606A6A8B92D49AFB18AD6 ] YahooAUService  C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
02:01:33.0828 3724  YahooAUService - ok
02:01:33.0828 3724  ================ Scan global ===============================
02:01:33.0859 3724  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
02:01:33.0890 3724  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
02:01:33.0890 3724  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
02:01:33.0921 3724  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
02:01:33.0937 3724  [Global] - ok
02:01:33.0937 3724  ================ Scan MBR ==================================
02:01:33.0937 3724  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
02:01:34.0125 3724  \Device\Harddisk0\DR0 - ok
02:01:34.0125 3724  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk5\DR7
02:01:37.0453 3724  \Device\Harddisk5\DR7 - ok
02:01:37.0453 3724  ================ Scan VBR ==================================
02:01:37.0453 3724  [ 1CE7931C7A8BE7D5DA0867BCC182DBB9 ] \Device\Harddisk0\DR0\Partition1
02:01:37.0453 3724  \Device\Harddisk0\DR0\Partition1 - ok
02:01:37.0468 3724  [ 615228366D745BD1CD75E39E1438AE73 ] \Device\Harddisk0\DR0\Partition2
02:01:37.0468 3724  \Device\Harddisk0\DR0\Partition2 - ok
02:01:37.0484 3724  [ C14A810D840C2FC0B8A3EA6349771E91 ] \Device\Harddisk5\DR7\Partition1
02:01:37.0484 3724  \Device\Harddisk5\DR7\Partition1 - ok
02:01:37.0484 3724  ============================================================
02:01:37.0484 3724  Scan finished
02:01:37.0484 3724  ============================================================
02:01:37.0484 3292  Detected object count: 1
02:01:37.0484 3292  Actual detected object count: 1
02:02:25.0109 3292  C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
02:02:26.0093 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\@ - copied to quarantine
02:02:26.0093 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\Desktop.ini - copied to quarantine
02:02:26.0093 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\L\00000004.@ - copied to quarantine
02:02:26.0093 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\L\201d3dde - copied to quarantine
02:02:26.0109 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\L\6715e287 - copied to quarantine
02:02:26.0125 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\L\76603ac3 - copied to quarantine
02:02:26.0125 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\L\drtancov - copied to quarantine
02:02:26.0140 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\00000004.@ - copied to quarantine
02:02:26.0156 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\00000008.@ - copied to quarantine
02:02:26.0234 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\000000cb.@ - copied to quarantine
02:02:26.0250 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\80000000.@ - copied to quarantine
02:02:26.0265 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\80000032.@ - copied to quarantine
02:02:27.0093 3292  Backup copy found, using it..
02:02:27.0093 3292  C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
02:02:27.0109 3292  C:\WINDOWS\$NtUninstallKB44335$\2880019891 - will be deleted on reboot
02:02:27.0109 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\@ - will be deleted on reboot
02:02:27.0109 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\Desktop.ini - will be deleted on reboot
02:02:27.0171 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\00000004.@ - will be deleted on reboot
02:02:27.0171 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\00000008.@ - will be deleted on reboot
02:02:27.0171 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\000000cb.@ - will be deleted on reboot
02:02:27.0171 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\80000000.@ - will be deleted on reboot
02:02:27.0171 3292  C:\WINDOWS\$NtUninstallKB44335$\820026831\U\80000032.@ - will be deleted on reboot
02:02:27.0171 3292  NetBT ( Virus.Win32.ZAccess.aml ) - User select action: Cure 
02:02:35.0109 3172  Deinitialize success

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Azmil Zulkifli [Admin rights]
Mode : Scan -- Date : 05/18/2013 18:55:51
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 8 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261249~1.132\{C16C1~1\BROWSE~1.DLL [x] -> UNLOADED
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll [x] -> UNLOADED
[BLACKLIST] BrowserProtect.exe -- C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [7] -> KILLED [TermProc]
[BLACKLIST] BrowserProtect.exe -- C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [7] -> KILLED [TermProc]
[RESIDUE] BrowserProtect.exe -- C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [7] -> KILLED [TermProc]
[RESIDUE] BrowserProtect.exe -- C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe [7] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261249~1.132\{C16C1~1\BROWSE~1.DLL [x] -> UNLOADED
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll [x] -> UNLOADED
 
¤¤¤ Registry Entries : 5 ¤¤¤
[Services][BLACKLIST] HKLM\[...]\ControlSet001\Services\BrowserProtect (C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe) [7] -> FOUND
[Services][BLACKLIST] HKLM\[...]\ControlSet002\Services\BrowserProtect (C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe) [7] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll) [7] -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD3200AAKS-75B3A0 +++++
--- User ---
[MBR] 7ad6624efd648aab186ca78bfecbab7f
[BSP] 7b1391a4fcfdc2a36c1f5e42b87977fb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 103230 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 211415400 | Size: 202012 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_S_05182013_02d1855.txt >>
RKreport[1]_S_05182013_02d1832.txt ; RKreport[2]_S_05182013_02d1855.txt


#6 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK

Posted 18 May 2013 - 07:35 AM

Uninstall BrowserProtect

  • click Start, Settings, Control Panel, Add or remove programs
  • click on BrowserProtect and then Uninstall.

===================================================

Run aswMBR

  • download aswMBR.exe to your desktop.
  • double click aswMBR.exe to run it
  • if asked, accept the AVAST virus definition download
  • click the "Scan" button to start scan
  • on completion of the scan click Save log, save it to your desktop and post in your next reply. Note - do NOT attempt any Fix yet.

===================================================

Please run RogueKiller again and post the new log.

Include the following in your next post :

aswMBR log
RKreport.txt


Thanks

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 kokonapa

kokonapa
  • Topic Starter

  • Members
  • 14 posts

Posted 18 May 2013 - 08:49 AM

Okay, here you go: aswMBR log and latest RKreport.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-18 21:07:16
-----------------------------
21:07:16.468    OS Version: Windows 5.1.2600 Service Pack 3
21:07:16.468    Number of processors: 2 586 0x1706
21:07:16.468    ComputerName: AZMIL  UserName: 
21:07:17.046    Initialize success
21:17:40.609    AVAST engine defs: 13051800
21:18:42.906    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
21:18:42.906    Disk 0 Vendor: WDC_WD3200AAKS-75B3A0 01.03A01 Size: 305245MB BusType: 3
21:18:42.984    Disk 0 MBR read successfully
21:18:42.984    Disk 0 MBR scan
21:18:43.031    Disk 0 Windows XP default MBR code
21:18:43.031    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       103230 MB offset 63
21:18:43.031    Disk 0 Partition - 00     0F Extended LBA            202012 MB offset 211415400
21:18:43.046    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       202012 MB offset 211415463
21:18:43.046    Disk 0 scanning sectors +625137345
21:18:43.109    Disk 0 scanning C:\WINDOWS\system32\drivers
21:18:46.546    Service scanning
21:18:48.515    Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
21:18:50.484    Service NTACCESS D:\NTACCESS.sys **LOCKED** 21
21:18:51.921    Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
21:18:54.781    Modules scanning
21:18:57.000    Disk 0 trace - called modules:
21:18:57.015    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
21:18:57.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a301ab8]
21:18:57.015    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a3799e8]
21:18:57.015    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a302d98]
21:18:57.421    AVAST engine scan C:\WINDOWS
21:19:08.656    AVAST engine scan C:\WINDOWS\system32
21:20:46.890    AVAST engine scan C:\WINDOWS\system32\drivers
21:20:53.843    AVAST engine scan C:\Documents and Settings\Azmil Zulkifli
21:25:10.578    AVAST engine scan C:\Documents and Settings\All Users
21:26:28.437    File: C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll  **INFECTED** Win32:Dropper-gen [Drp]
21:27:09.953    Scan finished successfully
21:43:45.171    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Azmil Zulkifli\Desktop\MBR.dat"
21:43:45.171    The log file has been saved successfully to "C:\Documents and Settings\Azmil Zulkifli\Desktop\aswMBR.txt"
 
 

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Azmil Zulkifli [Admin rights]
Mode : Scan -- Date : 05/18/2013 21:46:18
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 2 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : c:\DOCUME~1\ALLUSE~1\APPLIC~1\BROWSE~1\261249~1.132\{C16C1~1\BROWSE~1.DLL [x] -> UNLOADED
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll [x] -> UNLOADED
 
¤¤¤ Registry Entries : 3 ¤¤¤
[Services][BLACKLIST] HKLM\[...]\ControlSet002\Services\BrowserProtect (C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe) [7] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD3200AAKS-75B3A0 +++++
--- User ---
[MBR] 7ad6624efd648aab186ca78bfecbab7f
[BSP] 7b1391a4fcfdc2a36c1f5e42b87977fb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 103230 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 211415400 | Size: 202012 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[3]_S_05182013_02d2146.txt >>
RKreport[1]_S_05182013_02d1832.txt ; RKreport[2]_S_05182013_02d1855.txt ; RKreport[3]_S_05182013_02d2146.txt


#8 satchfan
  • Malware Response Team

Posted 18 May 2013 - 10:29 AM

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

When you’ve done that, please try running ComboFix again.

Satchfan


#9 kokonapa
  • Topic Starter

Posted 18 May 2013 - 10:54 AM

ComboFix ran completely. Here's the log.

ComboFix 13-05-18.02 - Azmil Zulkifli 2013/05/18  23:40:29.4.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3327.2958 [GMT 8:00]
Running from: c:\documents and settings\Azmil Zulkifli\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-18 to 2013-05-18  )))))))))))))))))))))))))))))))
.
.
2013-05-17 18:02 . 2013-05-17 18:02 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-16 23:42 . 2013-05-16 23:42 -------- d-----w- c:\program files\Enigma Software Group
2013-05-16 23:42 . 2013-05-17 00:08 -------- d-----w- c:\windows\4941BFEB62C047A2801E998FC469CC2C.TMP
2013-05-16 23:42 . 2013-05-16 23:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2013-05-16 22:13 . 2013-05-16 22:18 -------- d-----w- C:\780541799b799e0ced
2013-05-16 17:42 . 2013-05-16 20:47 -------- d-----w- c:\windows\system32\NtmsData
2013-05-16 17:32 . 2013-05-16 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2013-05-14 04:41 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5869E37E-164E-4F8F-A636-9A16C0DBCEA7}\mpengine.dll
2013-05-12 19:24 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-12 19:24 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2EDE2F9F-6952-40B4-BDE5-F985F67DF15C}\mpengine.dll
2013-05-10 18:47 . 2013-05-10 18:48 -------- d-----w- c:\program files\Mail Password
2013-05-10 04:33 . 2013-05-10 04:53 -------- d-----w- c:\documents and settings\Azmil Zulkifli\Application Data\Skype
2013-05-10 04:32 . 2013-05-10 04:32 -------- d-----w- c:\program files\Common Files\Skype
2013-05-10 04:32 . 2013-05-10 04:36 -------- d-----r- c:\program files\Skype
2013-05-10 04:31 . 2013-05-10 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2013-04-30 21:24 . 2013-04-30 21:24 1581056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll
2013-04-29 07:22 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-29 07:13 . 2013-04-29 07:14 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-27 20:16 . 2013-04-27 20:16 -------- d-----w- c:\program files\Mega Codec Pack
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 18:03 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2013-05-15 12:00 . 2012-04-06 07:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 12:00 . 2012-04-06 07:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-29 07:33 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2012-02-28 12:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2013-05-01 1500952]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-04-27 20:16 224256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-22 6591800]
"Steam"="c:\program files\Steam\Steam.exe" [2013-05-03 1635752]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2013-05-09 9829680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-31 16857600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
c:\documents and settings\Azmil Zulkifli\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\Dropbox.exe [2013-4-10 27151288]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R?2 PanService;PandoraService;c:\program files\PANDORA.TV\PanService\PandoraService.exe [2012/03/24 09:19 nm 624856]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2012/03/24 09:21 nm 632792]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013/04/15 03:27 nm 3289208]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013/02/28 06:45 nm 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012/02/28 10:05 nm 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012/02/29 12:05 13192]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012/02/29 12:05 8456]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena Plus\Room\safedrv.sys --> c:\program files\Garena Plus\Room\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:00]
.
2013-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-2025429265-1801674531-1004Core.job
- c:\documents and settings\Azmil Zulkifli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-28 13:10]
.
2013-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-2025429265-1801674531-1004UA.job
- c:\documents and settings\Azmil Zulkifli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-28 13:10]
.
2013-05-13 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 03:11]
.
2013-05-18 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 03:11]
.
2013-05-18 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2012-03-24 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
SafeBoot-84625319.sys
AddRemove-InstallShield_{9322A850-9091-4D0E-B252-3E82EDA3D94A} - c:\program files\InstallShield Installation Information\{9322A850-9091-4D0E-B252-3E82EDA3D94A}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-18 23:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
c:\progra~1\MICROS~2\Office12\GRA8E1~1.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\imapi.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2013-05-18  23:49:18 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-18 15:49
.
Pre-Run: 50,985,381,888 bytes free
Post-Run: 51,084,787,712 bytes free
.
- - End Of File - - 3C036E7ACF4C069C567A5E83FF5066D6
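
The helper reads these logs by eye, picking out the RogueKiller `-> FOUND` / `-> UNLOADED` entries, the aswMBR `**INFECTED**` file, the ComboFix "Infected copy of ... was found" driver line and the deleted `$NtUninstallKB…$` tree with its `U\`, `L\` and `@` entries. As an added example (not the thread's own code, and not part of RogueKiller, aswMBR or ComboFix), here is a small Python triage script that does the same sorting over a handful of lines copied from the logs posted in this thread. The regexes and the category names (`appinit-dll`, `injected-dll`, `patched-driver`, `kb-folder-payload` and so on) are this example's own assumptions about those tools' output formats, not anything the tools define.

```python
"""Triage helper for the scan logs posted in this thread.

Added example only: it is not part of RogueKiller, aswMBR or ComboFix and only
reads their text output. Category names and regexes are this example's own
assumptions about the line formats seen in the logs above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    tool: str    # which log format the line came from
    kind: str    # short category assigned by this example
    detail: str  # the path or registry entry the line refers to


# RogueKiller: "[CATEGORY]... key : value -> FOUND" and
#              "[DLL] proc -- exe : injected.dll [x] -> UNLOADED"
_RK = re.compile(r"^\[(?P<cat>[^\]]+)\]\s*(?P<body>.*?)\s*->\s*(?P<verdict>FOUND|UNLOADED)\s*$")
# aswMBR: "HH:MM:SS.mmm    File: <path>  **INFECTED** <detection name>"
_ASW = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+File:\s+(?P<path>.*?)\s+\*\*INFECTED\*\*\s+(?P<name>.*)$")
# ComboFix: "Infected copy of <driver> was found and disinfected"
_CF_DRV = re.compile(r"^Infected copy of (?P<path>.+?) was found", re.IGNORECASE)
# ComboFix deletion list: entries under a $NtUninstallKBnnnn$ folder. Windows
# Update creates such folders legitimately, so only U\, L\ and "@" entries,
# which a real uninstall folder does not contain, are flagged.
_CF_KB = re.compile(r"\\\$NtUninstallKB\d+\$\\(?P<rest>.*)$", re.IGNORECASE)


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None for lines that are not indicators."""
    line = line.rstrip()
    m = _RK.match(line)
    if m:
        cat, body = m.group("cat").upper(), m.group("body")
        if m.group("verdict") == "UNLOADED":
            # "proc -- exe : dll [x]" -> keep only the DLL path
            dll = body.split(" : ", 1)[-1].rsplit(" [", 1)[0]
            return Finding("RogueKiller", "injected-dll", dll)
        if cat == "APPINIT":
            # the DLL path sits in the parentheses after AppInit_DLLs
            return Finding("RogueKiller", "appinit-dll", body[body.find("(") + 1:body.rfind(")")])
        if cat == "HJPOL":
            return Finding("RogueKiller", "policy-hijack", body)
        return Finding("RogueKiller", "registry:" + cat.lower(), body)
    m = _ASW.match(line)
    if m:
        return Finding("aswMBR", "infected-file", m.group("path"))
    m = _CF_DRV.match(line)
    if m:
        return Finding("ComboFix", "patched-driver", m.group("path"))
    m = _CF_KB.search(line)
    if m:
        parts = m.group("rest").split("\\")
        if "U" in parts or "L" in parts or line.endswith("@"):
            return Finding("ComboFix", "kb-folder-payload", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the indicator lines, in log order, as Finding records."""
    return [f for f in (classify(ln) for ln in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {"kb-folder-payload": 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Sample input: short excerpts copied from the logs posted in this thread.
SAMPLE_LINES = [
    r"[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll) [7] -> FOUND",
    r"[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll [x] -> UNLOADED",
    r"[Services][BLACKLIST] HKLM\[...]\ControlSet002\Services\BrowserProtect (C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe) [7] -> FOUND",
    r"[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND",
    r"21:26:28.437    File: C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll  **INFECTED** Win32:Dropper-gen [Drp]",
    r"21:27:09.953    Scan finished successfully",
    r"Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected ",
    r"c:\windows\$NtUninstallKB44335$\820026831\U\00000004.@",
    r"c:\windows\$NtUninstallKB44335$\820026831\L\drtancov",
    r"c:\windows\$NtUninstallKB44335$\820026831\Desktop.ini",
    r"c:\documents and settings\All Users\Application Data\TEMP",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.tool:<12}{f.kind:<20}{f.detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run as-is it prints eight findings from the eleven sample lines; the "Scan finished", `Desktop.ini` and `TEMP` lines are deliberately left unflagged. The two that matter most after a cleanup like the one in this thread are `patched-driver` (a system driver such as netbt.sys that had to be restored from a clean copy) and `kb-folder-payload` (an uninstall folder carrying `U\` and `L\` subfolders and `@` files), since both point at a rootkit-style infection rather than plain adware, and both are worth re-checking on the next scan.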


#10 satchfan
  • Malware Response Team

Posted 19 May 2013 - 04:02 AM

Hi kokonapa

Open ComboFix

Please do the following:

  • close any open browsers
  • close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix
  • open Notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll

DirLook::
C:\780541799b799e0ced

DDS::
BHO: mixidj Helper Object: {4D6A9BBF-402C-4301-B1EF-28D04F71D761} - c:\program files\mixidj\mixidj\1.8.4.1\bh\mixidj.dll
TB: MixiDJ Toolbar: {CA9B9C89-4662-4ADC-9C23-A452BECD5D19} - c:\program files\mixidj\mixidj\1.8.4.1\mixidjTlbr.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
[-HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]

ClearJavaCache::

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of ComboFix.txt in your next reply.

===================================================

Run Security Check

Download Security Check by screen317 from here or here.

  • save it to your Desktop
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

Thanks

Satchfan


#11 satchfan
  • Malware Response Team

Posted 22 May 2013 - 10:54 AM

Hi kokonapa

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems.

Thanks

Satchfan




#12 kokonapa
  • Topic Starter

Posted 23 May 2013 - 12:34 AM

Sorry, haven't got the chance to tinker with my PC as I'm having an exam. Will try to get back to you in half a day.

Cheers!



#13 satchfan
  • Malware Response Team

Posted 23 May 2013 - 01:57 AM

:thumbup2:




#14 kokonapa
  • Topic Starter

Posted 24 May 2013 - 10:05 AM

Done, and done. Here you go. Sorry for the late reply.

ComboFix 13-05-18.02 - Azmil Zulkifli 2013/05/24  22:48:49.5.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3327.2960 [GMT 8:00]
Running from: c:\documents and settings\Azmil Zulkifli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Azmil Zulkifli\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll"
"c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-b2e730376325753834d77280c183157b.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\mixidj\mixidj\1.8.4.1\bh\mixidj.dll
c:\program files\mixidj\mixidj\1.8.4.1\mixidjTlbr.dll
c:\windows\$NtUninstallKB44335$
c:\windows\$NtUninstallKB44335$\2150134678
c:\windows\$NtUninstallKB44335$\820026831\@
c:\windows\$NtUninstallKB44335$\820026831\Desktop.ini
c:\windows\$NtUninstallKB44335$\820026831\L\00000004.@
c:\windows\$NtUninstallKB44335$\820026831\L\76603ac3
c:\windows\$NtUninstallKB44335$\820026831\L\drtancov
c:\windows\$NtUninstallKB44335$\820026831\U\00000004.@
c:\windows\$NtUninstallKB44335$\820026831\U\00000008.@
c:\windows\$NtUninstallKB44335$\820026831\U\000000cb.@
c:\windows\$NtUninstallKB44335$\820026831\U\80000000.@
c:\windows\$NtUninstallKB44335$\820026831\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected 
Restored copy from - The cat found it :) 
.
(((((((((((((((((((((((((   Files Created from 2013-04-24 to 2013-05-24  )))))))))))))))))))))))))))))))
.
.
2013-05-24 14:46 . 2013-05-17 18:03 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2013-05-24 14:46 . 2013-05-17 18:03 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2013-05-17 18:02 . 2013-05-17 18:02 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-16 23:42 . 2013-05-16 23:42 -------- d-----w- c:\program files\Enigma Software Group
2013-05-16 23:42 . 2013-05-17 00:08 -------- d-----w- c:\windows\4941BFEB62C047A2801E998FC469CC2C.TMP
2013-05-16 23:42 . 2013-05-16 23:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2013-05-16 22:13 . 2013-05-16 22:18 -------- d-----w- C:\780541799b799e0ced
2013-05-16 17:42 . 2013-05-16 20:47 -------- d-----w- c:\windows\system32\NtmsData
2013-05-16 17:32 . 2013-05-16 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2013-05-14 04:41 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5869E37E-164E-4F8F-A636-9A16C0DBCEA7}\mpengine.dll
2013-05-12 19:24 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-12 19:24 . 2013-04-16 22:31 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2EDE2F9F-6952-40B4-BDE5-F985F67DF15C}\mpengine.dll
2013-05-10 18:47 . 2013-05-10 18:48 -------- d-----w- c:\program files\Mail Password
2013-05-10 04:33 . 2013-05-10 04:53 -------- d-----w- c:\documents and settings\Azmil Zulkifli\Application Data\Skype
2013-05-10 04:32 . 2013-05-10 04:32 -------- d-----w- c:\program files\Common Files\Skype
2013-05-10 04:32 . 2013-05-24 07:57 -------- d-----r- c:\program files\Skype
2013-05-10 04:31 . 2013-05-10 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2013-04-29 07:22 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-29 07:13 . 2013-04-29 07:14 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-27 20:16 . 2013-04-27 20:16 -------- d-----w- c:\program files\Mega Codec Pack
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 12:00 . 2012-04-06 07:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 12:00 . 2012-04-06 07:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-29 07:33 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2013-04-16 22:17 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 12:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 07:56 . 2012-02-28 12:48 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\780541799b799e0ced ----
.
2013-01-27 09:03 . 2013-01-27 09:03 61 ----a-w- c:\780541799b799e0ced\setup.ini
2013-01-27 06:46 . 2013-01-27 06:46 7106560 ----a-w- c:\780541799b799e0ced\x86\epp.msi
2013-01-27 06:37 . 2013-01-27 06:37 182224 ----a-w- c:\780541799b799e0ced\EppManifest.dll
2013-01-27 04:05 . 2013-01-27 04:05 43088 ----a-w- c:\780541799b799e0ced\EN-US\setupres.dll.mui
2013-01-27 03:11 . 2013-01-27 03:11 847920 ----a-w- c:\780541799b799e0ced\x86\setup.exe
2013-01-27 03:11 . 2013-01-27 03:11 26064 ----a-w- c:\780541799b799e0ced\CompAppsContent.dll
2013-01-27 03:11 . 2013-01-27 03:11 324584 ----a-w- c:\780541799b799e0ced\epplauncher.exe
2013-01-27 03:08 . 2013-01-27 03:08 8760 ----a-w- c:\780541799b799e0ced\setupres.dll
2013-01-20 07:58 . 2013-01-20 07:58 707448 ----a-w- c:\780541799b799e0ced\x86\LegitLib.dll
2013-01-20 07:58 . 2013-01-20 07:58 196416 ----a-w- c:\780541799b799e0ced\x86\sqmapi.dll
2013-01-20 07:57 . 2013-01-20 07:57 1850368 ----a-w- c:\780541799b799e0ced\x86\dw20shared.msi
2013-01-20 07:57 . 2013-01-20 07:57 1241780 ----a-w- c:\780541799b799e0ced\x86\Windows6.0-KB981889-v2.msu
2013-01-20 07:57 . 2013-01-20 07:57 907883 ----a-w- c:\780541799b799e0ced\x86\Windows6.1-KB981889.msu
2013-01-20 07:57 . 2013-01-20 07:57 143927 ----a-w- c:\780541799b799e0ced\EN-US\EULA.RTF
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2013-05-01 1500952]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-10 05:37 130736 ----a-w- c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-22 6591800]
"Steam"="c:\program files\Steam\Steam.exe" [2013-05-03 1635752]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2013-05-09 9829680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-31 16857600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
c:\documents and settings\Azmil Zulkifli\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\Dropbox.exe [2013-4-10 27151288]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R?2 PanService;PandoraService;c:\program files\PANDORA.TV\PanService\PandoraService.exe [2012/03/24 09:19 nm 624856]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2012/03/24 09:21 nm 632792]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013/05/14 01:26 nm 3289208]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013/02/28 06:45 nm 161384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012/02/28 10:05 nm 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012/02/29 12:05 13192]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012/02/29 12:05 8456]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena Plus\Room\safedrv.sys --> c:\program files\Garena Plus\Room\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:00]
.
2013-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-2025429265-1801674531-1004Core.job
- c:\documents and settings\Azmil Zulkifli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-28 13:10]
.
2013-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-2025429265-1801674531-1004UA.job
- c:\documents and settings\Azmil Zulkifli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-28 13:10]
.
2013-05-18 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 03:11]
.
2013-05-24 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 03:11]
.
2013-05-24 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2012-03-24 02:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-24 22:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(336)
c:\windows\system32\WININET.dll
c:\documents and settings\Azmil Zulkifli\Application Data\Dropbox\bin\DropboxExt.19.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\docume~1\AZMILZ~1\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2013-05-24  22:58:20 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-24 14:58
ComboFix2.txt  2013-05-18 15:49
.
Pre-Run: 51,493,298,176 bytes free
Post-Run: 51,703,648,256 bytes free
.
- - End Of File - - F99D6B9185B5A4C96E52CCAC264C5D41

 Results of screen317's Security Check version 0.99.61  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
`````````Anti-malware/Other Utilities Check:````````` 
 JavaFX 2.1.1    
 Java™ 7 Update 5  
 Java version out of Date! 
 Adobe Flash Player 11.7.700.202  
 Adobe Reader 10.1.3 Adobe Reader out of Date!  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 

#15 satchfan

  • Malware Response Team
  • 2,661 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:08:38 AM

Posted 24 May 2013 - 05:32 PM

That’s looking much better.

We need to deal with Microsoft Security Essentials (MSE). The best thing is to remove all traces and then re-install it when the computer is clean.

Go here to download the removal tool and then run it to remove remnants.

=============================================

Download Malwarebytes-Anti-Malware

Click here.

  • double-click mbam-setup.exe and follow the prompts to install the program.
  • at the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • if an update is found, it will download and install the latest version.
  • once the program has loaded, select Perform quick scan, then click Scan.
  • when the scan is complete, click OK, then Show Results to view the results.
  • be sure that everything is checked, and click Remove Selected.
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer - (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Can you tell me if there are any outstanding problems?

Satchfan

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.