
CMD Prompt Pop Up Blocking TDSS Killer on restart


  • This topic is locked
26 replies to this topic

#1 LordNoZoo (Members)
Posted 06 June 2013 - 07:45 AM

Hello Boopme, thank you for taking the time to reply.

It has been some time since I ran ComboFix; in fact I had to search for the txt document (and more than one txt doc came up, 4 in fact, all with the same date and time; maybe that's normal). Below is the log in any case, from a month or so ago.

I haven't run DDS per this thread's instructions, but rather will wait for further direction from you.

Thank you again for your time and effort.


ComboFix 13-05-13.01 - Administrator 13/05/2013  14:04:59.1.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-13 to 2013-05-13  )))))))))))))))))))))))))))))))
.
.
2013-05-11 16:27 . 2013-05-11 16:27 -------- d-----w- c:\program files\Common Files\Java
2013-05-11 16:27 . 2013-04-04 12:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-11 16:07 . 2013-05-11 16:07 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-11 16:07 . 2013-05-11 16:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-10 15:26 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{FB17E5AE-6E18-49E8-871D-054D5F42ED97}\mpengine.dll
2013-05-08 14:54 . 2013-05-08 14:54 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-08 02:29 . 2013-05-13 18:48 143688 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-03 17:20 . 2013-05-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 09:06 . 2010-05-09 16:52 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-10 03:08 . 2010-05-14 14:07 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-04-04 21:50 . 2013-03-14 00:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-30 17:39 . 2013-03-30 17:32 463856 ----a-w- C:\MGlogs.zip
2013-03-30 17:31 . 2013-03-30 17:31 1898001 ----a-w- c:\program files\MGtools.exe
2013-03-29 18:57 . 2013-03-29 18:57 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-14 23:24 . 2012-06-28 13:08 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-14 23:24 . 2010-04-21 15:28 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28 . 2004-08-04 12:00 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2006-07-27 19:38 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-19 21:15 . 2013-04-02 17:57 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-02-19 21:12 . 2013-04-02 17:46 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-02-19 21:11 . 2012-07-17 22:09 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-02-19 21:11 . 2013-04-02 17:58 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-02-19 21:10 . 2013-04-02 17:57 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-02-19 21:09 . 2012-07-17 22:07 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-02-19 21:09 . 2013-04-02 17:58 84904 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2013-02-19 21:09 . 2013-04-02 17:57 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-02-19 21:08 . 2013-04-02 17:57 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-02-19 21:08 . 2013-04-02 17:57 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-02-19 21:07 . 2012-07-17 22:04 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-06-20 01:29 . 2011-06-20 01:29 231374 ----a-w- c:\program files\cc_20110619_182910.reg
2006-08-14 18:59 . 2006-08-14 18:57 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2004-08-04 12:00 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [2005-03-13 147456]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-15 1278064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\documents and settings\Administrator\Desktop\mbar-1.05.0.1001\mbar\mbar.exe" [2013-05-13 1398856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [x]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [x]
R3 MFE_RR;MFE_RR;c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [x]
R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ    scan
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
2013-05-13 c:\windows\Tasks\User_Feed_Synchronization-{BA0BB46C-BAEA-49B8-AFF8-61DE8D5641AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.castanet.net/
TCP: DhcpNameServer = 64.59.168.13 64.59.168.15 64.59.174.84
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
SafeBoot-17987213.sys
SafeBoot-19012714.sys
SafeBoot-41924202.sys
SafeBoot-50000325.sys
MSConfigStartUp-CTFMON - (no file)
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-13 14:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,6f,0f,db,06,1f,e8,41,b3,82,c9,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4764)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-05-13  14:27:47
ComboFix-quarantined-files.txt  2013-05-13 21:27
.
Pre-Run: 47,275,827,200 bytes free
Post-Run: 47,205,253,120 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 942AB6442B8797DA75BD2A22C92CF31C

 




#2 nasdaq (Malware Response Team, Montreal, QC, Canada)
Posted 09 June 2013 - 10:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

I need more information before suggesting any other tools.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 LordNoZoo (Topic Starter, Members)

Posted 09 June 2013 - 07:35 PM

Hello Nasdaq, thank you for responding.

I've been using the AdwCleaner program already, so the log shown is S9. Also, I was unable to download the Security Check program from your link (a pop-up said to check if "the disc was full or if it was write-protected"), but I typed in the coordinates directly and was able to download it from there. (Do you already know that Security Check triggers the McAfee protection with an Artemis trojan alert, which is "automatically removed" by McAfee? Gosh, I hope so.)

Also, the PC has been running pretty well of late. However, I did try running TDSSKiller again just now (after running both AdwCleaner and JRT) and I still get a system32\cmd prompt pop-up on restart, after checking the loaded modules option, that prevents TDSSKiller from running automatically.

In any case, here are the logs as requested. Sorry for the long-winded message and, again, thank you very much for your time.

PS. (2 logs from DDS.com; I am not to zip up and attach the "attach.txt" unless specifically requested, so you will let me know if you want me to do that?)


# AdwCleaner v2.303 - Logfile created 06/09/2013 at 16:25:24
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator -
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1553 octets] - [20/05/2013 12:26:01]
AdwCleaner[R2].txt - [1613 octets] - [20/05/2013 12:26:47]
AdwCleaner[R3].txt - [1673 octets] - [20/05/2013 12:28:02]
AdwCleaner[R4].txt - [979 octets] - [29/05/2013 17:57:56]
AdwCleaner[S1].txt - [1751 octets] - [20/05/2013 12:28:21]
AdwCleaner[S2].txt - [920 octets] - [27/05/2013 19:47:27]
AdwCleaner[S3].txt - [1038 octets] - [29/05/2013 17:58:43]
AdwCleaner[S4].txt - [1099 octets] - [01/06/2013 11:30:04]
AdwCleaner[S5].txt - [1160 octets] - [02/06/2013 12:31:23]
AdwCleaner[S6].txt - [1220 octets] - [03/06/2013 10:39:32]
AdwCleaner[S7].txt - [1280 octets] - [04/06/2013 14:50:26]
AdwCleaner[S8].txt - [1340 octets] - [05/06/2013 10:37:56]
AdwCleaner[S9].txt - [1271 octets] - [09/06/2013 16:25:24]

########## EOF - C:\AdwCleaner[S9].txt - [1331 octets] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Administrator on 09/06/2013 at 16:30:56.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{978C152A-0BCF-4611-9BBB-424E1CD2FAC3}

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 09/06/2013 at 16:36:15.98
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 16:40:06 on 2013-06-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.195 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Shaw Secure 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *Enabled*
FW: McAfee Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.castanet.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341851542156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340575457296
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2013-5-22 26872]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-7-17 565888]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-7-17 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-3-13 418376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-2 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-2 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-2 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-2 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2013-4-2 203840]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-4-2 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-4-2 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-2 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-13 22856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-2 235264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-2 363080]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2013-4-2 84904]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-3-13 701512]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-4-2 146872]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-12-19 21504]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\admini~1\locals~1\temp\mfe_rr.sys --> c:\docume~1\admini~1\locals~1\temp\mfe_rr.sys [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-2 65928]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2013-4-2 84904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-4-2 92632]
S3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-4 715520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-06-09 23:30:53 -------- d-----w- c:\windows\ERUNT
2013-06-09 23:30:20 -------- d-----w- C:\JRT
2013-05-28 03:51:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-28 03:51:32 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-25 16:00:01 -------- d-----w- c:\program files\VS Revo Group
2013-05-23 15:46:52 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-22 16:09:11 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2013-05-22 16:09:11 -------- d-----w- c:\documents and settings\administrator\application data\FixTDSS
2013-05-22 14:13:59 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2013-05-20 17:44:58 -------- d-----w- c:\program files\HitmanPro
2013-05-17 21:32:25 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-17 17:06:01 -------- d-----w- c:\program files\ESET
2013-05-17 14:51:01 7016152 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{ea09e488-4372-40e6-bf98-70a64a36bf0f}\mpengine.dll
2013-05-17 14:44:09 -------- d-----w- c:\documents and settings\administrator\local settings\application data\TopArcadeHits
2013-05-13 20:33:57 -------- d-sha-r- C:\cmdcons
2013-05-13 20:28:08 98816 ----a-w- c:\windows\sed.exe
2013-05-13 20:28:08 256000 ----a-w- c:\windows\PEV.exe
2013-05-13 20:28:08 208896 ----a-w- c:\windows\MBR.exe
2013-05-11 16:27:07 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-11 10:37:28 209472 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-05-08 14:54:34 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-02 09:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-30 17:31:45 1898001 ----a-w- c:\program files\MGtools.exe
2013-03-29 18:57:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-14 23:24:41 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-14 23:24:41 782240 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-20 01:29:45 231374 ----a-w- c:\program files\cc_20110619_182910.reg
2006-08-14 18:59:19 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2004-08-04 12:00:00 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe
.
============= FINISH: 16:41:20.54 ===============

 Results of screen317's Security Check version 0.99.64 
 Windows XP Service Pack 3 x86  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
McAfee Anti-Virus and Anti-Spyware  
Shaw Secure 9.01                    
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Windows Defender   
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java 7 Update 21 
 Adobe Reader 9 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````

#4 LordNoZoo (Topic Starter, Members, 18 posts)

Posted 09 June 2013 - 07:58 PM

Sorry Nasdaq, one more thing, you did want to know what problems persist.

Per my second post in the other thread (shown below) I still have a systemroot\system32\svchost.exe -k rpcss (incorrect image path) coming up under the Windows integrity check in Grinler's RKill (which, again, wasn't there before).

Posted 24 May 2013 - 05:46 PM

Oh, and also new - since, I'd say, the Java update 21 - in Grinler's RKill, I now get a systemroot\system32\svchost.exe -k rpcss (incorrect image path) under the Windows integrity check that I wasn't getting afore, ever, until now.

If that tells you anything.

#5 nasdaq (Malware Response Team, 40,238 posts, Montreal, QC. Canada)

Posted 10 June 2013 - 07:26 AM

Remove this old version of Adobe Reader 9 using the Add/Remove Programs list.
===

You do not need this Symantec tool.
It may just be the reason TDSSKILLER will not run.

Please run Notepad and copy the following text into a new file:

rem FixTDSS is the driver service left behind by Symantec's FixTDSS tool (c:\windows\system32\drivers\FixTDSS.sys)
rem disable it, stop it if it is loaded, then remove the service registration
sc config FixTDSS start= disabled
sc stop FixTDSS
sc delete FixTDSS

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors are encountered, please post them.
When done you can delete the remove.bat file.

Delete the file in bold.
c:\windows\system32\drivers\FixTDSS.sys

Restart the computer normally.

Give TDSSKiller another try.
==
Please run ComboFix one more time. If prompted to update please do. Post a fresh log for my review.

#6 LordNoZoo (Topic Starter, Members, 18 posts)

Posted 10 June 2013 - 01:14 PM

Good morning Nasdaq, thanks so much for your attendance, sorry to be such a bother. If I'm giving you too much information in response, please let me know.

Remove this old version of Adobe Reader 9 using the Add/Remove Program list

Only Adobe 9 file on the (Add/Remove) list was an old "spelling and dictionary" (which I removed).  Unless it's Adobe AIR? Otherwise only Adobe XI and Flashplayer (recently updated version) and, the Adobe AIR.  I left the AIR on there but again, deleted the spelling & dictionary 9 program; thank you.

Please run Notepad and copy the following text into a new file

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors are encountered, please post them.
When done you can delete the remove.bat file.

Delete the file in bold.
c:\windows\system32\drivers\FixTDSS.sys

Restart the computer normally.

Give TDSSKiller another try.

Did all of that, went well, but, still had the cmd prompt box along with the "run TDSS?" box on the restart.  (Interesting to note though, the "run TDSS?" pop-up box had a different file name this time (80AC4D26-IBBE-4804-82E6-5674D9A7345.exe) than what I had saved it as on the desktop (ieexplorer.exe); maybe that's to be expected, dunno, but that's a first.)

Please run the ComboFix one more time. If prompted to update please do

I did, and was prompted with an update.  Please note, I had turned off both the real-time scanning and firewalls on both McAfee and Malwarebytes but, ComboFix said it (McAfee) was still "on" and that it would "run at my own risk".  I let it go as I didn't want to touch the PC, as instructed by the program.  3 mins into the scan, I had a Virtual Memory too low pop-up which I also didn't touch (that closed after stage 50).  During stage 4, McAfee "detected and quarantined" a malicious file (also didn't touch that pop-up) and, after the ComboFix log popped up, I had to "reset Internet Explorer as default browser" (although I seem to recall I had to do that the last time I ran it as well).

Anyway, here is the log.  If you need me to run ComboFix again (if McAfee was indeed still on), I'm sure you will let me know.  I haven't tried restarting the machine after the ComboFix - wanted to get this log to you - but will do that now and report back, hopefully, if there's anything else wonky.

Thanks again Nasdaq, I certainly do appreciate all your effort on my behalf.

ComboFix 13-06-08.02 - Administrator 10/06/2013  10:24:31.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.149 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Shaw Secure 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Shaw Secure 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-10 to 2013-06-10  )))))))))))))))))))))))))))))))
.
.
2013-06-09 23:30 . 2013-06-09 23:30 -------- d-----w- c:\windows\ERUNT
2013-06-09 23:30 . 2013-06-09 23:30 -------- d-----w- C:\JRT
2013-05-28 03:51 . 2013-05-28 03:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-28 03:51 . 2013-05-28 03:51 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-25 16:00 . 2013-05-25 16:00 -------- d-----w- c:\program files\VS Revo Group
2013-05-23 15:46 . 2013-04-04 12:22 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-22 16:09 . 2013-05-22 16:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixTDSS
2013-05-22 14:13 . 2013-05-22 14:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2013-05-20 17:44 . 2013-05-20 17:44 -------- d-----w- c:\program files\HitmanPro
2013-05-17 21:32 . 2013-05-26 23:08 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-17 17:06 . 2013-05-17 17:06 -------- d-----w- c:\program files\ESET
2013-05-17 14:51 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{EA09E488-4372-40E6-BF98-70A64A36BF0F}\mpengine.dll
2013-05-17 14:44 . 2013-05-17 16:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TopArcadeHits
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-14 14:36 . 2013-03-30 17:32 600150 ----a-w- C:\MGlogs.zip
2013-05-13 06:19 . 2010-05-14 14:07 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-08 14:54 . 2013-05-08 14:54 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-02 09:06 . 2010-05-09 16:52 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17 . 2004-08-04 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 12:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 21:50 . 2013-03-14 00:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 12:35 . 2013-05-11 16:27 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-30 17:31 . 2013-03-30 17:31 1898001 ----a-w- c:\program files\MGtools.exe
2013-03-29 18:57 . 2013-03-29 18:57 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-14 23:24 . 2012-06-28 13:08 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-14 23:24 . 2010-04-21 15:28 782240 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-20 01:29 . 2011-06-20 01:29 231374 ----a-w- c:\program files\cc_20110619_182910.reg
2006-08-14 18:59 . 2006-08-14 18:57 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2004-08-04 12:00 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [2005-03-13 147456]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [17/07/2012 3:09 PM 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [13/03/2013 5:48 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/03/2013 5:48 PM 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [02/04/2013 10:58 AM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [02/04/2013 10:46 AM 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [02/04/2013 10:57 AM 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/03/2013 5:47 PM 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [02/04/2013 10:57 AM 363080]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [02/04/2013 10:58 AM 84904]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [02/04/2013 11:01 AM 146872]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [19/12/2011 7:46 PM 21504]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [02/04/2013 10:58 AM 84904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [02/04/2013 10:57 AM 92632]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 14028804
*NewlyCreated* - 89334600
*Deregistered* - 14028804
*Deregistered* - 89334600
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ    scan
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-10 c:\windows\Tasks\User_Feed_Synchronization-{BA0BB46C-BAEA-49B8-AFF8-61DE8D5641AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.castanet.net/
TCP: DhcpNameServer = 64.59.168.13 64.59.168.15 64.59.174.84
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-04325841.sys
SafeBoot-11865956.sys
SafeBoot-14028804.sys
SafeBoot-15750995.sys
SafeBoot-20205275.sys
SafeBoot-33558739.sys
SafeBoot-39035753.sys
SafeBoot-40401454.sys
SafeBoot-45543478.sys
SafeBoot-50266177.sys
SafeBoot-59665480.sys
SafeBoot-70568550.sys
SafeBoot-73069124.sys
SafeBoot-84734350.sys
SafeBoot-94541839.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-10 10:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0d,a8,54,ef,0e,bb,4e,bd,9b,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,6f,0f,db,06,1f,e8,41,b3,82,c9,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-10  10:44:36
ComboFix-quarantined-files.txt  2013-06-10 17:44
ComboFix2.txt  2013-05-13 21:27
.
Pre-Run: 53,113,393,152 bytes free
Post-Run: 52,783,243,264 bytes free
.
- - End Of File - - F4E9D6D72F60300C28A46B0E0282EE46
8F558EB6672622401DA993E1E865C861
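
The block of R*/S* lines in the ComboFix log above is what a responder reads first: an image ComboFix marks with "[?]" no longer exists where the service registration points (a stale entry, or a file that hides itself from the scanner), and a driver registered out of a temp directory, like MFE_RR here, is the kind of entry you confirm rather than assume is benign even when the name suggests a vendor's on-demand tool. The Python below is an added example for this page, not ComboFix's own code and not something posted in the thread. Its sample lines are copied from the log above; the reading of R/S as running/stopped and of the digit as the Windows start type is an assumption about ComboFix's format, and the function names and the list of "suspect" directories are my choices.

```python
"""Triage the service/driver lines of a ComboFix log.

Added example for this page; it is not ComboFix's own code. Assumed
line format (as printed in the log above):
    <R|S><start type> <service name>;<display name>;<image path> [<file info>]
where R/S is taken to mean running/stopped, the digit the Windows start
type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and a trailing
"[?]" after "-->" means ComboFix could not find the image on disk.
"""
import re

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Directories a driver or service image should not normally be loaded from
# (user-writable, so anything can drop a file there). Assumed list.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\appdata\\")


def _image_path(s):
    """Strip quotes and trailing service arguments from a quoted image path."""
    s = s.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s


def parse_service_line(line):
    """Parse one R*/S* line; return a dict, or None when the line is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Missing images are printed as "\??\<path> --> <path> [?]"; keep the resolved path.
    tail = rest.split(" --> ")[-1].strip()
    missing = tail.endswith("[?]")
    without_info = re.sub(r"\s*\[[^\]]*\]$", "", tail)   # drop "[date time size]" / "[?]"
    return {
        "name": m.group("name"),
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), "unknown"),
        "path": _image_path(without_info),
        "missing": missing,
    }


def flags_for(entry):
    """Return the reasons (possibly none) an analyst would look twice at this entry."""
    reasons = []
    low = entry["path"].lower()
    if entry["missing"]:
        reasons.append("image not found on disk (stale registration, or a file hiding itself)")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("image path is under a user-writable temp/profile directory")
    if low.endswith(".sys") and entry["start"] in ("boot", "system") and entry["missing"]:
        reasons.append("early-start driver registration with no backing file")
    return reasons


def triage(log_text):
    """Map service name -> list of reasons, for every flagged service line in the text."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = flags_for(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [17/07/2012 3:09 PM 91640]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [?]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [19/12/2011 7:46 PM 21504]
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the five sample lines it reports SASDIFSV (a system-start driver whose file is gone) and MFE_RR (a driver registered from the Administrator's Temp directory, file gone); the two McAfee entries and libusb0 pass. A flag is a prompt to check the vendor and the file, not a verdict: both flagged entries here are consistent with security tools that removed their files but left the registration behind.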

#7 nasdaq (Malware Response Team, 40,238 posts, Montreal, QC. Canada)

Posted 11 June 2013 - 07:36 AM

Did all of that, went well, but, still had the cmd prompt box along with the "run TDSS?" box on the restart. (Interesting to note though, the "run TDSS?" pop-up box had a different file name this time (80AC4D26-IBBE-4804-82E6-5674D9A7345.exe) than what I had saved it as on the desktop (ieexplorer.exe); maybe that's to be expected, dunno, but that's a first.)

Both ieexplorer.exe and 80AC4D26-IBBE-4804-82E6-5674D9A7345.exe are suspicious.

Please delete the current version of TDSSKILLER.EXE and restart the computer normally.
Download and run a fresh copy.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    [image: tdss1.png]
  • Click Change parameters
    [image: settings20121003115955.png]
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    [image: tdss3.png]
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    [image: tdss4.jpg]
  • When it finishes, you will either see a report that no threats were found like below:
    [image: tdss5.jpg]
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    [image: tdss7.jpg]
    • If you have files that are shown to fail signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    [image: tdss6.jpg]
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    ieexplorer.exe
    80AC4D26-IBBE-4804-82E6-5674D9A7345.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt
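
Why the instructions above turn on "Detect TDLFS file system": TDL4-family bootkits keep an encrypted private file system in unpartitioned sectors after the last MBR partition, and the Drive and Partition lines TDSSKiller prints at the top of its log (LordNoZoo's log in the next reply has them) contain everything needed to measure that space. The script below is an added example for this page, not TDSSKiller's code and not anything a participant posted. It assumes an XP-era CHS-aligned partition table, so a tail of up to two cylinders is treated as alignment slack (a threshold I chose; it does not fit GPT or modern 1 MiB-aligned disks), the function names are mine, and the second sample log is a constructed variant rather than a real log.

```python
"""Measure the unpartitioned tail of a disk from TDSSKiller's geometry lines.

Added example for this page, not TDSSKiller's own code. The Drive and
Partition lines TDSSKiller prints give disk size, sector size, CHS
geometry and every MBR partition, which is enough to compute how many
sectors sit after the last partition: the region where TDL4-family
bootkits hide their TDLFS volume. Assumption: an XP-era partition table
is CHS-aligned, so a tail of up to two cylinders is alignment slack and
only a larger tail is flagged.
"""
import re

HEX = r"0x[0-9A-Fa-f]+"
DRIVE_RE = re.compile(
    r"Drive (?P<dev>\\Device\\Harddisk\d+\\DR\d+) - Size: (?P<size>" + HEX + r") .*?"
    r"SectorSize: (?P<ss>" + HEX + r"), Cylinders: (?P<cyl>" + HEX + r"), "
    r"SectorsPerTrack: (?P<spt>" + HEX + r"), TracksPerCylinder: (?P<tpc>" + HEX + r")"
)
PART_RE = re.compile(
    r"\\Partition(?P<n>\d+): MBR, Type (?P<type>" + HEX + r"), "
    r"StartLBA (?P<start>" + HEX + r"), BlocksNum (?P<blocks>" + HEX + r")"
)


def parse_layout(log_text):
    """Return disk size in sectors, sectors per cylinder and the sorted partition list."""
    layout = None
    partitions = []
    for line in log_text.splitlines():
        m = DRIVE_RE.search(line)
        if m:
            sector_size = int(m.group("ss"), 16)
            layout = {
                "device": m.group("dev"),
                "sector_size": sector_size,
                "total_sectors": int(m.group("size"), 16) // sector_size,
                "cyl_sectors": int(m.group("tpc"), 16) * int(m.group("spt"), 16),
            }
            continue
        m = PART_RE.search(line)
        if m:
            start = int(m.group("start"), 16)
            blocks = int(m.group("blocks"), 16)
            # (first sector, one past the last sector, partition type byte)
            partitions.append((start, start + blocks, int(m.group("type"), 16)))
    if layout is None:
        raise ValueError("no 'Drive ... Size:' line found in log")
    layout["partitions"] = sorted(partitions)
    return layout


def unallocated_ranges(layout):
    """[start, end) sector ranges no partition covers, in disk order."""
    ranges, cursor = [], 0
    for start, end, _ in layout["partitions"]:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < layout["total_sectors"]:
        ranges.append((cursor, layout["total_sectors"]))
    return ranges


def tail_sectors(layout):
    """Sectors after the end of the last partition."""
    if not layout["partitions"]:
        return layout["total_sectors"]
    return layout["total_sectors"] - layout["partitions"][-1][1]


def suspicious_tail(layout, slack_cylinders=2):
    """True when the tail exceeds the assumed CHS alignment slack."""
    return tail_sectors(layout) > slack_cylinders * layout["cyl_sectors"]


# Geometry lines copied from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
07:06:17.0515 2852  Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:06:17.0546 2852  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
"""
# Constructed variant, not from the thread: same disk, but the partition stops
# roughly 540 MB short of the end, the kind of gap a hidden volume would need.
SHORT_LOG = SAMPLE_LOG.replace("BlocksNum 0x950A5C1", "BlocksNum 0x9400000")

if __name__ == "__main__":
    for label, text in (("thread log", SAMPLE_LOG), ("constructed", SHORT_LOG)):
        lay = parse_layout(text)
        tail = tail_sectors(lay)
        print(f"{label}: {lay['device']} {lay['total_sectors']} sectors, "
              f"unallocated {unallocated_ranges(lay)}, tail {tail} sectors "
              f"({tail * lay['sector_size'] / 2**20:.1f} MiB), "
              f"suspicious={suspicious_tail(lay)}")
```

On the log from this thread the only partition runs from sector 63 to the last full cylinder, leaving 21,168 sectors (about 10 MiB) at the end, under the two-cylinder allowance, so nothing is flagged; the constructed variant leaves over a million sectors unallocated and is. A flagged tail is a reason to dump and inspect those sectors, not a verdict on its own.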

#8 LordNoZoo (Topic Starter, Members, 18 posts)

Posted 11 June 2013 - 09:42 AM

Morning, or afternoon as the case may be, Nasdaq.  As melon scratchers go, this seems to be a real honey-doodle, sorry about that.

Please delete the current version of TDSSKILLER.EXE and restart the computer normally.
Download and run a fresh copy.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

Note, I had renamed the file (from tdsskiller.exe to ieexplorer.exe) on the desktop.  Here is the log - only unsigned files - an old HP Deskjet printer? (Which until, I'd say, about a year ago had an old version Flashplayer 6 as part of its Solution Centre attachment - I didn't know it until I "uninstalled Flashplayer" post the ZeroAccess infection a year ago to clear and update the Flashplayer and I ended up having to do it twice.)  For what that's worth.

Here's the log:

07:06:13.0265 2852  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
07:06:15.0046 2852  ============================================================
07:06:15.0046 2852  Current date / time: 2013/06/11 07:06:15.0046
07:06:15.0046 2852  SystemInfo:
07:06:15.0046 2852 
07:06:15.0046 2852  OS Version: 5.1.2600 ServicePack: 3.0
07:06:15.0046 2852  Product type: Workstation
07:06:15.0046 2852  ComputerName:
07:06:15.0046 2852  UserName: Administrator
07:06:15.0046 2852  Windows directory: C:\WINDOWS
07:06:15.0046 2852  System windows directory: C:\WINDOWS
07:06:15.0046 2852  Processor architecture: Intel x86
07:06:15.0046 2852  Number of processors: 1
07:06:15.0046 2852  Page size: 0x1000
07:06:15.0046 2852  Boot type: Normal boot
07:06:15.0046 2852  ============================================================
07:06:17.0515 2852  Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:06:17.0546 2852  ============================================================
07:06:17.0546 2852  \Device\Harddisk0\DR0:
07:06:17.0546 2852  MBR partitions:
07:06:17.0546 2852  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
07:06:17.0546 2852  ============================================================
07:06:17.0640 2852  C: <-> \Device\Harddisk0\DR0\Partition1
07:06:17.0640 2852  ============================================================
07:06:17.0640 2852  Initialize success
07:06:17.0640 2852  ============================================================
07:06:25.0750 3860  ============================================================
07:06:25.0750 3860  Scan started
07:06:25.0750 3860  Mode: Manual; SigCheck; TDLFS;
07:06:25.0750 3860  ============================================================
07:06:27.0171 3860  ================ Scan system memory ========================
07:06:27.0203 3860  System memory - ok
07:06:27.0203 3860  ================ Scan services =============================
07:06:27.0328 3860  Abiosdsk - ok
07:06:27.0328 3860  abp480n5 - ok
07:06:27.0390 3860  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:06:27.0890 3860  ACPI - ok
07:06:27.0937 3860  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
07:06:28.0140 3860  ACPIEC - ok
07:06:28.0140 3860  adpu160m - ok
07:06:28.0187 3860  [ 75BEE80A25FC7F690DCD57570DC159C1 ] aeaudio         C:\WINDOWS\system32\drivers\aeaudio.sys
07:06:28.0453 3860  aeaudio - ok
07:06:28.0484 3860  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
07:06:28.0687 3860  aec - ok
07:06:28.0718 3860  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
07:06:29.0015 3860  AFD - ok
07:06:29.0031 3860  Aha154x - ok
07:06:29.0046 3860  aic78u2 - ok
07:06:29.0062 3860  aic78xx - ok
07:06:29.0109 3860  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
07:06:29.0343 3860  Alerter - ok
07:06:29.0359 3860  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
07:06:29.0453 3860  ALG - ok
07:06:29.0453 3860  AliIde - ok
07:06:29.0500 3860  [ E6A2299284013EC4DE3419481A62069F ] AmdK8           C:\WINDOWS\system32\DRIVERS\AmdK8.sys
07:06:29.0843 3860  AmdK8 - ok
07:06:29.0859 3860  amsint - ok
07:06:29.0906 3860  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
07:06:30.0046 3860  AppMgmt - ok
07:06:30.0062 3860  asc - ok
07:06:30.0078 3860  asc3350p - ok
07:06:30.0078 3860  asc3550 - ok
07:06:30.0218 3860  [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
07:06:30.0578 3860  aspnet_state - ok
07:06:30.0625 3860  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:06:30.0796 3860  AsyncMac - ok
07:06:30.0828 3860  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
07:06:31.0000 3860  atapi - ok
07:06:31.0015 3860  Atdisk - ok
07:06:31.0062 3860  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:06:31.0281 3860  Atmarpc - ok
07:06:31.0328 3860  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
07:06:31.0546 3860  AudioSrv - ok
07:06:31.0578 3860  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
07:06:31.0781 3860  audstub - ok
07:06:31.0828 3860  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
07:06:32.0015 3860  Beep - ok
07:06:32.0078 3860  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            C:\WINDOWS\system32\qmgr.dll
07:06:32.0500 3860  BITS - ok
07:06:32.0531 3860  [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser         C:\WINDOWS\System32\browser.dll
07:06:32.0718 3860  Browser - ok
07:06:32.0859 3860  catchme - ok
07:06:32.0906 3860  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
07:06:33.0109 3860  cbidf2k - ok
07:06:33.0125 3860  cd20xrnt - ok
07:06:33.0171 3860  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
07:06:33.0359 3860  Cdaudio - ok
07:06:33.0406 3860  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
07:06:33.0765 3860  Cdfs - ok
07:06:33.0828 3860  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:06:34.0062 3860  Cdrom - ok
07:06:34.0140 3860  [ 25C323075C5EA4A2555E35355A01F793 ] cfwids          C:\WINDOWS\system32\drivers\cfwids.sys
07:06:34.0500 3860  cfwids - ok
07:06:34.0500 3860  Changer - ok
07:06:34.0562 3860  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
07:06:34.0781 3860  CiSvc - ok
07:06:34.0828 3860  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
07:06:35.0312 3860  ClipSrv - ok
07:06:35.0390 3860  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
07:06:36.0093 3860  clr_optimization_v2.0.50727_32 - ok
07:06:36.0234 3860  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
07:06:36.0546 3860  clr_optimization_v4.0.30319_32 - ok
07:06:36.0546 3860  CmdIde - ok
07:06:36.0562 3860  COMSysApp - ok
07:06:36.0593 3860  Cpqarray - ok
07:06:36.0640 3860  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
07:06:36.0843 3860  CryptSvc - ok
07:06:36.0859 3860  dac2w2k - ok
07:06:36.0859 3860  dac960nt - ok
07:06:36.0921 3860  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
07:06:37.0015 3860  DcomLaunch - ok
07:06:37.0093 3860  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
07:06:37.0281 3860  Dhcp - ok
07:06:37.0312 3860  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
07:06:37.0578 3860  Disk - ok
07:06:37.0578 3860  dmadmin - ok
07:06:37.0687 3860  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
07:06:38.0062 3860  dmboot - ok
07:06:38.0125 3860  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\DRIVERS\dmio.sys
07:06:38.0359 3860  dmio - ok
07:06:38.0406 3860  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
07:06:38.0687 3860  dmload - ok
07:06:38.0734 3860  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
07:06:39.0062 3860  dmserver - ok
07:06:39.0078 3860  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
07:06:39.0468 3860  DMusic - ok
07:06:39.0515 3860  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
07:06:39.0859 3860  Dnscache - ok
07:06:39.0921 3860  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
07:06:40.0187 3860  Dot3svc - ok
07:06:40.0203 3860  dpti2o - ok
07:06:40.0250 3860  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
07:06:40.0484 3860  drmkaud - ok
07:06:40.0531 3860  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
07:06:40.0765 3860  EapHost - ok
07:06:40.0828 3860  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
07:06:41.0046 3860  ERSvc - ok
07:06:41.0109 3860  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
07:06:41.0218 3860  Eventlog - ok
07:06:41.0343 3860  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
07:06:41.0546 3860  EventSystem - ok
07:06:41.0609 3860  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
07:06:41.0843 3860  Fastfat - ok
07:06:41.0921 3860  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
07:06:42.0312 3860  FastUserSwitchingCompatibility - ok
07:06:42.0359 3860  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\drivers\Fdc.sys
07:06:42.0609 3860  Fdc - ok
07:06:42.0640 3860  [ CFC4CC73C903152A23E1DB28EABA1F03 ] FETND5BV        C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
07:06:42.0921 3860  FETND5BV - ok
07:06:42.0921 3860  FETNDIS - ok
07:06:42.0984 3860  [ B0F11E97B051E7DCCA40B0453F985636 ] FETNDISB        C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
07:06:43.0328 3860  FETNDISB - ok
07:06:43.0343 3860  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
07:06:43.0593 3860  Fips - ok
07:06:43.0625 3860  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\drivers\Flpydisk.sys
07:06:43.0843 3860  Flpydisk - ok
07:06:43.0921 3860  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\drivers\fltmgr.sys
07:06:44.0171 3860  FltMgr - ok
07:06:44.0281 3860  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
07:06:44.0343 3860  FontCache3.0.0.0 - ok
07:06:44.0375 3860  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:06:44.0640 3860  Fs_Rec - ok
07:06:44.0687 3860  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:06:44.0937 3860  Ftdisk - ok
07:06:44.0953 3860  [ 3A74C423CF6BCCA6982715878F450A3B ] gagp30kx        C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
07:06:45.0203 3860  gagp30kx - ok
07:06:45.0250 3860  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:06:45.0453 3860  Gpc - ok
07:06:45.0593 3860  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
07:06:45.0843 3860  helpsvc - ok
07:06:45.0859 3860  HidServ - ok
07:06:46.0031 3860  [ D61E53E3FEC0C92BC8DD3969FAD63F87 ] HipShieldK      C:\WINDOWS\system32\drivers\HipShieldK.sys
07:06:46.0359 3860  HipShieldK - ok
07:06:46.0421 3860  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
07:06:46.0625 3860  hkmsvc - ok
07:06:46.0640 3860  hpn - ok
07:06:46.0859 3860  [ CE0FCEC4D4D860F36D972759B11EAF0F ] hpqcxs08        C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
07:06:46.0906 3860  hpqcxs08 ( UnsignedFile.Multi.Generic ) - warning
07:06:46.0906 3860  hpqcxs08 - detected UnsignedFile.Multi.Generic (1)
07:06:46.0984 3860  [ 7DA3211AC63EDD90B8ECA1CA1ABFD43B ] hpqddsvc        C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
07:06:47.0187 3860  hpqddsvc ( UnsignedFile.Multi.Generic ) - warning
07:06:47.0187 3860  hpqddsvc - detected UnsignedFile.Multi.Generic (1)
07:06:47.0265 3860  [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412        C:\WINDOWS\system32\DRIVERS\HPZid412.sys
07:06:47.0796 3860  HPZid412 - ok
07:06:47.0875 3860  [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12        C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
07:06:47.0968 3860  HPZipr12 - ok
07:06:48.0015 3860  [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12        C:\WINDOWS\system32\DRIVERS\HPZius12.sys
07:06:48.0109 3860  HPZius12 - ok
07:06:48.0281 3860  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
07:06:48.0625 3860  HTTP - ok
07:06:48.0796 3860  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
07:06:49.0015 3860  HTTPFilter - ok
07:06:49.0015 3860  i2omgmt - ok
07:06:49.0031 3860  i2omp - ok
07:06:49.0078 3860  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:06:49.0312 3860  i8042prt - ok
07:06:49.0500 3860  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
07:06:49.0906 3860  idsvc - ok
07:06:49.0937 3860  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
07:06:50.0140 3860  Imapi - ok
07:06:50.0250 3860  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
07:06:50.0531 3860  ImapiService - ok
07:06:50.0546 3860  ini910u - ok
07:06:50.0562 3860  IntelIde - ok
07:06:50.0593 3860  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\drivers\ip6fw.sys
07:06:50.0828 3860  Ip6Fw - ok
07:06:50.0859 3860  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:06:51.0078 3860  IpFilterDriver - ok
07:06:51.0109 3860  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:06:51.0328 3860  IpInIp - ok
07:06:51.0421 3860  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:06:51.0671 3860  IpNat - ok
07:06:51.0703 3860  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:06:51.0921 3860  IPSec - ok
07:06:51.0937 3860  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
07:06:52.0109 3860  IRENUM - ok
07:06:52.0171 3860  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
07:06:52.0375 3860  isapnp - ok
07:06:52.0609 3860  [ 5739F2821D49975CEDE6BF0153D0CF01 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
07:06:52.0921 3860  JavaQuickStarterService - ok
07:06:52.0968 3860  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
07:06:53.0218 3860  Kbdclass - ok
07:06:53.0281 3860  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
07:06:53.0500 3860  kmixer - ok
07:06:53.0531 3860  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
07:06:53.0734 3860  KSecDD - ok
07:06:53.0765 3860  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver    C:\WINDOWS\System32\srvsvc.dll
07:06:54.0062 3860  lanmanserver - ok
07:06:54.0187 3860  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
07:06:54.0531 3860  lanmanworkstation - ok
07:06:54.0546 3860  lbrtfdc - ok
07:06:54.0625 3860  [ B280C4608AC389DA9515A35AC4CAB0FD ] libusb0         C:\WINDOWS\system32\drivers\libusb0.sys
07:06:55.0062 3860  libusb0 ( UnsignedFile.Multi.Generic ) - warning
07:06:55.0062 3860  libusb0 - detected UnsignedFile.Multi.Generic (1)
07:06:55.0156 3860  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
07:06:55.0390 3860  LmHosts - ok
07:06:55.0453 3860  [ 4470E3C1E0C3378E4CAB137893C12C3A ] MBAMProtector   C:\WINDOWS\system32\drivers\mbam.sys
07:06:55.0859 3860  MBAMProtector - ok
07:06:56.0062 3860  [ 65085456FD9A74D7F1A999520C299ECB ] MBAMScheduler   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
07:06:56.0453 3860  MBAMScheduler - ok
07:06:56.0625 3860  [ E0D7732F2D2E24B2DB3F67B6750295B8 ] MBAMService     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
07:06:56.0859 3860  MBAMService - ok
07:06:57.0031 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] McAfee SiteAdvisor Service C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:57.0218 3860  McAfee SiteAdvisor Service - ok
07:06:57.0265 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] McMPFSvc        C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:57.0296 3860  McMPFSvc - ok
07:06:57.0343 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] mcmscsvc        C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:57.0375 3860  mcmscsvc - ok
07:06:57.0421 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] McNaiAnn        C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:57.0453 3860  McNaiAnn - ok
07:06:57.0468 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] McNASvc         C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:57.0484 3860  McNASvc - ok
07:06:57.0843 3860  [ E352CC1723B3B69A7BB1E81DBC9D9D78 ] McODS           C:\Program Files\McAfee\VirusScan\mcods.exe
07:06:58.0156 3860  McODS - ok
07:06:58.0187 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] McProxy         C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:06:58.0218 3860  McProxy - ok
07:06:58.0375 3860  [ 6FE0532CB16300C09D098F808EAAEE9D ] McShield        C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
07:06:58.0656 3860  McShield - ok
07:06:58.0687 3860  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
07:06:58.0937 3860  Messenger - ok
07:06:59.0031 3860  [ 6708AD7D9ABDD6FDE1EB9B54FFE426B0 ] mfeapfk         C:\WINDOWS\system32\drivers\mfeapfk.sys
07:06:59.0328 3860  mfeapfk - ok
07:06:59.0421 3860  [ 375DE90B68533D9D0D7766D4CCB4CA32 ] mfeavfk         C:\WINDOWS\system32\drivers\mfeavfk.sys
07:06:59.0968 3860  mfeavfk - ok
07:06:59.0984 3860  mfeavfk01 - ok
07:07:00.0078 3860  [ 5ED806D4DF27AC11236BD9AD2CC10B7E ] mfebopk         C:\WINDOWS\system32\drivers\mfebopk.sys
07:07:00.0281 3860  mfebopk - ok
07:07:00.0453 3860  [ 1A427BB508ACBEE09A88F08D1CA38E2F ] mfefire         C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
07:07:00.0734 3860  mfefire - ok
07:07:00.0765 3860  [ 16BF9475BFCFAA420A8CB29E40284457 ] mfefirek        C:\WINDOWS\system32\drivers\mfefirek.sys
07:07:01.0140 3860  mfefirek - ok
07:07:01.0203 3860  [ 875452ECDF4AEBE12B8C2EFD8599A36F ] mfehidk         C:\WINDOWS\system32\drivers\mfehidk.sys
07:07:01.0687 3860  mfehidk - ok
07:07:01.0765 3860  [ 3004E3FE086E76D7D6DFB9A851ED6F10 ] mfendisk        C:\WINDOWS\system32\DRIVERS\mfendisk.sys
07:07:01.0953 3860  mfendisk - ok
07:07:01.0968 3860  [ 3004E3FE086E76D7D6DFB9A851ED6F10 ] mfendiskmp      C:\WINDOWS\system32\DRIVERS\mfendisk.sys
07:07:02.0000 3860  mfendiskmp - ok
07:07:02.0046 3860  [ D669ACBE7672819109706C3CFF6BD1DB ] mferkdet        C:\WINDOWS\system32\drivers\mferkdet.sys
07:07:02.0203 3860  mferkdet - ok
07:07:02.0250 3860  [ 1328C929A2F801BB93DBDFCDC25E0E7A ] mfetdi2k        C:\WINDOWS\system32\drivers\mfetdi2k.sys
07:07:02.0406 3860  mfetdi2k - ok
07:07:02.0468 3860  [ D66A1A16166897A5F7D04961F582F03B ] mfevtp          C:\WINDOWS\system32\mfevtps.exe
07:07:02.0609 3860  mfevtp - ok
07:07:02.0609 3860  MFE_RR - ok
07:07:02.0656 3860  [ 63C34814492AA65FC517B002DE77B191 ] MidiSyn         C:\WINDOWS\system32\drivers\MidiSyn.sys
07:07:02.0890 3860  MidiSyn - ok
07:07:02.0937 3860  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
07:07:03.0125 3860  mnmdd - ok
07:07:03.0171 3860  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
07:07:03.0359 3860  mnmsrvc - ok
07:07:03.0406 3860  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
07:07:03.0593 3860  Modem - ok
07:07:03.0593 3860  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
07:07:03.0781 3860  Mouclass - ok
07:07:03.0812 3860  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
07:07:04.0000 3860  MountMgr - ok
07:07:04.0171 3860  [ 70C14F5CCA5CF73F8A645C73A01D8726 ] MQAC            C:\WINDOWS\system32\drivers\mqac.sys
07:07:04.0328 3860  MQAC - ok
07:07:04.0328 3860  mraid35x - ok
07:07:04.0375 3860  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
07:07:04.0593 3860  MRxDAV - ok
07:07:04.0640 3860  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:07:05.0062 3860  MRxSmb - ok
07:07:05.0109 3860  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
07:07:05.0312 3860  MSDTC - ok
07:07:05.0359 3860  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
07:07:05.0546 3860  Msfs - ok
07:07:05.0546 3860  MSIServer - ok
07:07:05.0578 3860  [ ECAB006AC6136F1307E140B633CDB8C2 ] MSK80Service    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
07:07:05.0593 3860  MSK80Service - ok
07:07:05.0625 3860  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
07:07:05.0812 3860  MSKSSRV - ok
07:07:05.0859 3860  [ AFB909B537AAE1BEAE7BBDB6A36D40B0 ] MSMQ            C:\WINDOWS\system32\mqsvc.exe
07:07:05.0937 3860  MSMQ - ok
07:07:05.0984 3860  [ 7F955FF3B1BB93376EBE75D5ACCDC6DB ] MSMQTriggers    C:\WINDOWS\system32\mqtgsvc.exe
07:07:06.0078 3860  MSMQTriggers - ok
07:07:06.0125 3860  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
07:07:06.0312 3860  MSPCLOCK - ok
07:07:06.0359 3860  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
07:07:06.0546 3860  MSPQM - ok
07:07:06.0562 3860  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
07:07:06.0734 3860  mssmbios - ok
07:07:06.0781 3860  [ D48659BB24C48345D926ECB45C1EBDF5 ] MTsensor        C:\WINDOWS\system32\DRIVERS\ASACPI.sys
07:07:06.0843 3860  MTsensor - ok
07:07:06.0921 3860  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
07:07:07.0171 3860  Mup - ok
07:07:07.0234 3860  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
07:07:07.0437 3860  napagent - ok
07:07:07.0484 3860  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
07:07:07.0687 3860  NDIS - ok
07:07:07.0703 3860  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
07:07:08.0015 3860  NdisTapi - ok
07:07:08.0062 3860  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
07:07:08.0390 3860  Ndisuio - ok
07:07:08.0421 3860  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
07:07:08.0656 3860  NdisWan - ok
07:07:08.0703 3860  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
07:07:09.0109 3860  NDProxy - ok
07:07:09.0171 3860  [ A081CB6FB9A12668F233EB5414BE3A0E ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
07:07:09.0390 3860  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
07:07:09.0390 3860  Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
07:07:09.0421 3860  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
07:07:09.0671 3860  NetBIOS - ok
07:07:09.0703 3860  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
07:07:09.0906 3860  NetBT - ok
07:07:09.0921 3860  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
07:07:10.0156 3860  NetDDE - ok
07:07:10.0171 3860  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
07:07:10.0359 3860  NetDDEdsdm - ok
07:07:10.0609 3860  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
07:07:10.0875 3860  Netlogon - ok
07:07:10.0906 3860  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
07:07:11.0109 3860  Netman - ok
07:07:11.0171 3860  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
07:07:11.0203 3860  NetTcpPortSharing - ok
07:07:11.0265 3860  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
07:07:11.0562 3860  Nla - ok
07:07:11.0609 3860  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
07:07:11.0812 3860  Npfs - ok
07:07:12.0265 3860  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
07:07:12.0765 3860  Ntfs - ok
07:07:12.0781 3860  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
07:07:13.0171 3860  NtLmSsp - ok
07:07:13.0250 3860  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
07:07:13.0515 3860  NtmsSvc - ok
07:07:13.0546 3860  [ A568B9A9FFE2D9387222A5C90F86D731 ] NTSIM           C:\WINDOWS\system32\ntsim.sys
07:07:13.0609 3860  NTSIM ( UnsignedFile.Multi.Generic ) - warning
07:07:13.0609 3860  NTSIM - detected UnsignedFile.Multi.Generic (1)
07:07:13.0687 3860  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
07:07:13.0875 3860  Null - ok
07:07:13.0906 3860  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
07:07:14.0093 3860  NwlnkFlt - ok
07:07:14.0125 3860  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
07:07:14.0375 3860  NwlnkFwd - ok
07:07:14.0609 3860  [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv          C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
07:07:14.0984 3860  odserv - ok
07:07:15.0171 3860  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
07:07:15.0390 3860  ose - ok
07:07:15.0453 3860  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
07:07:15.0640 3860  Parport - ok
07:07:15.0671 3860  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
07:07:15.0906 3860  PartMgr - ok
07:07:16.0000 3860  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
07:07:16.0218 3860  ParVdm - ok
07:07:16.0234 3860  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
07:07:16.0437 3860  PCI - ok
07:07:16.0468 3860  PCIDump - ok
07:07:16.0625 3860  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
07:07:16.0953 3860  PCIIde - ok
07:07:17.0031 3860  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
07:07:17.0296 3860  Pcmcia - ok
07:07:17.0312 3860  PDCOMP - ok
07:07:17.0328 3860  PDFRAME - ok
07:07:17.0328 3860  PDRELI - ok
07:07:17.0343 3860  PDRFRAME - ok
07:07:17.0359 3860  perc2 - ok
07:07:17.0375 3860  perc2hib - ok
07:07:17.0437 3860  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
07:07:17.0484 3860  PlugPlay - ok
07:07:17.0562 3860  [ 65BC271F337637731D3C71455AE1F476 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
07:07:17.0843 3860  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
07:07:17.0843 3860  Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
07:07:17.0890 3860  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
07:07:18.0046 3860  PolicyAgent - ok
07:07:18.0125 3860  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
07:07:18.0515 3860  PptpMiniport - ok
07:07:18.0546 3860  [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor       C:\WINDOWS\system32\DRIVERS\processr.sys
07:07:18.0750 3860  Processor - ok
07:07:18.0812 3860  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
07:07:18.0984 3860  ProtectedStorage - ok
07:07:19.0015 3860  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
07:07:19.0218 3860  PSched - ok
07:07:19.0265 3860  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
07:07:19.0515 3860  Ptilink - ok
07:07:19.0531 3860  ql1080 - ok
07:07:19.0546 3860  Ql10wnt - ok
07:07:19.0562 3860  ql12160 - ok
07:07:19.0578 3860  ql1240 - ok
07:07:19.0593 3860  ql1280 - ok
07:07:19.0671 3860  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
07:07:20.0109 3860  RasAcd - ok
07:07:20.0187 3860  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
07:07:20.0406 3860  RasAuto - ok
07:07:20.0437 3860  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
07:07:20.0640 3860  Rasl2tp - ok
07:07:20.0750 3860  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
07:07:20.0984 3860  RasMan - ok
07:07:21.0000 3860  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
07:07:21.0218 3860  RasPppoe - ok
07:07:21.0281 3860  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
07:07:21.0468 3860  Raspti - ok
07:07:21.0578 3860  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
07:07:21.0765 3860  Rdbss - ok
07:07:21.0906 3860  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:07:22.0140 3860  RDPCDD - ok
07:07:22.0171 3860  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
07:07:22.0375 3860  rdpdr - ok
07:07:22.0437 3860  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
07:07:23.0015 3860  RDPWD - ok
07:07:23.0156 3860  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
07:07:23.0359 3860  RDSessMgr - ok
07:07:23.0375 3860  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
07:07:23.0671 3860  redbook - ok
07:07:23.0750 3860  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
07:07:23.0937 3860  RemoteAccess - ok
07:07:24.0000 3860  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
07:07:24.0281 3860  RemoteRegistry - ok
07:07:24.0359 3860  [ 96F7A9A7BF0C9C0440A967440065D33C ] RMCAST          C:\WINDOWS\system32\drivers\RMCast.sys
07:07:24.0562 3860  RMCAST - ok
07:07:24.0609 3860  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
07:07:24.0828 3860  RpcLocator - ok
07:07:24.0921 3860  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\System32\rpcss.dll
07:07:24.0984 3860  RpcSs - ok
07:07:25.0046 3860  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
07:07:25.0250 3860  RSVP - ok
07:07:25.0375 3860  [ A6886CAF9D03DADE7144171E471ECA6F ] rt2870          C:\WINDOWS\system32\DRIVERS\rt2870.sys
07:07:25.0781 3860  rt2870 ( UnsignedFile.Multi.Generic ) - warning
07:07:25.0781 3860  rt2870 - detected UnsignedFile.Multi.Generic (1)
07:07:25.0812 3860  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
07:07:26.0015 3860  SamSs - ok
07:07:26.0031 3860  SASDIFSV - ok
07:07:26.0031 3860  SASKUTIL - ok
07:07:26.0093 3860  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
07:07:26.0281 3860  SCardSvr - ok
07:07:26.0328 3860  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
07:07:26.0578 3860  Schedule - ok
07:07:26.0593 3860  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
07:07:26.0718 3860  Secdrv - ok
07:07:26.0781 3860  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
07:07:27.0000 3860  seclogon - ok
07:07:27.0031 3860  [ 9A4C4A4B191200F12085D188BE70E4E3 ] senfilt         C:\WINDOWS\system32\drivers\senfilt.sys
07:07:27.0296 3860  senfilt - ok
07:07:27.0375 3860  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
07:07:27.0609 3860  SENS - ok
07:07:27.0640 3860  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
07:07:27.0953 3860  serenum - ok
07:07:27.0984 3860  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
07:07:28.0187 3860  Serial - ok
07:07:28.0250 3860  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
07:07:28.0500 3860  Sfloppy - ok
07:07:28.0578 3860  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
07:07:28.0859 3860  SharedAccess - ok
07:07:28.0875 3860  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
07:07:28.0906 3860  ShellHWDetection - ok
07:07:28.0921 3860  Simbad - ok
07:07:29.0078 3860  [ 93560891704BBF5FF11E8D16C41698E5 ] smwdm           C:\WINDOWS\system32\drivers\smwdm.sys
07:07:29.0609 3860  smwdm - ok
07:07:29.0843 3860  [ 3978F082274F723AD5A0A8058C2417DD ] SoundMAX Agent Service (default) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
07:07:29.0921 3860  SoundMAX Agent Service (default) ( UnsignedFile.Multi.Generic ) - warning
07:07:29.0921 3860  SoundMAX Agent Service (default) - detected UnsignedFile.Multi.Generic (1)
07:07:29.0921 3860  Sparrow - ok
07:07:29.0953 3860  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
07:07:30.0171 3860  splitter - ok
07:07:30.0218 3860  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
07:07:30.0687 3860  Spooler - ok
07:07:30.0875 3860  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
07:07:30.0984 3860  sr - ok
07:07:31.0046 3860  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
07:07:31.0171 3860  srservice - ok
07:07:31.0203 3860  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
07:07:31.0562 3860  Srv - ok
07:07:31.0593 3860  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
07:07:31.0718 3860  SSDPSRV - ok
07:07:31.0921 3860  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
07:07:32.0187 3860  stisvc - ok
07:07:32.0203 3860  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
07:07:32.0468 3860  swenum - ok
07:07:32.0515 3860  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
07:07:32.0765 3860  swmidi - ok
07:07:32.0765 3860  SwPrv - ok
07:07:32.0781 3860  symc810 - ok
07:07:32.0796 3860  symc8xx - ok
07:07:32.0812 3860  sym_hi - ok
07:07:32.0812 3860  sym_u3 - ok
07:07:32.0843 3860  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
07:07:33.0296 3860  sysaudio - ok
07:07:33.0593 3860  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
07:07:33.0781 3860  SysmonLog - ok
07:07:33.0859 3860  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
07:07:34.0109 3860  TapiSrv - ok
07:07:34.0187 3860  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
07:07:34.0281 3860  Tcpip - ok
07:07:34.0343 3860  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
07:07:34.0531 3860  TDPIPE - ok
07:07:34.0546 3860  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
07:07:34.0750 3860  TDTCP - ok
07:07:34.0781 3860  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
07:07:35.0000 3860  TermDD - ok
07:07:35.0078 3860  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
07:07:35.0265 3860  TermService - ok
07:07:35.0296 3860  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
07:07:35.0312 3860  Themes - ok
07:07:35.0390 3860  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
07:07:35.0531 3860  TlntSvr - ok
07:07:35.0546 3860  TosIde - ok
07:07:35.0593 3860  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
07:07:35.0875 3860  TrkWks - ok
07:07:35.0906 3860  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
07:07:36.0125 3860  Udfs - ok
07:07:36.0140 3860  ultra - ok
07:07:36.0218 3860  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
07:07:36.0484 3860  Update - ok
07:07:36.0593 3860  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
07:07:36.0843 3860  upnphost - ok
07:07:36.0875 3860  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
07:07:37.0062 3860  UPS - ok
07:07:37.0093 3860  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
07:07:37.0296 3860  usbccgp - ok
07:07:37.0328 3860  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
07:07:37.0609 3860  usbehci - ok
07:07:37.0671 3860  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
07:07:37.0875 3860  usbhub - ok
07:07:37.0906 3860  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
07:07:38.0140 3860  usbprint - ok
07:07:38.0234 3860  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
07:07:38.0421 3860  usbscan - ok
07:07:38.0500 3860  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
07:07:38.0765 3860  USBSTOR - ok
07:07:38.0781 3860  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
07:07:38.0953 3860  usbuhci - ok
07:07:38.0984 3860  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
07:07:39.0234 3860  VgaSave - ok
07:07:39.0265 3860  [ FF711CE141339479363E6E4B0FF328B9 ] viagfx          C:\WINDOWS\system32\DRIVERS\vtmini.sys
07:07:39.0671 3860  viagfx - ok
07:07:39.0734 3860  [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde          C:\WINDOWS\system32\DRIVERS\viaide.sys
07:07:39.0953 3860  ViaIde - ok
07:07:40.0015 3860  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
07:07:40.0234 3860  VolSnap - ok
07:07:40.0343 3860  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
07:07:40.0484 3860  VSS - ok
07:07:40.0687 3860  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         C:\WINDOWS\system32\w32time.dll
07:07:41.0031 3860  W32Time - ok
07:07:41.0093 3860  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
07:07:41.0640 3860  Wanarp - ok
07:07:41.0640 3860  WDICA - ok
07:07:41.0718 3860  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
07:07:41.0953 3860  wdmaud - ok
07:07:42.0000 3860  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
07:07:42.0250 3860  WebClient - ok
07:07:42.0375 3860  [ F45DD1E1365D857DD08BC23563370D0E ] WinDefend       C:\Program Files\Windows Defender\MsMpEng.exe
07:07:42.0421 3860  WinDefend - ok
07:07:42.0718 3860  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
07:07:43.0000 3860  winmgmt - ok
07:07:43.0062 3860  [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
07:07:43.0421 3860  WmdmPmSN - ok
07:07:43.0546 3860  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
07:07:43.0671 3860  Wmi - ok
07:07:43.0703 3860  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
07:07:44.0046 3860  WmiApSrv - ok
07:07:44.0218 3860  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
07:07:44.0484 3860  WMPNetworkSvc - ok
07:07:44.0859 3860  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
07:07:45.0328 3860  WPFFontCache_v0400 - ok
07:07:45.0390 3860  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
07:07:45.0593 3860  WS2IFSL - ok
07:07:45.0656 3860  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
07:07:45.0875 3860  wscsvc - ok
07:07:45.0953 3860  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
07:07:46.0140 3860  wuauserv - ok
07:07:46.0171 3860  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
07:07:46.0234 3860  WudfPf - ok
07:07:46.0265 3860  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
07:07:46.0328 3860  WudfRd - ok
07:07:46.0359 3860  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
07:07:46.0421 3860  WudfSvc - ok
07:07:46.0578 3860  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
07:07:46.0890 3860  WZCSVC - ok
07:07:46.0953 3860  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
07:07:47.0312 3860  xmlprov - ok
07:07:47.0328 3860  ================ Scan global ===============================
07:07:47.0421 3860  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
07:07:47.0531 3860  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
07:07:47.0921 3860  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
07:07:47.0953 3860  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
07:07:47.0953 3860  [Global] - ok
07:07:47.0953 3860  ================ Scan MBR ==================================
07:07:47.0984 3860  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
07:07:48.0906 3860  \Device\Harddisk0\DR0 - ok
07:07:48.0906 3860  ================ Scan VBR ==================================
07:07:48.0906 3860  [ 6782DAF7C6F3D83E9910AB896FF2CA5F ] \Device\Harddisk0\DR0\Partition1
07:07:48.0906 3860  \Device\Harddisk0\DR0\Partition1 - ok
07:07:48.0906 3860  ============================================================
07:07:48.0906 3860  Scan finished
07:07:48.0906 3860  ============================================================
07:07:49.0031 3964  Detected object count: 8
07:07:49.0031 3964  Actual detected object count: 8
07:08:41.0000 3964  hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  hpqddsvc ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  libusb0 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  libusb0 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  NTSIM ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  NTSIM ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0015 3964  rt2870 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0015 3964  rt2870 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0015 3964  SoundMAX Agent Service (default) ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0015 3964  SoundMAX Agent Service (default) ( UnsignedFile.Multi.Generic ) - User select action: Skip

Both ieexplorer.exe and 80AC4D26-IBBE-4804-82E6-5674D9A7345.exe are suspicious

  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    ieexplorer.exe
    80AC4D26-IBBE-4804-82E6-5674D9A7345.exe

Again Nasdaq, I had renamed the file to ieexplorer.exe.  However, when I ran the (former) TDSSKiller file yesterday, after restarting the PC after running ComboFix (testing restart), it came up with yet another different file name, so I took the liberty of adding it to the search (SystemLook).  Unfortunately, try as I might to record the file names correctly, it appears that I did not, as they didn't show up.  Here is the log; I will wait for your further direction.

I cannot thank you enough for your help Nasdaq...bleeping computer!

SystemLook 30.07.11 by jpshortstuff
Log created at 07:25 on 11/06/2013 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "ieexplorer.exe"
No files found.

Searching for "80AC4D26-IBBE-4804-82E6-5674D9A7345.exe"
No files found.

Searching for "83OD8350-58CB-48AB-B7C9-70DB284A83FD.exe"
No files found.

-= EOF =-
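Added example, not part of LordNoZoo's post and not code from TDSSKiller or SystemLook: a small Python parser for the TDSSKiller log format above, a triage step, and a sanity check for the GUID-style file names that SystemLook reported as "No files found". TDSSKiller's UnsignedFile.Multi.Generic only says the driver or service file carries no digital signature; it is not a malware verdict, so "Skip" is a defensible answer for the eight entries above (HP printer services, libusb0, rt2870, SoundMAX) once their paths have been looked at. The second check rests on the fact that a GUID is 8-4-4-4-12 hexadecimal digits: a name containing I or O, or whose last group has 11 characters, cannot have been copied exactly, which is consistent with the two "No files found" results. The sample lines are copied from the log above except one hypothetical detection (hypothetical_svc, invented verdict string) added so the non-informational branch runs; the INFORMATIONAL set and the two check functions are this example's own.

```python
import re
import string

# Constructed sample: lines copied from the TDSSKiller log posted above, plus one
# hypothetical detection (hypothetical_svc, invented verdict string) added so the
# non-informational branch of the triage is exercised.
SAMPLE_LOG = r"""
07:07:37.0093 3860  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
07:07:37.0296 3860  usbccgp - ok
07:07:42.0375 3860  [ F45DD1E1365D857DD08BC23563370D0E ] WinDefend       C:\Program Files\Windows Defender\MsMpEng.exe
07:07:44.0859 3860  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
07:07:47.0421 3860  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
07:07:47.0984 3860  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
07:07:48.0906 3860  \Device\Harddisk0\DR0 - ok
07:07:48.0906 3860  [ 6782DAF7C6F3D83E9910AB896FF2CA5F ] \Device\Harddisk0\DR0\Partition1
07:07:49.0031 3964  Detected object count: 8
07:08:41.0000 3964  libusb0 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  libusb0 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0000 3964  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0000 3964  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0015 3964  rt2870 ( UnsignedFile.Multi.Generic ) - skipped by user
07:08:41.0015 3964  rt2870 ( UnsignedFile.Multi.Generic ) - User select action: Skip
07:08:41.0020 3964  hypothetical_svc ( Hypothetical.Example.Verdict ) - User select action: Skip
"""

PREFIX = r'^\d\d:\d\d:\d\d\.\d+ \d+\s+'
# "[ md5 ] name path" for services/drivers; the name is absent for the global
# DLLs and the MBR/VBR entries, whose "path" is a drive path or a \Device path.
HASH_RE = re.compile(PREFIX + r'\[ ([0-9A-F]{32}) \] (?:(.*?)\s+)?([A-Za-z]:\\\S.*|\\Device\\\S.*)$')
COUNT_RE = re.compile(PREFIX + r'Detected object count: (\d+)$')
DETECT_RE = re.compile(PREFIX + r'(.+?) \( ([\w.]+) \) - (.*)$')

def parse_tdsskiller(text):
    """modules: name -> (md5, path); hashes: nameless path -> md5;
    detections: name -> {'verdict', 'action'}; count: declared object count."""
    out = {'modules': {}, 'hashes': {}, 'detections': {}, 'count': None}
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if m:
            md5, name, path = m.groups()
            if name:
                out['modules'][name] = (md5, path)
            else:
                out['hashes'][path] = md5
            continue
        m = COUNT_RE.match(line)
        if m:
            out['count'] = int(m.group(1))
            continue
        m = DETECT_RE.match(line)
        if m:
            name, verdict, tail = m.groups()
            det = out['detections'].setdefault(name, {'verdict': verdict, 'action': None})
            if tail.startswith('User select action:'):
                det['action'] = tail.split(':', 1)[1].strip()
    return out

# "Unsigned file" means exactly that: no Authenticode signature.  It is not a
# malware verdict, so it is the one class where "Skip" is a defensible answer.
INFORMATIONAL = {'UnsignedFile.Multi.Generic'}

def triage(parsed):
    """Split detections into unsigned-file notices and real verdicts, and list
    any real verdict the user skipped (those should not be left behind)."""
    informational, actionable = [], []
    for name, det in sorted(parsed['detections'].items()):
        entry = (name, det['verdict'], det['action'])
        (informational if det['verdict'] in INFORMATIONAL else actionable).append(entry)
    return {'informational': informational, 'actionable': actionable,
            'skipped_real_verdicts': [e for e in actionable if e[2] == 'Skip']}

def guid_name_problems(filename):
    """Why a GUID-style file name cannot be an exact copy: a GUID is 8-4-4-4-12
    hex digits, so letters such as I or O (easily confused with 1 and 0) or a
    short group mean the name was mistyped and a file search will miss it."""
    stem = filename[:-4] if filename.lower().endswith('.exe') else filename
    groups = stem.split('-')
    problems = []
    lengths = [len(g) for g in groups]
    if lengths != [8, 4, 4, 4, 12]:
        problems.append('group lengths %s, expected [8, 4, 4, 4, 12]' % lengths)
    bad = sorted({c for c in stem if c != '-' and c not in string.hexdigits})
    if bad:
        problems.append('non-hex characters %s' % bad)
    return problems
```

Run `guid_name_problems()` on a name before pasting it into a `:filefind` search; if it returns anything, re-read the name from the screen (or copy it from the process list) rather than retyping it. The module table `parse_tdsskiller()` builds is also what you would compare against a known-good hash list when deciding whether an unsigned driver deserves a closer look.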



#9 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:31 PM

Posted 11 June 2013 - 12:33 PM

The TDSSKILLER log is clean.

Any remaining issues?

#10 LordNoZoo
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 11 June 2013 - 01:15 PM

Thanks Nasdaq.  So, not to worry then about the cmd prompt pop-up that still comes up when rebooting following loaded modules (in the TDSS Killer program)?

Also, while I have you, if I may, the machine still seems choppy, runs a lot of virtual memory (getting the minimum low pop-up quite a bit of late) and I do get, a few times a day, Malwarebytes blocking "outgoing" malicious sites.  Don't know if it's relative or not, but again, while I have you, thought I should mention them.

I will of course take any advice/recommendations you may have for me on the above, or any other suggestions you may have. If everything's coming up clean then I'm not to worry.

Thank you again for your time throughout.



#11 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:31 PM

Posted 12 June 2013 - 07:26 AM

So, not to worry then about the cmd prompt pop-up that still comes-up when rebooting following loaded modules (in the TDSS Killer program)?


FixTDSS was disabled in post no. 5. I see no reason for it to be started when you boot your system.

Let's check the registry.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    FixTDSS
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Also open the boot.ini file in the C:\ root folder.
Is there any reference to FixTdss or the presence of a CMD function in the log?

Post the content if not sure.

Edited by nasdaq, 12 June 2013 - 07:27 AM.


#12 LordNoZoo
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 12 June 2013 - 08:18 AM

FixTDSS was disabled in post no. 5. I see no reason for it to be started when you boot your system.

Forgive me Nasdaq, I don't mean to confuse.  Two different TDSS programs: FixTDSS by Symantec, removed in post 5; and TDSSKiller by Kaspersky, still on the machine.  I still have the cmd prompt pop-up blocking the TDSSKiller by Kaspersky from running (following restart) if I check the loaded modules box and then reboot the machine as required. After restart, the cmd prompt pop-up and the runTDSS? boxes both just sit there staring at each other.

Let's check the registry. Double-click SystemLook.exe to run it.

Copy and paste the content of the following bold text into the main textfield:
:regfind
FixTDSS

Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 05:30 on 12/06/2013 by Administrator
Administrator - Elevation successful

========== regfind ==========

Searching for "FixTDSS"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QCEC6R6X\FixTDSS[1].exe"="TDSS Fix Tool"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe"="TDSS Fix Tool"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FIXTDSS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FIXTDSS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FIXTDSS]
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QCEC6R6X\FixTDSS[1].exe"="TDSS Fix Tool"
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe"="TDSS Fix Tool"

-= EOF =-

Also open the boot.ini file in the C:\ root folder.
Is there any reference to FixTdss or the presence of a CMD function in the log?

Hope I have the right folder.  (I notice a number of files shown as almost transparent/faded-out, if you will, in that directory, including the referenced boot.ini file and a cmdcons folder. Just so you know.)

In any case, here is the boot.ini contents:

[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Don't know if any of this is helping you Nasdaq, and I really am sorry to be such a bother.  Thank you for your patience and help.

PS. I have a Windows Update notice this morning.  Is it all right to go ahead with that, or would you rather I wait?

Thanks Nasdaq.
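Added example, not from either poster and not SystemLook's or ComboFix's code: a Python pass over the two things nasdaq asked for in post #11, the boot.ini and the regfind hits, that makes the reasoning explicit. For boot.ini it parses the [Boot Loader] and [Operating Systems] sections, checks that the default points at a listed entry, looks for a given string (FixTDSS here), flags switches it does not recognise, and notes entries that boot a file image instead of a partition (the C:\CMDCONS\BOOTSECT.DAT Recovery Console entry, the cmdcons folder mentioned above, is one) or whose target is not an ARC path (the UnsupportedDebug line). For the regfind output it buckets each hit by what the location means: MUICache holds display names of programs that have been run, so those hits are an execution trace rather than a start-up point, and the Enum\Root\LEGACY_FIXTDSS keys are what the service control manager leaves behind for a kernel-mode service that was started once; only a hit under a Run or Winlogon key would explain something launching at boot. Both samples are copied from the post above; the KNOWN_SWITCHES set is a subset this example assumes, and the single Run-key hit is a hypothetical line added to show that branch, it is not in the log.

```python
import re

# Constructed sample: the boot.ini posted above, verbatim.
BOOT_INI = r"""
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Constructed sample: the SystemLook regfind hits posted above (one duplicated
# MUICache hit dropped) plus one hypothetical Run-key hit that is NOT in the log.
REGFIND = r"""
Searching for "FixTDSS"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QCEC6R6X\FixTDSS[1].exe"="TDSS Fix Tool"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe"="TDSS Fix Tool"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FIXTDSS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FIXTDSS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FIXTDSS]
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Administrator\Desktop\FixTDSS.exe"="TDSS Fix Tool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hypothetical"="C:\hypothetical\FixTDSS.exe"
"""

# Boot switches this example recognises (an assumed subset of the XP switches).
KNOWN_SWITCHES = {'/fastdetect', '/noexecute', '/cmdcons', '/debug', '/safeboot',
                  '/sos', '/bootlog', '/basevideo', '/nodebug'}

def parse_boot_ini(text):
    """Return {'timeout', 'default', 'entries': [(target, label, [switches])]}."""
    info, section = {'timeout': None, 'default': None, 'entries': []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == '[' and line[-1] == ']':
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition('=')   # first '=' separates target from label
        if section == 'boot loader':
            if key.lower() == 'timeout':
                info['timeout'] = int(value)
            elif key.lower() == 'default':
                info['default'] = value
        elif section == 'operating systems':
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            label, switches = (m.group(1), m.group(2).split()) if m else (value, [])
            info['entries'].append((key, label, switches))
    return info

def review_boot_ini(info, needle='FixTDSS'):
    """Findings: a default with no entry, an entry mentioning the needle, an
    unknown switch, an entry that boots a file image rather than a partition,
    or a target that is neither an ARC path nor a file."""
    findings = []
    if info['default'] not in [e[0] for e in info['entries']]:
        findings.append('default %r has no [Operating Systems] entry' % info['default'])
    for target, label, switches in info['entries']:
        blob = ' '.join([target, label] + switches).lower()
        if needle.lower() in blob:
            findings.append('%r mentions %s' % (label, needle))
        for sw in switches:
            if sw.split('=', 1)[0].lower() not in KNOWN_SWITCHES:
                findings.append('%r uses unrecognised switch %s' % (label, sw))
        if re.match(r'^[a-z]:\\', target.lower()):
            findings.append('%r boots the file %s, not a partition' % (label, target))
        elif not re.match(r'^(multi|scsi|signature)\(', target.lower()):
            findings.append('%r target %r is neither an ARC path nor a file' % (label, target))
    return findings

def parse_regfind(text):
    """Return [(key, value_name, value_data)]; name/data are None for key-only hits."""
    hits, pending = [], None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            if pending:
                hits.append((pending, None, None))
            pending = line[1:-1]
        elif line.startswith('"') and pending:
            name, _, data = line[1:].partition('"=')
            hits.append((pending, name, data.strip('"')))
            pending = None
    if pending:
        hits.append((pending, None, None))
    return hits

def classify_hits(hits):
    """MUICache = names of programs that have run (execution trace, not a start-up
    point); Enum\\Root\\LEGACY_* = service control manager residue for a kernel-mode
    service that was started once; Run/Winlogon = locations that launch at boot."""
    buckets = {'execution_trace': [], 'legacy_service': [], 'autostart': [], 'other': []}
    for hit in hits:
        k = hit[0].lower()
        if k.endswith('\\muicache'):
            buckets['execution_trace'].append(hit)
        elif '\\enum\\root\\legacy_' in k:
            buckets['legacy_service'].append(hit)
        elif '\\currentversion\\run' in k or '\\currentversion\\winlogon' in k:
            buckets['autostart'].append(hit)
        else:
            buckets['other'].append(hit)
    return buckets
```

On the posted data `review_boot_ini()` finds no FixTDSS reference, and `classify_hits()` puts every real hit in the execution-trace or legacy-service bucket with nothing under autostart, which is the registry-side reason a leftover FixTDSS would not be what starts at boot. The hypothetical Run-key line is the shape a finding would take if one did.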



#13 nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:31 PM

Posted 12 June 2013 - 08:42 AM

PS. I have a Windows Update notice this morning. Is it alright to go ahead with that? or would you rather I wait?

New security updates were issued by Microsoft. Wait; try this first.

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FIXTDSS]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FIXTDSS]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FIXTDSS]
[-HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
[-HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]

ClearJavaCache::
Save this as CFScript.txt on your desktop.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Restart the computer normally and let me know if the problem persists.

p.s.
You may be asked to update ComboFix, please do.

#14 LordNoZoo
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 12 June 2013 - 10:01 AM

That's interesting Nasdaq, I definitely turned off the McAfee firewall when ComboFix told me to, but I note at the top of the log it says it's enabled.

Also, my Malwarebytes and McAfee lower taskbar icons disappear (each time) we've run ComboFix, which they did also just now, but this time the McAfee icon didn't return...it's gonzo and I don't know what happened to it (?). Seems awfully curious to me.

(If we ever get through this process, I am definitely going to some other AV program; McAfee is...heavy and unreliable! It came with the ISP.)

Here is the log.  I will now restart the machine (make sure it boots properly) and then try the TDSSKiller by Kaspersky again with the loaded modules box checked and see if the cmd prompt pop-up box comes with it on that restart (or not) and report back (hopefully) in another post.

Thanks again Nasdaq.

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

ComboFix 13-06-08.02 - Administrator 12/06/2013   7:31.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.152 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Shaw Secure 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Shaw Secure 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-12 to 2013-06-12  )))))))))))))))))))))))))))))))
.
.
2013-06-09 23:30 . 2013-06-09 23:30 -------- d-----w- c:\windows\ERUNT
2013-06-09 23:30 . 2013-06-11 22:40 -------- d-----w- C:\JRT
2013-05-28 03:51 . 2013-05-28 03:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-28 03:51 . 2013-05-28 03:51 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-25 16:00 . 2013-05-25 16:00 -------- d-----w- c:\program files\VS Revo Group
2013-05-23 15:46 . 2013-04-04 12:22 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-22 16:09 . 2013-05-22 16:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixTDSS
2013-05-22 14:13 . 2013-05-22 14:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2013-05-20 17:44 . 2013-05-20 17:44 -------- d-----w- c:\program files\HitmanPro
2013-05-17 21:32 . 2013-05-26 23:08 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-17 17:06 . 2013-05-17 17:06 -------- d-----w- c:\program files\ESET
2013-05-17 14:51 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{EA09E488-4372-40E6-BF98-70A64A36BF0F}\mpengine.dll
2013-05-17 14:44 . 2013-05-17 16:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TopArcadeHits
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-14 14:36 . 2013-03-30 17:32 600150 ----a-w- C:\MGlogs.zip
2013-05-13 06:19 . 2010-05-14 14:07 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-08 14:54 . 2013-05-08 14:54 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-02 09:06 . 2010-05-09 16:52 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17 . 2004-08-04 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 12:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 21:50 . 2013-03-14 00:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 12:35 . 2013-05-11 16:27 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-30 17:31 . 2013-03-30 17:31 1898001 ----a-w- c:\program files\MGtools.exe
2013-03-29 18:57 . 2013-03-29 18:57 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-14 23:24 . 2012-06-28 13:08 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-14 23:24 . 2010-04-21 15:28 782240 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-20 01:29 . 2011-06-20 01:29 231374 ----a-w- c:\program files\cc_20110619_182910.reg
2006-08-14 18:59 . 2006-08-14 18:57 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2004-08-04 12:00 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [2005-03-13 147456]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [17/07/2012 3:09 PM 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [13/03/2013 5:48 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/03/2013 5:48 PM 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [02/04/2013 10:58 AM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [02/04/2013 10:46 AM 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [02/04/2013 10:57 AM 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/03/2013 5:47 PM 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [02/04/2013 10:57 AM 363080]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [02/04/2013 10:58 AM 84904]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [02/04/2013 11:01 AM 146872]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [19/12/2011 7:46 PM 21504]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [02/04/2013 10:58 AM 84904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [02/04/2013 10:57 AM 92632]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ    scan
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-12 c:\windows\Tasks\User_Feed_Synchronization-{BA0BB46C-BAEA-49B8-AFF8-61DE8D5641AD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.castanet.net/
TCP: DhcpNameServer = 64.59.168.13 64.59.168.15 64.59.174.84
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-24499359.sys
SafeBoot-66490183.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-12 07:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-602162358-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0d,a8,54,ef,0e,bb,4e,bd,9b,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,07,6f,0f,db,06,1f,e8,41,b3,82,c9,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,02,59,ef,36,4b,33,47,be,e4,e7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-12  07:45:43
ComboFix-quarantined-files.txt  2013-06-12 14:45
ComboFix2.txt  2013-06-10 17:44
ComboFix3.txt  2013-05-13 21:27
.
Pre-Run: 52,592,902,144 bytes free
Post-Run: 52,241,055,744 bytes free
.
- - End Of File - - CE86ED42D5905F97A5326E339BDA06D1
8F558EB6672622401DA993E1E865C861
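Added example, not ComboFix's code and not from either poster: a Python pass over the parts of the ComboFix log above that a reviewer reads first, the Run values under "Reg Loading Points" and the R/S service and driver lines. It parses the state letter (R running, S stopped), the start type digit, the display name and the image path, and then flags four things: images ComboFix marked with "--> path [?]", meaning it found no file at that path (SASDIFSV, SASKUTIL and MFE_RR above); images under a Temp directory (the MFE_RR entry points into Local Settings\Temp); boot- or system-start drivers that live outside system32\drivers; and Run values that give a bare file name rather than a full path (VTtrayp.exe and mqrt.dll above), since a bare name is resolved through the search path rather than a fixed location. The sample lines are copied from the log; the flags are this example's own review thresholds, not a verdict on the products named, and each one is a reason to open the entry, not a reason to delete it.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted above (one Run
# key and five service/driver lines).  The checks below only surface what a
# reviewer would open first; they are not verdicts on the products named.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [2005-03-13 147456]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [17/07/2012 3:09 PM 91640]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [02/04/2013 10:57 AM 167784]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [19/12/2011 7:46 PM 21504]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [?]
"""

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\CurrentVersion\\Run[^\]]*)\]$', re.I)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')
# "<R|S><start type> name;display name;image [date size]" or "... --> image [?]"
SERVICE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$')

def image_path(raw):
    """Strip ComboFix decoration from a service image: \\??\\ prefix, quotes, arguments."""
    raw = raw.strip()
    if raw.startswith('\\??\\'):
        raw = raw[4:]
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)]
    return raw

def parse_combofix(text):
    """Return {'run': [(key, name, command)], 'services': [dict per R/S line]}."""
    out = {'run': [], 'services': []}
    run_key = None
    for line in text.splitlines():
        if line == '.':            # ComboFix separates blocks with a lone '.'
            run_key = None
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            run_key = m.group(1)
            continue
        m = RUN_VALUE_RE.match(line)
        if m and run_key:
            out['run'].append((run_key, m.group(1), m.group(2)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, rest = m.groups()
            missing = ' --> ' in rest
            image = rest.split(' --> ', 1)[0] if missing else rest.rsplit(' [', 1)[0]
            out['services'].append({'name': name, 'display': display,
                                    'running': state == 'R', 'start': int(start),
                                    'image': image_path(image), 'missing': missing})
    return out

def review(parsed):
    """Return [(kind, name, reason)] for entries a reviewer should open."""
    findings = []
    for key, name, cmd in parsed['run']:
        if '\\' not in cmd:
            findings.append(('run', name,
                             'bare file name %r is resolved through the search path' % cmd))
    for s in parsed['services']:
        img = s['image'].lower()
        if s['missing']:
            findings.append(('service', s['name'], 'image file not found: ' + s['image']))
        if '\\temp\\' in img or '\\temporary internet files\\' in img:
            findings.append(('service', s['name'], 'image lives in a temporary directory'))
        if img.endswith('.sys') and s['start'] <= 1 and '\\system32\\drivers\\' not in img:
            findings.append(('service', s['name'],
                             'boot/system-start driver outside system32\\drivers'))
    return findings
```

A missing image is not by itself evidence of anything (the SUPERAntiSpyware and McAfee entries above are uninstall leftovers by the look of their paths), but it is exactly the kind of dangling registration a later dropper can reuse by placing a file at that path, so it belongs on the clean-up list once the active problem is solved.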



#15 LordNoZoo
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:31 PM

Posted 12 June 2013 - 10:34 AM

No, regrettably, still getting both a cmd prompt pop-up and the run TDSSKiller? boxes coming up on the restart when I check the loaded modules box in the TDSSKiller by Kaspersky. Sorry to say Nasdaq.  Anyhow, perhaps you see something in the last ComboFix log.

My McAfee icon did return once I restarted (and I certainly did have to turn back on both the firewall and the real-time scanning).  For your info.

Bleeping computer!