Posts posted by JohanF
There were no error messages during the last reboot!
The AutoIt Error is also gone (I discovered that AutoRun Eater was not running and re-installed it, which seemed to solve the problem) -
ComboFix 12-07-30.03 - User 2012/07/31 19:21:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2878 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\3002.abs
c:\documents and settings\User\Application Data\tazebama
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_1.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_2.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_1.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_2.ini
c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr\Desktop_.ini
c:\documents and settings\User\mail.dat
c:\documents and settings\User\mess.dat
c:\documents and settings\User\My Documents\~WRL0946.tmp
c:\documents and settings\User\My Documents\~WRL1821.tmp
c:\documents and settings\User\My Documents\~WRL2902.tmp
c:\windows\EventSystem.log
c:\windows\system32\test
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))
.
.
2012-07-31 16:58 . 2012-07-31 16:58 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-31 16:56 . 2012-07-31 16:56 -------- d-----w- c:\program files\Autorun Eater
2012-07-31 05:43 . 2012-07-31 15:04 -------- d-----w- c:\windows\system32\NtmsData
2012-07-30 11:19 . 2012-07-30 11:19 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2012-07-30 11:19 . 2012-07-31 12:33 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-30 11:19 . 2012-07-31 12:33 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-07-30 11:19 . 2012-07-30 11:19 -------- d-----w- c:\program files\Avira
2012-07-30 11:19 . 2012-07-30 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-07-30 11:19 . 2011-09-15 21:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-30 10:37 . 2012-07-30 10:37 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-07-30 10:37 . 2012-07-30 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-30 10:37 . 2012-07-31 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-30 10:37 . 2012-07-03 11:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-23 08:35 . 2012-07-23 08:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-31 16:44 . 2009-02-10 08:42 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-31 16:44 . 2009-02-10 08:41 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-31 08:09 . 2009-02-10 08:43 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-30 20:09 . 2009-02-27 15:27 0 ----a-w- c:\documents and settings\User\Local Settings\Application Data\WavXMapDrive.bat
2012-07-30 15:48 . 2009-02-10 15:56 143360 ----a-w- c:\windows\system32\igfxtray.exe
2012-07-30 13:48 . 2009-03-04 12:45 45056 ----a-w- c:\documents and settings\User\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2012-07-30 11:21 . 2009-02-10 20:01 471040 ----a-w- c:\windows\system32\AESTFltr.exe
2012-07-30 11:21 . 2009-02-10 15:56 178712 ----a-w- c:\windows\system32\hkcmd.exe
2012-07-30 11:21 . 2009-02-10 15:56 150040 ----a-w- c:\windows\system32\igfxpers.exe
2012-07-30 11:21 . 2009-02-10 08:27 49152 ----a-w- c:\windows\system32\ico.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2012-07-30 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2012-07-30 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2012-07-30 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2012-07-30 471040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-30 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-30 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-30 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2012-07-30 136600]
"PMX Daemon"="ICO.EXE" [2012-07-30 49152]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2012-07-30 178712]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2012-07-30 128296]
"MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-09-08 272384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-07-31 348624]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2010-05-06 516216]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-2-10 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Office2003 CD-Key.doc.exe"= ipsec
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\IDT\\WDM\\sttray.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTTray.exe"=
"c:\\Program Files\\Autorun Eater\\oldmcdonald.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Digital Line Detect\\DLG.exe"=
"c:\\Program Files\\DellTPad\\Apoint.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=
"c:\windows\TEMP\fxslt.exe"= ipsec
"c:\\WINDOWS\\system32\\AESTFltr.exe"=
"c:\program files\DellTPad\ApMsgFwd.exe"= ipsec
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012/07/30 01:19 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2012/07/30 01:19 PM 86224]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007/04/19 07:56 AM 133968]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2008/11/11 06:35 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2008/11/11 06:35 PM 20840]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010/09/08 03:44 PM 8704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009/02/10 05:55 PM 112128]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009/02/10 10:25 AM 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009/02/10 05:57 PM 32808]
R3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\drivers\d553bus.sys [2009/02/10 10:35 AM 300672]
R3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\drivers\d553card.sys [2009/02/10 10:35 AM 378368]
R3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\d553gps.sys [2009/02/10 10:35 AM 76328]
R3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\d553mdfl.sys [2009/02/10 10:35 AM 14976]
R3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\drivers\d553mdfl2.sys [2009/02/10 10:35 AM 14976]
R3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\d553mdm.sys [2009/02/10 10:35 AM 387200]
R3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\drivers\d553mdm2.sys [2009/02/10 10:35 AM 431616]
R3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\drivers\d553nd5.sys [2009/02/10 10:35 AM 25984]
R3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\drivers\d553unic.sys [2009/02/10 10:35 AM 402944]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009/02/10 05:56 PM 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009/02/10 05:56 PM 110080]
R3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\d553scard.sys [2009/02/10 10:35 AM 25640]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011/10/14 10:22 AM 135168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012/01/04 04:55 PM 136176]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011/10/14 10:22 AM 103424]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011/08/02 02:28 PM 114432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012/01/04 04:55 PM 136176]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2011/08/02 02:41 PM 100736]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-04 11:22]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-04 11:22]
.
2012-07-31 c:\windows\Tasks\User_Feed_Synchronization-{310B6855-41DA-46A2-9124-C73B1D85E727}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://agriculture.kzntl.gov.za/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.kzntl.gov.za:3128
uInternet Settings,ProxyOverride = *.KZNTL.GOV.ZA; 10.200.188.*;<local>
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.0.0.2
TCP: Interfaces\{12EEDB33-EBF2-456A-9C3B-36CD89EFE58B}: NameServer = 196.43.1.11,196.25.1.11
TCP: Interfaces\{5B852397-714C-400B-85EC-DEFB87AD21CA}: NameServer = 196.43.1.11,196.25.1.11
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-WinApps - c:\documents and settings\User\Application Data\javainst.exe
HKLM-Run-ChangeTPMAuth - c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe
HKLM-Run-WinApps - c:\documents and settings\User\Application Data\javainst.exe
HKLM_ActiveSetup-{6FF1DCAB-A6BA-468D-A7AC-CFEBDECB9BCA} - c:\documents and settings\User\Application Data\javainst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-31 19:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\windows\system32\NetProvCredMan.dll
.
Completion time: 2012-07-31 19:29:03
ComboFix-quarantined-files.txt 2012-07-31 17:29
.
Pre-Run: 95,607,353,344 bytes free
Post-Run: 96,938,545,152 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 277A13F53FBAA259B2F6F47078E74575
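For a responder, the part of the ComboFix log above that carries the most signal is the "Reg Loading Points" section: the Security Center override and DisableNotify values, the standard-profile firewall switched off, firewall exceptions for an executable under c:\windows\TEMP and for "Office2003 CD-Key.doc.exe" inside a directory named like a SID, and TCP 3389 opened to all networks. The script below is an added example and is not part of the forum post, of ComboFix, or of any tool named on the page. It parses those REGEDIT4-style lines (its sample input is copied from the log above and trimmed to the relevant keys) and lists what a triage pass would flag. The expansion of %windir% to c:\windows, the short list of well-known ports and the document/executable double-extension list are assumptions; the one hard rule it applies is that SID sub-authorities are 32-bit values, so a directory name such as S-1-5-31-1286970278978-... cannot be a real SID.

```python
"""Triage helper for the firewall / Security Center part of a ComboFix log.

Added example, not part of the forum post, ComboFix, or any tool named there.
It reads the REGEDIT4-style "Reg Loading Points" lines ComboFix prints and
flags: Security Center overrides, a disabled Windows Firewall, firewall
exceptions for executables in user-writable or temp locations (or with a
document-looking double extension, or living in a SID-named directory), and
globally opened ports.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log in the post above,
# trimmed to the registry keys this helper understands.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\documents and settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Office2003 CD-Key.doc.exe"= ipsec
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Autorun Eater\\oldmcdonald.exe"=
"c:\windows\TEMP\fxslt.exe"= ipsec
"c:\program files\DellTPad\ApMsgFwd.exe"= ipsec
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""


@dataclass(frozen=True)
class Finding:
    section: str   # registry key (lower-cased) the value lives under
    name: str      # value name as printed by ComboFix
    reason: str    # why it was flagged


SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# A path component that looks like a SID, e.g. \S-1-5-21-...-1001\
SID_DIR_RE = re.compile(r"\\(s-1-\d+(?:-\d+)+)\\", re.I)
# Document-looking name ending in an executable extension (assumed list).
DOUBLE_EXT_RE = re.compile(
    r"\.(doc|xls|ppt|pdf|txt|jpg|jpeg|gif|png|avi|mp3)\.(exe|scr|com|pif|bat|cmd)$", re.I)

SC_KEYS = ("hkey_local_machine\\software\\microsoft\\security center",
           "hkey_local_machine\\software\\microsoft\\security center\\svc")
FW_PROFILE = "hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
FW_APPS = FW_PROFILE + "\\authorizedapplications\\list"
FW_PORTS = FW_PROFILE + "\\globallyopenports\\list"
# Assumed mapping of well-known ports, only used to label findings.
KNOWN_PORTS = {"3389:tcp": "Remote Desktop", "445:tcp": "SMB",
               "139:tcp": "NetBIOS session", "23:tcp": "Telnet"}


def parse_reg_points(text):
    """Return {section_key_lowercased: [(value_name, value_data), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def _as_int(value):
    """ComboFix prints DWORDs as 'dword:00000001' or as '1 (0x1)'; None if neither."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-f]+\)", value, re.I)
    return int(m.group(1)) if m else None


def _normalize_path(name):
    """Undo REGEDIT4 backslash escaping, lower-case, expand %windir% (assumed c:\\windows)."""
    return name.replace("\\\\", "\\").lower().replace("%windir%", r"c:\windows")


def fake_sid_reason(path):
    """SID-named directories are unusual in a user profile; one whose sub-authority
    does not fit in 32 bits (SID sub-authorities are DWORDs) cannot be a real SID."""
    m = SID_DIR_RE.search(path)
    if not m:
        return None
    sub_authorities = m.group(1).split("-")[3:]   # skip 'S', revision, identifier authority
    if any(int(p) > 0xFFFFFFFF for p in sub_authorities):
        return f"directory name {m.group(1)} is not a valid SID (sub-authority exceeds 32 bits)"
    return f"SID-named directory {m.group(1)} in the path"


def authorized_app_reasons(name):
    """Heuristics for a firewall AuthorizedApplications entry; empty list means unremarkable."""
    path = _normalize_path(name)
    reasons = []
    if "\\temp\\" in path or "\\tmp\\" in path:
        reasons.append("executable in a temp directory")
    if path.startswith("c:\\documents and settings\\") and "\\all users\\" not in path:
        reasons.append("executable in a user profile (user-writable) location")
    if DOUBLE_EXT_RE.search(path):
        reasons.append("document-looking name with executable extension")
    sid = fake_sid_reason(path)
    if sid:
        reasons.append(sid)
    return reasons


def assess(sections):
    findings = []
    for key in SC_KEYS:
        for name, value in sections.get(key, []):
            if (name.endswith("Override") or name.endswith("DisableNotify")) and _as_int(value) == 1:
                findings.append(Finding(key, name, "Security Center monitoring/notification suppressed"))
    for name, value in sections.get(FW_PROFILE, []):
        if name == "EnableFirewall" and _as_int(value) == 0:
            findings.append(Finding(FW_PROFILE, name, "Windows Firewall disabled for the standard profile"))
        if name == "DisableNotifications" and _as_int(value) == 1:
            findings.append(Finding(FW_PROFILE, name, "firewall notifications disabled"))
    for name, _ in sections.get(FW_APPS, []):
        for reason in authorized_app_reasons(name):
            findings.append(Finding(FW_APPS, name, reason))
    for name, _ in sections.get(FW_PORTS, []):
        label = KNOWN_PORTS.get(name.lower(), "unrecognised service")
        findings.append(Finding(FW_PORTS, name, f"port opened to all networks ({label})"))
    return findings


def triage(text):
    return assess(parse_reg_points(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name!r}: {f.reason}")
```

The script deliberately does not interpret the trailing "ipsec" that ComboFix prints on some exception entries; it flags entries on where the executable lives and what it is called, which is what a second look at the log should start from. Anything it flags in the user profile or TEMP is a candidate for hashing and submission, not an automatic verdict.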
-
Just to let you know - I rebooted before running TDSSKiller (moving from work to home) - the AutoIt Error window still pops up and I also got an "Avgnt.exe - Bad Image" error message: The application or DLL C:\Windows\system32\MSCTF.dll is not a valid Windows image. Please check this against your installation diskette.
-
Suspicious objects found...
17:42:59.0828 2388 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
17:42:59.0843 2388 ============================================================
17:42:59.0843 2388 Current date / time: 2012/07/31 17:42:59.0843
17:42:59.0843 2388 SystemInfo:
17:42:59.0843 2388
17:42:59.0843 2388 OS Version: 5.1.2600 ServicePack: 3.0
17:42:59.0843 2388 Product type: Workstation
17:42:59.0843 2388 ComputerName: EXTENSIONREC136
17:42:59.0843 2388 UserName: User
17:42:59.0843 2388 Windows directory: C:\WINDOWS
17:42:59.0843 2388 System windows directory: C:\WINDOWS
17:42:59.0843 2388 Processor architecture: Intel x86
17:42:59.0843 2388 Number of processors: 2
17:42:59.0843 2388 Page size: 0x1000
17:42:59.0843 2388 Boot type: Normal boot
17:42:59.0843 2388 ============================================================
17:43:00.0390 2388 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:43:00.0390 2388 Drive \Device\Harddisk1\DR5 - Size: 0xEEE00000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:43:00.0390 2388 ============================================================
17:43:00.0390 2388 \Device\Harddisk0\DR0:
17:43:00.0390 2388 MBR partitions:
17:43:00.0390 2388 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x816E1, BlocksNum 0xDF120E0
17:43:00.0390 2388 \Device\Harddisk1\DR5:
17:43:00.0390 2388 MBR partitions:
17:43:00.0390 2388 \Device\Harddisk1\DR5\Partition0: MBR, Type 0xB, StartLBA 0x1F80, BlocksNum 0x775080
17:43:00.0390 2388 ============================================================
17:43:00.0437 2388 C: <-> \Device\Harddisk0\DR0\Partition0
17:43:00.0437 2388 ============================================================
17:43:00.0437 2388 Initialize success
17:43:00.0437 2388 ============================================================
17:44:18.0828 1532 ============================================================
17:44:18.0828 1532 Scan started
17:44:18.0828 1532 Mode: Manual; SigCheck; TDLFS;
17:44:18.0828 1532 ============================================================
17:44:19.0406 1532 Abiosdsk - ok
17:44:19.0468 1532 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:44:20.0750 1532 abp480n5 - ok
17:44:20.0796 1532 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:44:20.0906 1532 ACPI - ok
17:44:20.0906 1532 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
17:44:20.0984 1532 ACPIEC - ok
17:44:21.0031 1532 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:44:21.0156 1532 adpu160m - ok
17:44:21.0218 1532 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:44:21.0343 1532 aec - ok
17:44:21.0375 1532 AESTAud (20f078136f3bdc4c0405c0527b769303) C:\WINDOWS\system32\drivers\AESTAud.sys
17:44:21.0437 1532 AESTAud - ok
17:44:21.0500 1532 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
17:44:21.0562 1532 AFD - ok
17:44:21.0593 1532 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:44:21.0734 1532 agp440 - ok
17:44:21.0734 1532 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:44:21.0843 1532 agpCPQ - ok
17:44:21.0843 1532 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:44:21.0890 1532 Aha154x - ok
17:44:21.0890 1532 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:44:21.0984 1532 aic78u2 - ok
17:44:21.0984 1532 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:44:22.0062 1532 aic78xx - ok
17:44:22.0093 1532 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
17:44:22.0171 1532 Alerter - ok
17:44:22.0187 1532 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
17:44:22.0250 1532 ALG - ok
17:44:22.0296 1532 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
17:44:22.0375 1532 AliIde - ok
17:44:22.0390 1532 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:44:22.0468 1532 alim1541 - ok
17:44:22.0484 1532 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:44:22.0578 1532 amdagp - ok
17:44:22.0593 1532 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
17:44:22.0625 1532 amsint - ok
17:44:22.0843 1532 AntiVirSchedulerService (0a1cc583e8147004e4ad4625d7fbf88c) C:\Program Files\Avira\AntiVir Desktop\sched.exe
17:44:22.0890 1532 AntiVirSchedulerService - ok
17:44:22.0937 1532 AntiVirService (c9a36ef935aced86aedf93e97e606911) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
17:44:22.0937 1532 AntiVirService - ok
17:44:22.0984 1532 ApfiltrService (b83f9da84f7079451c1c6a4a2f140920) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
17:44:23.0031 1532 ApfiltrService - ok
17:44:23.0078 1532 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
17:44:23.0156 1532 AppMgmt - ok
17:44:23.0187 1532 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:44:23.0312 1532 Arp1394 - ok
17:44:23.0390 1532 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
17:44:23.0468 1532 asc - ok
17:44:23.0500 1532 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:44:23.0531 1532 asc3350p - ok
17:44:23.0546 1532 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:44:23.0625 1532 asc3550 - ok
17:44:23.0718 1532 ASFAgent (9ad6ef4d591211a93848103368125b41) C:\Program Files\Intel\ASF Agent\ASFAgent.exe
17:44:23.0734 1532 ASFAgent - ok
17:44:23.0843 1532 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
17:44:23.0875 1532 aspnet_state - ok
17:44:23.0875 1532 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:44:23.0953 1532 AsyncMac - ok
17:44:23.0984 1532 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:44:24.0062 1532 atapi - ok
17:44:24.0062 1532 Atdisk - ok
17:44:24.0062 1532 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:44:24.0156 1532 Atmarpc - ok
17:44:24.0203 1532 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
17:44:24.0281 1532 AudioSrv - ok
17:44:24.0296 1532 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:44:24.0390 1532 audstub - ok
17:44:24.0421 1532 avgntflt (d5541f0afb767e85fc412fc609d96a74) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
17:44:24.0437 1532 avgntflt - ok
17:44:24.0515 1532 avipbb (7d967a682d4694df7fa57d63a2db01fe) C:\WINDOWS\system32\DRIVERS\avipbb.sys
17:44:24.0531 1532 avipbb - ok
17:44:24.0546 1532 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
17:44:24.0562 1532 avkmgr - ok
17:44:24.0578 1532 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:44:24.0671 1532 Beep - ok
17:44:24.0734 1532 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
17:44:24.0890 1532 BITS - ok
17:44:24.0921 1532 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
17:44:25.0015 1532 Browser - ok
17:44:25.0093 1532 btaudio (f688bbbe8e3e7e03e35caabd66616ddb) C:\WINDOWS\system32\drivers\btaudio.sys
17:44:25.0109 1532 btaudio - ok
17:44:25.0156 1532 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
17:44:25.0171 1532 BTDriver - ok
17:44:25.0296 1532 BTKRNL (38a3331e2f690d4cdc9de0604b9416e5) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
17:44:25.0343 1532 BTKRNL - ok
17:44:25.0484 1532 btwdins (d48148110ae078cb7221d0fcf20adfec) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
17:44:25.0500 1532 btwdins - ok
17:44:25.0562 1532 BTWDNDIS (80f61de965c116051614ac2f04222ff7) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
17:44:25.0562 1532 BTWDNDIS - ok
17:44:25.0578 1532 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
17:44:25.0593 1532 btwmodem - ok
17:44:25.0609 1532 BTWUSB (d5af663711660d32ec230c6aaf7b6b83) C:\WINDOWS\system32\Drivers\btwusb.sys
17:44:25.0625 1532 BTWUSB - ok
17:44:25.0687 1532 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:44:25.0906 1532 cbidf - ok
17:44:25.0906 1532 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:44:25.0984 1532 cbidf2k - ok
17:44:26.0046 1532 CCIDFILTER (d006b6a67b8daed85e6d91783e9b45d6) C:\WINDOWS\system32\DRIVERS\ccidflt.sys
17:44:26.0046 1532 CCIDFILTER - ok
17:44:26.0062 1532 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:44:26.0140 1532 cd20xrnt - ok
17:44:26.0187 1532 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:44:26.0265 1532 Cdaudio - ok
17:44:26.0265 1532 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:44:26.0343 1532 Cdfs - ok
17:44:26.0359 1532 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:44:26.0468 1532 Cdrom - ok
17:44:26.0546 1532 Change Modem Device Service (9b4caefdbe28a24e3218775493784cdf) C:\WINDOWS\system32\ChgService.exe
17:44:26.0562 1532 Change Modem Device Service ( UnsignedFile.Multi.Generic ) - warning
17:44:26.0562 1532 Change Modem Device Service - detected UnsignedFile.Multi.Generic (1)
17:44:26.0562 1532 Changer - ok
17:44:26.0593 1532 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
17:44:26.0703 1532 CiSvc - ok
17:44:26.0703 1532 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
17:44:26.0796 1532 ClipSrv - ok
17:44:26.0875 1532 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:44:26.0921 1532 clr_optimization_v2.0.50727_32 - ok
17:44:26.0953 1532 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
17:44:27.0031 1532 CmBatt - ok
17:44:27.0078 1532 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:44:27.0156 1532 CmdIde - ok
17:44:27.0234 1532 cmnsusbser (675d67423980fc1784b93aa47d350a31) C:\WINDOWS\system32\DRIVERS\cmnsusbser.sys
17:44:27.0312 1532 cmnsusbser - ok
17:44:27.0328 1532 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:44:27.0453 1532 Compbatt - ok
17:44:27.0453 1532 COMSysApp - ok
17:44:27.0500 1532 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:44:27.0625 1532 Cpqarray - ok
17:44:27.0781 1532 Credential Vault Host Control Service (9d57165906778c9e5e0ecb34b311564b) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
17:44:27.0828 1532 Credential Vault Host Control Service - ok
17:44:27.0828 1532 Credential Vault Host Storage (e31e97859deee648d5867eadfbdbf25a) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
17:44:27.0843 1532 Credential Vault Host Storage - ok
17:44:27.0890 1532 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
17:44:28.0000 1532 CryptSvc - ok
17:44:28.0031 1532 cvusbdrv (dc6429fbc73b0b0b38cc5386c8a607ed) C:\WINDOWS\system32\Drivers\cvusbdrv.sys
17:44:28.0046 1532 cvusbdrv - ok
17:44:28.0109 1532 d553bus (1b4957f756bcc7e5b23d2b6e84fc3f0e) C:\WINDOWS\system32\DRIVERS\d553bus.sys
17:44:28.0125 1532 d553bus - ok
17:44:28.0187 1532 d553card (7eaa24353b3c5589fc6648d2cb944731) C:\WINDOWS\system32\DRIVERS\d553card.sys
17:44:28.0203 1532 d553card - ok
17:44:28.0250 1532 d553gps (9d16a5902722aaceca7b25fc38caeeb0) C:\WINDOWS\system32\DRIVERS\d553gps.sys
17:44:28.0265 1532 d553gps - ok
17:44:28.0265 1532 d553mdfl (e276c9ad870ce72c9ec3a6d95786b185) C:\WINDOWS\system32\DRIVERS\d553mdfl.sys
17:44:28.0281 1532 d553mdfl - ok
17:44:28.0281 1532 d553mdfl2 (74cb6903cc8d6fa633840b368387aecc) C:\WINDOWS\system32\DRIVERS\d553mdfl2.sys
17:44:28.0281 1532 d553mdfl2 - ok
17:44:28.0312 1532 d553mdm (b7e23cb22df23065bdfd528ca7676666) C:\WINDOWS\system32\DRIVERS\d553mdm.sys
17:44:28.0343 1532 d553mdm - ok
17:44:28.0406 1532 d553mdm2 (38fe8eb16cfda18fc08b5a7b6ddb30f1) C:\WINDOWS\system32\DRIVERS\d553mdm2.sys
17:44:28.0421 1532 d553mdm2 - ok
17:44:28.0421 1532 d553nd5 (bfa2af917c240c5f97b9a2b39f595ee2) C:\WINDOWS\system32\DRIVERS\d553nd5.sys
17:44:28.0437 1532 d553nd5 - ok
17:44:28.0484 1532 d553unic (57c4fa520411a861db4284ebb7c9b1ef) C:\WINDOWS\system32\DRIVERS\d553unic.sys
17:44:28.0500 1532 d553unic - ok
17:44:28.0593 1532 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:44:28.0734 1532 dac2w2k - ok
17:44:28.0750 1532 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:44:28.0859 1532 dac960nt - ok
17:44:28.0921 1532 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:44:29.0015 1532 DcomLaunch - ok
17:44:29.0078 1532 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
17:44:29.0234 1532 Dhcp - ok
17:44:29.0265 1532 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:44:29.0375 1532 Disk - ok
17:44:29.0406 1532 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
17:44:29.0421 1532 DLABMFSM - ok
17:44:29.0421 1532 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
17:44:29.0437 1532 DLABOIOM - ok
17:44:29.0437 1532 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
17:44:29.0453 1532 DLACDBHM - ok
17:44:29.0453 1532 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
17:44:29.0468 1532 DLADResM - ok
17:44:29.0484 1532 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
17:44:29.0500 1532 DLAIFS_M - ok
17:44:29.0500 1532 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
17:44:29.0515 1532 DLAOPIOM - ok
17:44:29.0515 1532 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
17:44:29.0531 1532 DLAPoolM - ok
17:44:29.0531 1532 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
17:44:29.0546 1532 DLARTL_M - ok
17:44:29.0562 1532 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
17:44:29.0578 1532 DLAUDFAM - ok
17:44:29.0578 1532 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
17:44:29.0593 1532 DLAUDF_M - ok
17:44:29.0593 1532 dmadmin - ok
17:44:29.0656 1532 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:44:29.0812 1532 dmboot - ok
17:44:29.0843 1532 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:44:29.0937 1532 dmio - ok
17:44:29.0953 1532 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:44:30.0031 1532 dmload - ok
17:44:30.0062 1532 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
17:44:30.0156 1532 dmserver - ok
17:44:30.0203 1532 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:44:30.0328 1532 DMusic - ok
17:44:30.0343 1532 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
17:44:30.0421 1532 Dnscache - ok
17:44:30.0453 1532 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
17:44:30.0546 1532 Dot3svc - ok
17:44:30.0578 1532 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:44:30.0656 1532 dpti2o - ok
17:44:30.0671 1532 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:44:30.0734 1532 drmkaud - ok
17:44:30.0750 1532 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
17:44:30.0765 1532 DRVMCDB - ok
17:44:30.0765 1532 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
17:44:30.0781 1532 DRVNDDM - ok
17:44:30.0812 1532 e1yexpress (10cbd2b278ce365b41de378632cb5ddb) C:\WINDOWS\system32\DRIVERS\e1y5132.sys
17:44:30.0828 1532 e1yexpress - ok
17:44:30.0875 1532 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:44:30.0953 1532 EapHost - ok
17:44:30.0968 1532 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:44:31.0062 1532 ERSvc - ok
17:44:31.0109 1532 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:44:31.0140 1532 Eventlog - ok
17:44:31.0218 1532 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
17:44:31.0265 1532 EventSystem - ok
17:44:31.0484 1532 EvtEng (87a32636c84555525700e623662e34d9) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
17:44:31.0578 1532 EvtEng ( UnsignedFile.Multi.Generic ) - warning
17:44:31.0578 1532 EvtEng - detected UnsignedFile.Multi.Generic (1)
17:44:31.0687 1532 ewusbnet (9a8dfbcd14a37d3139aacd671a8444a6) C:\WINDOWS\system32\DRIVERS\ewusbnet.sys
17:44:31.0750 1532 ewusbnet - ok
17:44:31.0828 1532 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:44:32.0000 1532 Fastfat - ok
17:44:32.0062 1532 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:44:32.0140 1532 FastUserSwitchingCompatibility - ok
17:44:32.0187 1532 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
17:44:32.0281 1532 Fax - ok
17:44:32.0296 1532 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
17:44:32.0375 1532 Fdc - ok
17:44:32.0375 1532 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:44:32.0453 1532 Fips - ok
17:44:32.0453 1532 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:44:32.0531 1532 Flpydisk - ok
17:44:32.0546 1532 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
17:44:32.0640 1532 FltMgr - ok
17:44:32.0734 1532 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:44:32.0750 1532 FontCache3.0.0.0 - ok
17:44:32.0750 1532 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:44:32.0828 1532 Fs_Rec - ok
17:44:32.0859 1532 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:44:32.0953 1532 Ftdisk - ok
17:44:32.0968 1532 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:44:33.0062 1532 Gpc - ok
17:44:33.0218 1532 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
17:44:33.0218 1532 gupdate - ok
17:44:33.0218 1532 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
17:44:33.0234 1532 gupdatem - ok
17:44:33.0281 1532 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:44:33.0359 1532 HDAudBus - ok
17:44:33.0437 1532 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:44:33.0515 1532 helpsvc - ok
17:44:33.0562 1532 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
17:44:33.0640 1532 HidServ - ok
17:44:33.0656 1532 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:44:33.0781 1532 hidusb - ok
17:44:33.0828 1532 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:44:33.0968 1532 hkmsvc - ok
17:44:34.0031 1532 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
17:44:34.0109 1532 hpn - ok
17:44:34.0171 1532 HSFHWAZL (7290fb97535c317a237d4c73149c7e2c) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
17:44:34.0218 1532 HSFHWAZL - ok
17:44:34.0312 1532 HSF_DPV (f362c0b442337da8ab0608dfaa4ca076) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
17:44:34.0406 1532 HSF_DPV - ok
17:44:34.0437 1532 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
17:44:34.0531 1532 HTTP - ok
17:44:34.0562 1532 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:44:34.0625 1532 HTTPFilter - ok
17:44:34.0671 1532 hwdatacard (93e5d34d95ff9011beed886e3627f442) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
17:44:34.0750 1532 hwdatacard - ok
17:44:34.0812 1532 hwusbfake (922065957563d851b5a68b95aadac6ad) C:\WINDOWS\system32\DRIVERS\ewusbfake.sys
17:44:34.0875 1532 hwusbfake - ok
17:44:34.0906 1532 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
17:44:34.0984 1532 i2omgmt - ok
17:44:35.0046 1532 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:44:35.0109 1532 i2omp - ok
17:44:35.0140 1532 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:44:35.0234 1532 i8042prt - ok
17:44:35.0406 1532 IAANTMON (f148c2e931bfc20397edc0a7b4f8e22b) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
17:44:35.0421 1532 IAANTMON - ok
17:44:35.0937 1532 ialm (4f3139829f1ac202ff0d29c2fd6c15b6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
17:44:36.0406 1532 ialm - ok
17:44:36.0625 1532 iaStor (692830b048aacd7e0d6ededf098acc01) C:\WINDOWS\system32\drivers\iaStor.sys
17:44:36.0656 1532 iaStor - ok
17:44:36.0843 1532 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:44:37.0000 1532 idsvc - ok
17:44:37.0046 1532 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:44:37.0250 1532 Imapi - ok
17:44:37.0328 1532 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
17:44:37.0421 1532 ImapiService - ok
17:44:37.0453 1532 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
17:44:37.0531 1532 ini910u - ok
17:44:37.0578 1532 IntcHdmiAddService (64c301d73db18ebdc8680ca82d82af2d) C:\WINDOWS\system32\drivers\IntcHdmi.sys
17:44:37.0640 1532 IntcHdmiAddService - ok
17:44:37.0640 1532 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:44:37.0718 1532 IntelIde - ok
17:44:37.0750 1532 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:44:37.0828 1532 intelppm - ok
17:44:37.0859 1532 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
17:44:37.0968 1532 Ip6Fw - ok
17:44:38.0000 1532 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:44:38.0093 1532 IpFilterDriver - ok
17:44:38.0125 1532 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:44:38.0203 1532 IpInIp - ok
17:44:38.0218 1532 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:44:38.0312 1532 IpNat - ok
17:44:38.0312 1532 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:44:38.0390 1532 IPSec - ok
17:44:38.0390 1532 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:44:38.0421 1532 IRENUM - ok
17:44:38.0453 1532 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:44:38.0546 1532 isapnp - ok
17:44:38.0734 1532 JavaQuickStarterService (32192b4ebe8720ed8d49a455c962cb91) C:\Program Files\Java\jre6\bin\jqs.exe
17:44:38.0750 1532 JavaQuickStarterService - ok
17:44:38.0796 1532 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:44:38.0875 1532 Kbdclass - ok
17:44:38.0875 1532 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:44:38.0937 1532 kbdhid - ok
17:44:39.0000 1532 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:44:39.0125 1532 kmixer - ok
17:44:39.0156 1532 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
17:44:39.0281 1532 KSecDD - ok
17:44:39.0328 1532 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
17:44:39.0453 1532 LanmanServer - ok
17:44:39.0500 1532 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
17:44:39.0625 1532 lanmanworkstation - ok
17:44:39.0625 1532 lbrtfdc - ok
17:44:39.0656 1532 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
17:44:39.0781 1532 LmHosts - ok
17:44:39.0812 1532 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
17:44:39.0828 1532 mdmxsdk - ok
17:44:39.0859 1532 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
17:44:39.0953 1532 Messenger - ok
17:44:39.0984 1532 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:44:40.0046 1532 mnmdd - ok
17:44:40.0109 1532 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
17:44:40.0171 1532 mnmsrvc - ok
17:44:40.0203 1532 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:44:40.0265 1532 Modem - ok
17:44:40.0312 1532 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:44:40.0390 1532 Mouclass - ok
17:44:40.0406 1532 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:44:40.0500 1532 mouhid - ok
17:44:40.0515 1532 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:44:40.0593 1532 MountMgr - ok
17:44:40.0625 1532 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:44:40.0703 1532 mraid35x - ok
17:44:40.0718 1532 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:44:40.0812 1532 MRxDAV - ok
17:44:40.0875 1532 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:44:40.0953 1532 MRxSmb - ok
17:44:40.0984 1532 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
17:44:41.0062 1532 MSDTC - ok
17:44:41.0062 1532 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:44:41.0156 1532 Msfs - ok
17:44:41.0156 1532 MSIServer - ok
17:44:41.0187 1532 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:44:41.0265 1532 MSKSSRV - ok
17:44:41.0281 1532 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:44:41.0359 1532 MSPCLOCK - ok
17:44:41.0359 1532 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:44:41.0437 1532 MSPQM - ok
17:44:41.0453 1532 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:44:41.0515 1532 mssmbios - ok
17:44:41.0531 1532 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
17:44:41.0609 1532 Mup - ok
17:44:41.0656 1532 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
17:44:41.0765 1532 napagent - ok
17:44:41.0765 1532 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:44:41.0843 1532 NDIS - ok
17:44:41.0875 1532 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:44:41.0937 1532 NdisTapi - ok
17:44:41.0968 1532 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:44:42.0031 1532 Ndisuio - ok
17:44:42.0046 1532 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:44:42.0140 1532 NdisWan - ok
17:44:42.0140 1532 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
17:44:42.0218 1532 NDProxy - ok
17:44:42.0218 1532 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:44:42.0281 1532 NetBIOS - ok
17:44:42.0312 1532 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:44:42.0406 1532 NetBT - ok
17:44:42.0453 1532 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:44:42.0546 1532 NetDDE - ok
17:44:42.0546 1532 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
17:44:42.0609 1532 NetDDEdsdm - ok
17:44:42.0656 1532 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:44:42.0718 1532 Netlogon - ok
17:44:42.0750 1532 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
17:44:42.0843 1532 Netman - ok
17:44:42.0921 1532 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
17:44:42.0953 1532 NetTcpPortSharing - ok
17:44:43.0234 1532 NETw5x32 (a3b69acd14051ae87ab9e1823a508b6d) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
17:44:43.0578 1532 NETw5x32 - ok
17:44:43.0781 1532 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:44:43.0953 1532 NIC1394 - ok
17:44:44.0000 1532 Nla (832e4dd8964ab7acc880b2837cb1ed20) C:\WINDOWS\System32\mswsock.dll
17:44:44.0046 1532 Nla - ok
17:44:44.0078 1532 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:44:44.0156 1532 Npfs - ok
17:44:44.0250 1532 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:44:44.0375 1532 Ntfs - ok
17:44:44.0421 1532 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:44:44.0484 1532 NtLmSsp - ok
17:44:44.0578 1532 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
17:44:44.0703 1532 NtmsSvc - ok
17:44:44.0734 1532 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:44:44.0843 1532 Null - ok
17:44:44.0843 1532 NvtSp50 - ok
17:44:44.0859 1532 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:44:44.0953 1532 NwlnkFlt - ok
17:44:44.0968 1532 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:44:45.0062 1532 NwlnkFwd - ok
17:44:45.0093 1532 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:44:45.0156 1532 ohci1394 - ok
17:44:45.0234 1532 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:44:45.0250 1532 ose - ok
17:44:45.0265 1532 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
17:44:45.0343 1532 Parport - ok
17:44:45.0343 1532 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:44:45.0421 1532 PartMgr - ok
17:44:45.0421 1532 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:44:45.0484 1532 ParVdm - ok
17:44:45.0531 1532 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
17:44:45.0546 1532 PBADRV - ok
17:44:45.0546 1532 PCASp50 - ok
17:44:45.0562 1532 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:44:45.0640 1532 PCI - ok
17:44:45.0656 1532 PCIDump - ok
17:44:45.0671 1532 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:44:45.0734 1532 PCIIde - ok
17:44:45.0750 1532 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
17:44:45.0828 1532 Pcmcia - ok
17:44:45.0828 1532 PDCOMP - ok
17:44:45.0828 1532 PDFRAME - ok
17:44:45.0828 1532 PDRELI - ok
17:44:45.0828 1532 PDRFRAME - ok
17:44:45.0859 1532 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
17:44:45.0921 1532 perc2 - ok
17:44:45.0937 1532 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:44:46.0000 1532 perc2hib - ok
17:44:46.0031 1532 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:44:46.0031 1532 PlugPlay - ok
17:44:46.0031 1532 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:44:46.0109 1532 PolicyAgent - ok
17:44:46.0125 1532 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:44:46.0218 1532 PptpMiniport - ok
17:44:46.0218 1532 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:44:46.0281 1532 ProtectedStorage - ok
17:44:46.0296 1532 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:44:46.0359 1532 PSched - ok
17:44:46.0375 1532 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:44:46.0437 1532 Ptilink - ok
17:44:46.0453 1532 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:44:46.0468 1532 PxHelp20 - ok
17:44:46.0484 1532 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:44:46.0562 1532 ql1080 - ok
17:44:46.0578 1532 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:44:46.0671 1532 Ql10wnt - ok
17:44:46.0687 1532 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:44:46.0750 1532 ql12160 - ok
17:44:46.0765 1532 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:44:46.0843 1532 ql1240 - ok
17:44:46.0859 1532 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:44:46.0937 1532 ql1280 - ok
17:44:46.0953 1532 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:44:47.0015 1532 RasAcd - ok
17:44:47.0078 1532 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
17:44:47.0156 1532 RasAuto - ok
17:44:47.0187 1532 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:44:47.0281 1532 Rasl2tp - ok
17:44:47.0312 1532 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
17:44:47.0390 1532 RasMan - ok
17:44:47.0406 1532 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:44:47.0468 1532 RasPppoe - ok
17:44:47.0500 1532 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:44:47.0578 1532 Raspti - ok
17:44:47.0609 1532 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:44:47.0671 1532 Rdbss - ok
17:44:47.0687 1532 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:44:47.0750 1532 RDPCDD - ok
17:44:47.0781 1532 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:44:47.0859 1532 rdpdr - ok
17:44:47.0890 1532 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
17:44:47.0984 1532 RDPWD - ok
17:44:48.0015 1532 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
17:44:48.0093 1532 RDSessMgr - ok
17:44:48.0125 1532 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:44:48.0187 1532 redbook - ok
17:44:48.0312 1532 RegSrvc (d1875727d04eae948f139022dcad3d47) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
17:44:48.0328 1532 RegSrvc ( UnsignedFile.Multi.Generic ) - warning
17:44:48.0328 1532 RegSrvc - detected UnsignedFile.Multi.Generic (1)
17:44:48.0437 1532 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
17:44:48.0515 1532 RemoteAccess - ok
17:44:48.0531 1532 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
17:44:48.0625 1532 RemoteRegistry - ok
17:44:48.0656 1532 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
17:44:48.0687 1532 rimmptsk - ok
17:44:48.0734 1532 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
17:44:48.0828 1532 RpcLocator - ok
17:44:48.0875 1532 Rpcnet (3297445bb9fd3e8363e7559010ed2ae7) C:\WINDOWS\system32\rpcnet.exe
17:44:48.0890 1532 Rpcnet - ok
17:44:48.0953 1532 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:44:48.0968 1532 RpcSs - ok
17:44:49.0015 1532 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
17:44:49.0140 1532 RSVP - ok
17:44:49.0343 1532 S24EventMonitor (8b4459365c254196f498a3cbc2898dbb) C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
17:44:49.0421 1532 S24EventMonitor ( UnsignedFile.Multi.Generic ) - warning
17:44:49.0421 1532 S24EventMonitor - detected UnsignedFile.Multi.Generic (1)
17:44:49.0515 1532 s24trans (87940243ea2ad3ebe274f5409c5e9072) C:\WINDOWS\system32\DRIVERS\s24trans.sys
17:44:49.0546 1532 s24trans ( UnsignedFile.Multi.Generic ) - warning
17:44:49.0546 1532 s24trans - detected UnsignedFile.Multi.Generic (1)
17:44:49.0578 1532 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
17:44:49.0640 1532 SamSs - ok
17:44:49.0671 1532 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
17:44:49.0859 1532 SCardSvr - ok
17:44:49.0906 1532 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
17:44:49.0984 1532 Schedule - ok
17:44:50.0031 1532 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
17:44:50.0125 1532 sdbus - ok
17:44:50.0171 1532 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:44:50.0203 1532 Secdrv - ok
17:44:50.0218 1532 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
17:44:50.0296 1532 seclogon - ok
17:44:50.0296 1532 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
17:44:50.0375 1532 SENS - ok
17:44:50.0406 1532 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:44:50.0500 1532 Serenum - ok
17:44:50.0515 1532 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:44:50.0625 1532 Serial - ok
17:44:50.0640 1532 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:44:50.0734 1532 Sfloppy - ok
17:44:50.0796 1532 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
17:44:50.0906 1532 SharedAccess - ok
17:44:50.0968 1532 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:44:51.0062 1532 ShellHWDetection - ok
17:44:51.0062 1532 Simbad - ok
17:44:51.0109 1532 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:44:51.0218 1532 sisagp - ok
17:44:51.0265 1532 Sony_EricssonWWSC (9d0e9f3d67d2260d6b146977276068d0) C:\WINDOWS\system32\DRIVERS\d553scard.sys
17:44:51.0265 1532 Sony_EricssonWWSC - ok
17:44:51.0296 1532 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:44:51.0359 1532 Sparrow - ok
17:44:51.0406 1532 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:44:51.0531 1532 splitter - ok
17:44:51.0546 1532 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
17:44:51.0671 1532 Spooler - ok
17:44:51.0687 1532 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:44:51.0750 1532 sr - ok
17:44:51.0781 1532 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
17:44:51.0859 1532 srservice - ok
17:44:51.0890 1532 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
17:44:51.0968 1532 Srv - ok
17:44:52.0000 1532 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
17:44:52.0062 1532 SSDPSRV - ok
17:44:52.0140 1532 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
17:44:52.0156 1532 ssmdrv - ok
17:44:52.0218 1532 STacSV (cb2449150a5ea17caa0b94363d9440cc) c:\drivers\audio\r205445\stacsv.exe
17:44:52.0265 1532 STacSV - ok
17:44:52.0468 1532 STHDA (886c708c91db573656d64c626468d707) C:\WINDOWS\system32\drivers\sthda.sys
17:44:52.0546 1532 STHDA - ok
17:44:52.0625 1532 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
17:44:52.0734 1532 stisvc - ok
17:44:52.0812 1532 stllssvr (de3e7a2345ebaa3ce8e6957dfb55fb15) C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
17:44:52.0828 1532 stllssvr ( UnsignedFile.Multi.Generic ) - warning
17:44:52.0828 1532 stllssvr - detected UnsignedFile.Multi.Generic (1)
17:44:52.0921 1532 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:44:52.0984 1532 swenum - ok
17:44:53.0031 1532 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:44:53.0125 1532 swmidi - ok
17:44:53.0125 1532 SwPrv - ok
17:44:53.0171 1532 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:44:53.0234 1532 symc810 - ok
17:44:53.0250 1532 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:44:53.0328 1532 symc8xx - ok
17:44:53.0343 1532 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:44:53.0421 1532 sym_hi - ok
17:44:53.0421 1532 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:44:53.0484 1532 sym_u3 - ok
17:44:53.0531 1532 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:44:53.0609 1532 sysaudio - ok
17:44:53.0640 1532 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
17:44:53.0718 1532 SysmonLog - ok
17:44:53.0765 1532 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
17:44:53.0843 1532 TapiSrv - ok
17:44:53.0890 1532 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:44:53.0937 1532 Tcpip - ok
17:44:53.0984 1532 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:44:54.0046 1532 TDPIPE - ok
17:44:54.0093 1532 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:44:54.0156 1532 TDTCP - ok
17:44:54.0187 1532 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:44:54.0250 1532 TermDD - ok
17:44:54.0281 1532 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
17:44:54.0375 1532 TermService - ok
17:44:54.0421 1532 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
17:44:54.0484 1532 Themes - ok
17:44:54.0515 1532 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
17:44:54.0578 1532 TlntSvr - ok
17:44:54.0609 1532 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
17:44:54.0671 1532 TosIde - ok
17:44:54.0703 1532 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
17:44:54.0781 1532 TrkWks - ok
17:44:54.0796 1532 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:44:54.0890 1532 Udfs - ok
17:44:54.0921 1532 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
17:44:54.0968 1532 ultra - ok
17:44:55.0031 1532 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:44:55.0125 1532 Update - ok
17:44:55.0156 1532 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
17:44:55.0203 1532 upnphost - ok
17:44:55.0203 1532 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
17:44:55.0281 1532 UPS - ok
17:44:55.0343 1532 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:44:55.0359 1532 usbccgp - ok
17:44:55.0421 1532 USBCCID (150442fa5224dc338028543e2fffa7b4) C:\WINDOWS\system32\DRIVERS\usbccid.sys
17:44:55.0421 1532 USBCCID - ok
17:44:55.0437 1532 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:44:55.0531 1532 usbehci - ok
17:44:55.0546 1532 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:44:55.0609 1532 usbhub - ok
17:44:55.0656 1532 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:44:55.0734 1532 usbprint - ok
17:44:55.0781 1532 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:44:55.0890 1532 USBSTOR - ok
17:44:55.0921 1532 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:44:56.0015 1532 usbuhci - ok
17:44:56.0015 1532 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:44:56.0109 1532 VgaSave - ok
17:44:56.0187 1532 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:44:56.0281 1532 viaagp - ok
17:44:56.0312 1532 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:44:56.0406 1532 ViaIde - ok
17:44:56.0546 1532 VmbService (184f8f8c967a8455b0397944e864bae0) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
17:44:56.0546 1532 VmbService ( UnsignedFile.Multi.Generic ) - warning
17:44:56.0546 1532 VmbService - detected UnsignedFile.Multi.Generic (1)
17:44:56.0562 1532 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:44:56.0671 1532 VolSnap - ok
17:44:56.0750 1532 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
17:44:56.0812 1532 VSS - ok
17:44:56.0843 1532 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
17:44:56.0968 1532 w32time - ok
17:44:57.0000 1532 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:44:57.0078 1532 Wanarp - ok
17:44:57.0156 1532 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
17:44:57.0187 1532 Wdf01000 - ok
17:44:57.0187 1532 WDICA - ok
17:44:57.0250 1532 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:44:57.0343 1532 wdmaud - ok
17:44:57.0390 1532 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
17:44:57.0468 1532 WebClient - ok
17:44:57.0562 1532 winachsf (92ce6497076eac3083185c44157b3a46) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
17:44:57.0609 1532 winachsf - ok
17:44:57.0734 1532 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
17:44:57.0812 1532 winmgmt - ok
17:44:57.0859 1532 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll
17:44:57.0937 1532 WmdmPmSN - ok
17:44:58.0015 1532 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
17:44:58.0031 1532 Wmi - ok
17:44:58.0140 1532 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
17:44:58.0203 1532 WmiAcpi - ok
17:44:58.0265 1532 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
17:44:58.0343 1532 WmiApSrv - ok
17:44:58.0375 1532 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
17:44:58.0453 1532 wscsvc - ok
17:44:58.0500 1532 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
17:44:58.0562 1532 wuauserv - ok
17:44:58.0593 1532 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
17:44:58.0687 1532 WZCSVC - ok
17:44:58.0703 1532 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
17:44:58.0781 1532 xmlprov - ok
17:44:58.0828 1532 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
17:44:59.0328 1532 \Device\Harddisk0\DR0 - ok
17:44:59.0328 1532 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR5
17:44:59.0906 1532 \Device\Harddisk1\DR5 - ok
17:44:59.0906 1532 Boot (0x1200) (d4aa1427426be4d63e57c9925208e842) \Device\Harddisk0\DR0\Partition0
17:44:59.0906 1532 \Device\Harddisk0\DR0\Partition0 - ok
17:44:59.0906 1532 Boot (0x1200) (57b9302739139f67b6fddb26d00ae863) \Device\Harddisk1\DR5\Partition0
17:44:59.0906 1532 \Device\Harddisk1\DR5\Partition0 - ok
17:44:59.0906 1532 ============================================================
17:44:59.0906 1532 Scan finished
17:44:59.0906 1532 ============================================================
17:45:00.0015 2032 Detected object count: 7
17:45:00.0015 2032 Actual detected object count: 7
17:45:26.0671 2032 Change Modem Device Service ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0671 2032 Change Modem Device Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0671 2032 EvtEng ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0671 2032 EvtEng ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0687 2032 RegSrvc ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0687 2032 RegSrvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0687 2032 S24EventMonitor ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0687 2032 S24EventMonitor ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0687 2032 s24trans ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0687 2032 s24trans ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0687 2032 stllssvr ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0687 2032 stllssvr ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:45:26.0687 2032 VmbService ( UnsignedFile.Multi.Generic ) - skipped by user
17:45:26.0687 2032 VmbService ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:47:47.0781 2868 Deinitialize success
-
OK, but what about the warning at the end of the DDS log?
(Warning: possible TDL3 rootkit infection !)
-
Yes, those settings are OK. The proxy server is not currently in use, but should remain there when he needs to connect through it. I'm currently online on the machine without any problems.
-
Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.31.04
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: EXTENSIONREC136 [administrator]
2012/07/31 02:27:06 PM
mbam-log-2012-07-31 (14-27-06).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218253
Time elapsed: 19 minute(s), 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 8
HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 15:05:28 on 2012-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2825 [GMT 2:00]
.
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ChgService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://agriculture.kzntl.gov.za/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.kzntl.gov.za:3128
uInternet Settings,ProxyOverride = *.KZNTL.GOV.ZA; 10.200.188.*;<local>
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PMX Daemon] ICO.EXE
mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
mRun: [MobileBroadband] c:\program files\vodafone\vodafone mobile broadband\bin\MobileBroadband.exe /silent
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mExplorerRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241690082484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: Interfaces\{12EEDB33-EBF2-456A-9C3B-36CD89EFE58B} : NameServer = 196.43.1.11,196.25.1.11
TCP: Interfaces\{5B852397-714C-400B-85EC-DEFB87AD21CA} : NameServer = 196.43.1.11,196.25.1.11
Notify: igfxcui - igfxdev.dll
mASetup: {6FF1DCAB-A6BA-468D-A7AC-CFEBDECB9BCA} - c:\documents and settings\user\application data\javainst.exe
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-7-30 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-7-30 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-7-30 110032]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-7-30 83392]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011-10-14 135168]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\vodafone\vodafone mobile broadband\bin\VmbService.exe [2010-9-8 8704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-10 112128]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-2-10 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-10 32808]
R3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\drivers\d553bus.sys [2009-2-10 300672]
R3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\drivers\d553card.sys [2009-2-10 378368]
R3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\d553gps.sys [2009-2-10 76328]
R3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\d553mdfl.sys [2009-2-10 14976]
R3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\drivers\d553mdfl2.sys [2009-2-10 14976]
R3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\d553mdm.sys [2009-2-10 387200]
R3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\drivers\d553mdm2.sys [2009-2-10 431616]
R3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\drivers\d553nd5.sys [2009-2-10 25984]
R3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\drivers\d553unic.sys [2009-2-10 402944]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-10 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-10 110080]
R3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\d553scard.sys [2009-2-10 25640]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011-10-14 103424]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-8-2 114432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2011-8-2 100736]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
.
=============== Created Last 30 ================
.
2012-07-31 05:43:14 -------- d-----w- c:\windows\system32\NtmsData
2012-07-30 11:19:36 -------- d-----w- c:\documents and settings\user\application data\Avira
2012-07-30 11:19:08 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-30 11:19:08 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-30 11:19:08 -------- d-----w- c:\program files\Avira
2012-07-30 11:19:08 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-07-30 10:37:13 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-07-30 10:37:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-30 10:37:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-30 10:37:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-18 14:10:39 -------- d-----w- c:\documents and settings\user\application data\tazebama
2012-07-01 17:24:08 -------- d-sh--r- c:\documents and settings\user\local settings\application data\Start
.
==================== Find3M ====================
.
2012-07-31 12:56:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-31 12:56:38 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-31 08:09:11 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-30 15:48:43 143360 ----a-w- c:\windows\system32\igfxtray.exe
2012-07-30 11:21:57 471040 ----a-w- c:\windows\system32\AESTFltr.exe
2012-07-30 11:21:53 178712 ----a-w- c:\windows\system32\hkcmd.exe
2012-07-30 11:21:52 150040 ----a-w- c:\windows\system32\igfxpers.exe
2012-07-30 11:21:48 49152 ----a-w- c:\windows\system32\ico.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD12 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xBA0F8000]<< >>UNKNOWN [0xBA0E8000]<< >>UNKNOWN [0xB9E35000]<< >>UNKNOWN [0x806E4000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC2C478]
\Driver\Disk[0x8B26E190] -> IRP_MJ_CREATE -> 0xBA0FEBB0
3 [0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-1[0x8B238028]
\Driver\iaStor[0x8B2BB8A8] -> IRP_MJ_CREATE -> 0xB9E76ED4
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:05:56.12 ===============
-
Thanks yes, let's close this!

-
John, I hope you're getting paid for working on these

If only I could get paid for this!
- there's another one waiting for me with some very nasties on it (attacked my flash drive and all the AV software on it!)
-
Somehow I thought that I was not supposed to remove any malware after submitting the DDS log. I'm currently scanning with MBAM again and will opt to remove them. Should I submit anything (log) after that?
-
Thanks, but I'm using XP - the desktop.ini file actually opens (even if the "Hide hidden system files" are checked). However, I think I solved it - the desktop.ini file was in the individual user's startup folders. Deleting them there seems to do the job!

Thanks again for helping me!
-
Hi,
A friend came to me with his laptop with no icons appearing on the desktop. I managed to get them back by running explorer.exe via taskmanager, but suspected some malware infections as his anti-virus protection was outdated. I installed the Avira Free scanner, which detected thousands of files infected with W32/Sality.AT. A number of other trojans were also detected. After numerous reboot and re-scan attempts, and also a scan with MBAM, I still get the W32/Sality.AT virus as well as some other trojans like TR/Agent2, TR/Patched, TR/Crypt.XPACK and TR/Crypt.ZPACK.
Furthermore, a small AutoIt Error window pops up every time after a re-start with the message "Unable to open the script file".
Here are the DDS logs as well as the MBAM log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 11:18:26 on 2012-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2902 [GMT 2:00]
.
AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r205445\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ChgService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://agriculture.kzntl.gov.za/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.kzntl.gov.za:3128
uInternet Settings,ProxyOverride = *.KZNTL.GOV.ZA; 10.200.188.*;<local>
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PMX Daemon] ICO.EXE
mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
mRun: [MobileBroadband] c:\program files\vodafone\vodafone mobile broadband\bin\MobileBroadband.exe /silent
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mExplorerRun: [WinApps] c:\documents and settings\user\application data\javainst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241690082484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: Interfaces\{12EEDB33-EBF2-456A-9C3B-36CD89EFE58B} : NameServer = 196.43.1.11,196.25.1.11
TCP: Interfaces\{5B852397-714C-400B-85EC-DEFB87AD21CA} : NameServer = 196.43.1.11,196.25.1.11
Notify: igfxcui - igfxdev.dll
mASetup: {6FF1DCAB-A6BA-468D-A7AC-CFEBDECB9BCA} - c:\documents and settings\user\application data\javainst.exe
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-7-30 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-7-30 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-7-30 110032]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-7-30 74640]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011-10-14 135168]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\vodafone\vodafone mobile broadband\bin\VmbService.exe [2010-9-8 8704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-10 112128]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-2-10 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-10 32808]
R3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\drivers\d553bus.sys [2009-2-10 300672]
R3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\drivers\d553card.sys [2009-2-10 378368]
R3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\d553gps.sys [2009-2-10 76328]
R3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\d553mdfl.sys [2009-2-10 14976]
R3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\drivers\d553mdfl2.sys [2009-2-10 14976]
R3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\d553mdm.sys [2009-2-10 387200]
R3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\drivers\d553mdm2.sys [2009-2-10 431616]
R3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\drivers\d553nd5.sys [2009-2-10 25984]
R3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\drivers\d553unic.sys [2009-2-10 402944]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-10 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-10 110080]
R3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\d553scard.sys [2009-2-10 25640]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\gnmoh.sys --> c:\windows\system32\drivers\gnmoh.sys [?]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011-10-14 103424]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-8-2 114432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2011-8-2 100736]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
.
=============== Created Last 30 ================
.
2012-07-31 05:43:14 -------- d-----w- c:\windows\system32\NtmsData
2012-07-30 11:19:36 -------- d-----w- c:\documents and settings\user\application data\Avira
2012-07-30 11:19:08 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-30 11:19:08 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-30 11:19:08 -------- d-----w- c:\program files\Avira
2012-07-30 11:19:08 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-07-30 10:37:13 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-07-30 10:37:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-30 10:37:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-30 10:37:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-18 14:10:39 -------- d-----w- c:\documents and settings\user\application data\tazebama
2012-07-01 17:24:08 -------- d-sh--r- c:\documents and settings\user\local settings\application data\Start
.
==================== Find3M ====================
.
2012-07-31 08:51:00 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-07-31 08:50:58 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-07-31 08:09:11 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2012-07-30 15:48:43 143360 ----a-w- c:\windows\system32\igfxtray.exe
2012-07-30 11:21:57 471040 ----a-w- c:\windows\system32\AESTFltr.exe
2012-07-30 11:21:53 178712 ----a-w- c:\windows\system32\hkcmd.exe
2012-07-30 11:21:52 150040 ----a-w- c:\windows\system32\igfxpers.exe
2012-07-30 11:21:48 49152 ----a-w- c:\windows\system32\ico.exe
.
============= FINISH: 11:18:50.71 ===============
Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2009/02/27 05:27:27 PM
System Uptime: 2012/07/31 10:50:19 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0GY027
Processor: Intel® Core2 Duo CPU P8400 @ 2.26GHz | Microprocessor | 2260/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 89.22 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
All Day Battery Life Configuration
Autorun Eater v2.5
Avira Free Antivirus
BioAPI Framework
Broadcom USH Host Components
BRU Report Writer version 9
Computer Basics
Computer Security and Privacy
Conexant HDA D330 MDC V.92 Modem
Dell 5530 Wireless Broadband Package
Dell Resource CD
Dell Security Device Driver Pack
Dell Touchpad
Digital Lifestyles
Digital Line Detect
Ericsson Wireless Manager
ESRI MapObjects 2 Runtime
Google Earth Plug-in
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB945436)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® Network Connections 13.0.42.0
Intel® PRO Alerting Agent
Intel® PROSet/Wireless WiFi API
Intel® PROSet/Wireless WiFi Driver
Intel® Matrix Storage Manager
Java 6 Update 11
Java 6 Update 7
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Baseline Security Analyzer 2.1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Modem Diagnostic Tool
Mouse Suite for Laptop Computers
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NetWaiting
NICI (Shared) U.S./Worldwide (128 bit) (2.7.4-1)
PowerDVD
Productivity Programs
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Sonic CinePlayer Decoder Pack
The Internet and the World Wide Web
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VKOM 301USB version 5.458
Vodafone Mobile Broadband Lite
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows NT Messaging
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
2012/07/30 12:54:02 PM, error: PlugPlayManager [11] - The device Root\LEGACY_AMSINT32\0000 disappeared from the system without first being prepared for removal.
2012/07/30 11:35:56 AM, error: SCardSvr [610] - Smart Card Reader 'Broadcom Corp Contacted SmartCard 0' rejected IOCTL GET_STATE: The device has been removed.
2012/07/30 10:10:03 PM, error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 303 (0x12F).
2012/07/30 10:09:43 PM, error: ACPI [43] - The system sleep operation failed
2012/07/30 01:25:51 PM, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 3 time(s).
2012/07/30 01:25:38 PM, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2012/07/30 01:25:28 PM, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2012/07/24 04:34:42 PM, error: Dhcp [1002] - The IP address lease 41.8.139.236 for the Network Card with network address 001E101F0815 has been denied by the DHCP server 41.9.76.109 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
MBAM Log:
Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.31.04
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: EXTENSIONREC136 [administrator]
2012/07/31 12:27:25 PM
mbam-log-2012-07-31 (12-50-53).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218584
Time elapsed: 4 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 8
HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\FunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> No action taken.
HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
I'm sure some clever person will be able to help me here! Thanks in advance!
Johan
-
Sorry to open this thread again, but some new irritation came up...

I created another user profile on this machine. Now, whenever I log in under the new username, a text file pops up in notepad with the following text:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\sytem32\Shell32.dll, -21787
I have deleted the desktop.ini file in C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\All Users\Start Menu\Programs, (as indicated on the Microsoft Support site), but it doesn't help.
-
Success!!

It wasn't easy - I first tried downloading the free tool (RRT), but the link took me to a download site for something else called CaSIR which seemed as if it would fix every registry entry damaged by the malware and more (sounds too good to be true!). I downloaded it, but AVG reported a trojan horse in the exe file.
I also scanned it with Avira which reported that it is clean, but I decided not to take any chances. Then I downloaded the registry file and installed it, but that did not solve my problem.
Finally I tried to fix the registry manually, but was also not successful.
Then I compared the registry entries with those on my other PC and changed values accordingly - voilà!!
Under HideFileExt the CheckedValue should be = 1 and the UncheckedValue = 0
Under SuperHidden the CheckedValue should be = 0 and the UncheckedValue = 1
I can still not boot in Safe Mode and I suspect ComboFix will still not run, but at this stage I don't think there's any reason to try and solve either?
It would be interesting to know though if CaSIR is as useful as it claims to be or if it is indeed some trojan carrier?
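One way to audit the Folder Options template values named above against the known-good defaults, as an added example that is not part of the original post (it assumes the standard Windows XP key paths under Explorer\Advanced and an elevated PowerShell session):

```powershell
# Added example (not from the original post): report drift in the Explorer
# "Folder Options" registry values that keep being flipped in this thread.
# Read-only unless -Repair is given.
param([switch]$Repair)

# Known-good template values, as found by comparing against a clean XP machine:
# HideFileExt Checked=1/Unchecked=0, SuperHidden Checked=0/Unchecked=1.
# Hidden\SHOWALL is the "Show hidden files and folders" radio button (Checked=1).
$template = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$expectedTemplate = @{
    'HideFileExt'    = @{ CheckedValue = 1; UncheckedValue = 0 }
    'SuperHidden'    = @{ CheckedValue = 0; UncheckedValue = 1 }
    'Hidden\SHOWALL' = @{ CheckedValue = 1 }
}

# Per-user settings the poster wants in effect: show hidden files (Hidden=1),
# show extensions (HideFileExt=0), show protected OS files (ShowSuperHidden=1).
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$expectedUser = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }

$drift = @()

function Test-Values($key, $wanted) {
    if (-not (Test-Path $key)) { $script:drift += "$key missing"; return }
    $item = Get-ItemProperty -Path $key
    foreach ($name in $wanted.Keys) {
        $want = $wanted[$name]
        $have = $item.$name          # $null if the value is absent
        if ($have -ne $want) {
            $script:drift += "$key\$name = $have (expected $want)"
            if ($Repair) { Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord }
        }
    }
}

foreach ($sub in $expectedTemplate.Keys) {
    Test-Values (Join-Path $template $sub) $expectedTemplate[$sub]
}
Test-Values $userKey $expectedUser

if ($drift.Count -eq 0) { 'Folder Options values match known-good defaults.' }
else { $drift | ForEach-Object { "TAMPERED: $_" } }
```

If the same values show up as tampered again a minute after running with -Repair, something still running on the machine is rewriting them, which is the symptom described earlier in this thread.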
-
I've got a feeling that this is going to work!!
Will report back tomorrow (bed-time now!)...
-
No, I just click Apply at the bottom, but it is actually applied to all folders (when I do it on my other XP computer).
-
No, I think you misunderstood me there - when exploring a folder or drive, I wish to see hidden files and folders as well as the file extensions. This option is set by deselecting the two options under the Advanced settings on the View tab of the folder options. Hidden files will then display as dimmed/greyed icons, but can still be opened.
My problem is that when I remove the two ticks and click apply and close the folder options window, the two options are ticked again when I re-open the Folder Options (on the specific PC we are working on).
(To un-hide the affected files and folders, I use the attrib command, but this is not the issue now.)
-
Yes, for sure!
I fairly often work with external/flash drives of other people and quite often these are infected with worms like WORM/Agent.xxxxxx or W32/xxxxxx which hide folders as system files and then place their own executable file there with the same name as that of the folder and the folder icon in an attempt to trick one into double-clicking the exe file. If the extension is not hidden and system files are shown, it is much easier to see that there is a problem.
The fact that these two folder option settings are automatically switched back on after I have switched them off is the biggest reason for my suspicion of the presence of malware.
-
OK, file extensions and hidden OS files are still being hidden.
-
I haven't done anything, but internet access is back.
-
The options to hide file extensions and protected operating system files keep being selected and ComboFix still shows no progress. I have also lost the internet connection now.
-
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== FILES ==========
File\Folder c:\windows\007493_.tmp not found.
File\Folder c:\windows\system32\SET2E8.tmp not found.
File\Folder c:\windows\006137_.tmp not found.
========== COMMANDS ==========
[EMPTYFLASH]
User: All Users
User: B.T.J. Mkhize
User: D.K. Gumbi
User: Default User
User: Guest
User: LocalService
User: M.G. Ntshangase
User: M.T. Xulu
User: N.P. Mathe
User: NetworkService
User: R.A. Cele
User: T.H. Ngcobo
->Flash cache emptied: 379 bytes
User: T.M. Mvelase
User: X.L. Sithole
Total Flash Files Cleaned = 0.00 mb
[EMPTYTEMP]
User: All Users
User: B.T.J. Mkhize
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: D.K. Gumbi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: M.G. Ntshangase
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: M.T. Xulu
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: N.P. Mathe
->Temp folder emptied: 162 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: R.A. Cele
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: T.H. Ngcobo
->Temp folder emptied: 429445 bytes
->Temporary Internet Files folder emptied: 1260472 bytes
->FireFox cache emptied: 62393611 bytes
->Google Chrome cache emptied: 819568 bytes
->Flash cache emptied: 0 bytes
User: T.M. Mvelase
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: X.L. Sithole
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119318 bytes
%systemroot%\System32 .tmp files removed: 45355601 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 675 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 37343 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 106.00 mb
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
OTL by OldTimer - Version 3.2.54.1 log created on 07262012_094917
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
-
Extras.txt:
OTL Extras logfile created on: 2012/07/25 02:25:16 PM - Run 1
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\T.H. Ngcobo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd
494.73 Mb Total Physical Memory | 283.39 Mb Available Physical Memory | 57.28% Memory free
1.40 Gb Paging File | 1.01 Gb Available in Paging File | 71.90% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 25.55 Gb Free Space | 68.56% Space Free | Partition Type: NTFS
Computer Name: VRYHEID-LM | User Name: T.H. Ngcobo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- Reg Error: Key error.
scrfile [install] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Parental Control\ParentalControl.exe" = C:\Program Files\Parental Control\ParentalControl.exe:*:Enabled:Crawler Parental Control -- (Crawler.com)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{29F15D3F-5B37-44DB-BB89-390B3AD1404E}" = IEEE 802.11g Wireless Cardbus/PCI Adapter
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012
"{7029D123-6CF0-4414-A3B2-4B3B99B21E59}" = e-Sword
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91F93C15-D326-4B19-9DB5-1DC78634397C}" = newBruReports
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B143D835-EBAF-4A39-8B31-1868FF4166C1}" = AVG 2012
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"ArcExplorer Java Edition" = ArcExplorer Java Edition
"AVG" = AVG 2012
"Brother HL-5150D" = Brother HL-5150D
"ESET Online Scanner" = ESET Online Scanner v3
"HijackThis" = HijackThis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{29F15D3F-5B37-44DB-BB89-390B3AD1404E}" = IEEE 802.11g Wireless Cardbus/PCI Adapter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Parental Control" = Crawler Parental Control
"PROSet" = Intel® PRO Network Adapters and Drivers
"VKOM 301USB Normal Version_is1" = VKOM 301USB version 5.458
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 2009/01/08 09:33:01 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 2009/01/08 11:35:16 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 2009/02/02 07:45:19 AM | Computer Name = VRYHEID-LM | Source = Application Error | ID = 1000
Description = Faulting application ctoolbar.exe, version 4.5.0.222, faulting module
ctoolbar.exe, version 4.5.0.222, fault address 0x0001ac44.
Error - 2009/02/05 05:46:33 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 2009/02/16 03:17:10 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application EXCEL.EXE, version 11.0.5612.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 2009/02/26 08:12:48 AM | Computer Name = VRYHEID-LM | Source = Application Error | ID = 1000
Description = Faulting application BRSVC01A.EXE, version 1.0.0.4, faulting module
unknown, version 0.0.0.0, fault address 0x0012e824.
Error - 2009/02/26 09:00:59 AM | Computer Name = VRYHEID-LM | Source = Application Error | ID = 1000
Description = Faulting application BRSVC01A.EXE, version 1.0.0.4, faulting module
unknown, version 0.0.0.0, fault address 0x0012e824.
Error - 2009/02/26 09:19:45 AM | Computer Name = VRYHEID-LM | Source = Application Error | ID = 1000
Description = Faulting application BRSVC01A.EXE, version 1.0.0.4, faulting module
unknown, version 0.0.0.0, fault address 0x0012e824.
Error - 2009/04/06 04:40:29 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 2009/04/06 07:15:57 AM | Computer Name = VRYHEID-LM | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 2012/07/24 08:17:02 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document:
1. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 2 (0x2).
Error - 2012/07/24 08:17:04 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 259 (0x103).
Error - 2012/07/24 08:18:01 AM | Computer Name = VRYHEID-LM | Source = Service Control Manager | ID = 7016
Description = The BrSplService service has reported an invalid current state 0.
Error - 2012/07/24 09:35:16 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document:
1. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 2 (0x2).
Error - 2012/07/24 09:35:18 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 259 (0x103).
Error - 2012/07/25 02:27:42 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document:
1. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 2 (0x2).
Error - 2012/07/25 02:27:44 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 259 (0x103).
Error - 2012/07/25 03:20:29 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 196608. Number of bytes printed: 0. Total number of pages in the document:
1. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 2 (0x2).
Error - 2012/07/25 03:20:31 AM | Computer Name = VRYHEID-LM | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.
Error - 2012/07/25 03:20:31 AM | Computer Name = VRYHEID-LM | Source = Print | ID = 6161
Description = The document Test Page owned by T.H. Ngcobo failed to print on printer
Brother HL-5070N series (Copy 1). Data type: NT EMF 1.008. Size of the spool file
in bytes: 0. Number of bytes printed: 0. Total number of pages in the document:
0. Number of pages printed: 0. Client machine: \\VRYHEID-LM. Win32 error code returned
by the print processor: 259 (0x103).
< End of report >
-
OTL.txt:
OTL logfile created on: 2012/07/25 02:25:16 PM - Run 1
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\T.H. Ngcobo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd
494.73 Mb Total Physical Memory | 283.39 Mb Available Physical Memory | 57.28% Memory free
1.40 Gb Paging File | 1.01 Gb Available in Paging File | 71.90% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 25.55 Gb Free Space | 68.56% Space Free | Partition Type: NTFS
Computer Name: VRYHEID-LM | User Name: T.H. Ngcobo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\T.H. Ngcobo\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\system32\ChgService.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Parental Control\ParentalControl.exe (Crawler.com)
PRC - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe ()
========== Modules (No Company Name) ==========
MOD - C:\WINDOWS\system32\ChgService.exe ()
MOD - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanDll.dll ()
MOD - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe ()
========== Win32 Services (SafeList) ==========
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (Change Modem Device Service) -- C:\WINDOWS\system32\ChgService.exe ()
========== Driver Services (SafeList) ==========
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\DOCUME~1\TH7BB1~1.NGC\LOCALS~1\Temp\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (cmnsusbser) -- C:\WINDOWS\system32\drivers\cmnsusbser.sys (Mobile Connector)
DRV - (W8335XP) -- C:\WINDOWS\system32\drivers\Mrv8000c.sys (Marvell Semiconductor, Inc)
DRV - (SMBios) -- C:\WINDOWS\system32\drivers\SMBios.sys (Intel Corporation)
DRV - (sf) -- C:\WINDOWS\system32\drivers\sf.sys (Sonic Focus, Inc)
DRV - (BrPar) -- C:\WINDOWS\system32\drivers\BRPAR.SYS (Brother Industries Ltd.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:3128
========== FireFox ==========
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/06 10:03:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/21 01:29:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2012/07/21 01:29:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Mozilla\Extensions
[2012/07/25 08:45:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Mozilla\Firefox\Profiles\qjmj1hwr.default\extensions
[2012/07/21 01:29:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/15 00:20:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/15 00:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/15 00:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
========== Chrome ==========
CHR - homepage:
CHR - homepage:
O1 HOSTS File: ([2003/03/31 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ParentalControl] C:\Program Files\Parental Control\ParentalControl.Exe (Crawler.com)
O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMultiIE = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWB = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWC = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWD = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWE = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWF = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWG = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWH = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWI = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWJ = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWK = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWM = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWN = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWO = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWP = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWQ = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWR = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWS = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWT = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWU = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWV = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWW = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWX = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWY = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LWZ = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableClock = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342541062625 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F040A7DC-1F30-4821-B9D4-DCDECB54CFB5}: NameServer = 196.43.1.11,196.25.1.11
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (System) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/06 15:00:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5245c1fc-1b37-11dd-9825-001111232aa1}\Shell\Auto\command - "" = D:\
O33 - MountPoints2\{5245c1fc-1b37-11dd-9825-001111232aa1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5245c1fc-1b37-11dd-9825-001111232aa1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
O33 - MountPoints2\{6a391068-9697-11dc-97b1-001111232aa1}\Shell - "" = Autorun
O33 - MountPoints2\{6a391068-9697-11dc-97b1-001111232aa1}\Shell\AutoRun\command - "" = F:\SCVVHSOT.exe
O33 - MountPoints2\{6a391068-9697-11dc-97b1-001111232aa1}\Shell\Open\command - "" = F:\SCVVHSOT.exe
O33 - MountPoints2\{6b872f6f-06d0-11dd-9813-001111232aa1}\Shell - "" = AutoRun
O33 - MountPoints2\{6b872f6f-06d0-11dd-9813-001111232aa1}\Shell\Auto\command - "" = D:\MicrosoftPowerPoint.exe
O33 - MountPoints2\{6b872f6f-06d0-11dd-9813-001111232aa1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6b872f6f-06d0-11dd-9813-001111232aa1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
O33 - MountPoints2\{92fe0eb3-bf4e-11dc-97d9-001111232aa1}\Shell - "" = Autorun
O33 - MountPoints2\{92fe0eb3-bf4e-11dc-97d9-001111232aa1}\Shell\AutoRun\command - "" = SCVVHSOT.exe
O33 - MountPoints2\{92fe0eb3-bf4e-11dc-97d9-001111232aa1}\Shell\Open\command - "" = SCVVHSOT.exe
O33 - MountPoints2\{96a15227-ba04-11dc-97d5-001111232aa1}\Shell - "" = AutoRun
O33 - MountPoints2\{96a15227-ba04-11dc-97d5-001111232aa1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{96a15227-ba04-11dc-97d5-001111232aa1}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{d51aa597-9736-11dc-97b4-001111232aa1}\Shell\AutoRun\command - "" = ntde1ect.com
O33 - MountPoints2\{d51aa597-9736-11dc-97b4-001111232aa1}\Shell\explore\Command - "" = ntde1ect.com
O33 - MountPoints2\{d51aa597-9736-11dc-97b4-001111232aa1}\Shell\open\Command - "" = ntde1ect.com
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O34 - HKLM BootExecute: (sprecovr \SystemRoot\sprecovr.txt)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
========== Files/Folders - Created Within 30 Days ==========
[2012/07/25 14:21:25 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\OTL.exe
[2012/07/25 09:22:45 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/07/25 08:48:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/25 08:47:59 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/25 08:47:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/25 08:47:05 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/21 01:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\My Documents\Downloads
[2012/07/21 01:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\Mozilla
[2012/07/21 01:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Mozilla
[2012/07/21 01:29:19 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/07/21 01:29:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/07/21 01:29:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/07/20 22:20:39 | 004,584,441 | R--- | C] (Swearware) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\ComboFix.exe
[2012/07/20 08:42:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/20 08:35:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/20 08:35:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/20 08:35:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/20 08:35:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/20 08:33:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/20 08:33:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/07/19 14:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/19 10:25:29 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/07/19 08:28:36 | 000,000,000 | ---D | C] -- C:\53982c37fb4e5f4cb42dd1e3
[2012/07/19 08:08:04 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\T.H. Ngcobo\IECompatCache
[2012/07/19 08:06:24 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\T.H. Ngcobo\PrivacIE
[2012/07/19 08:01:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\T.H. Ngcobo\IETldCache
[2012/07/18 08:51:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2012/07/17 17:57:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/07/17 17:43:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/07/17 17:42:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/07/17 17:42:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2012/07/17 08:34:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG
[2012/07/17 08:20:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Desktop\rkilletc
[2012/07/16 22:11:26 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\TDSSKiller.exe
[2012/07/09 14:44:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Macromedia
[2012/07/09 10:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\Google
[2012/07/09 10:31:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\Deployment
[2012/07/06 08:54:20 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/07/06 08:46:31 | 000,000,000 | R--D | C] -- C:\Documents and Settings\T.H. Ngcobo\Start Menu\Programs\Administrative Tools
[2012/07/05 14:40:56 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2012/07/04 16:08:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Malwarebytes
[2012/07/04 16:08:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[7 C:\Documents and Settings\T.H. Ngcobo\My Documents\*.tmp files -> C:\Documents and Settings\T.H. Ngcobo\My Documents\*.tmp -> ]
[5 C:\*.tmp files -> C:\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[188 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/07/25 14:21:00 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\OTL.exe
[2012/07/25 09:21:01 | 000,013,694 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/25 09:20:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/25 08:48:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/25 08:45:49 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/24 15:40:48 | 004,584,441 | R--- | M] (Swearware) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\ComboFix.exe
[2012/07/24 14:24:19 | 102,076,494 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/07/21 01:40:25 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/21 01:29:21 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/07/21 01:29:21 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/07/21 00:32:14 | 000,000,108 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Desktop\fixme.reg
[2012/07/20 10:27:54 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Desktop\rk-proxy.reg
[2012/07/20 08:42:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/19 10:56:45 | 000,441,882 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/19 10:56:45 | 000,071,692 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/19 10:14:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/19 08:42:37 | 000,199,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/18 09:01:21 | 002,000,252 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2012/07/17 18:04:00 | 000,027,520 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\dt.dat
[2012/07/17 16:37:07 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/07/17 13:20:03 | 000,049,695 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/07/17 09:23:46 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Desktop\MS Word.lnk
[2012/07/17 08:34:05 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2012/07/16 22:11:26 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\TDSSKiller.exe
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[7 C:\Documents and Settings\T.H. Ngcobo\My Documents\*.tmp files -> C:\Documents and Settings\T.H. Ngcobo\My Documents\*.tmp -> ]
[5 C:\*.tmp files -> C:\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[188 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/07/25 08:48:06 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/21 01:29:21 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/07/21 01:29:21 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/07/21 01:29:21 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/07/21 00:36:57 | 000,000,108 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Desktop\fixme.reg
[2012/07/20 10:27:54 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Desktop\rk-proxy.reg
[2012/07/20 08:42:13 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/07/20 08:42:05 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/20 08:35:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/20 08:35:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/20 08:35:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/20 08:35:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/20 08:35:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/19 08:01:47 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Start Menu\Programs\Internet Explorer.lnk
[2012/07/17 18:31:48 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/07/17 18:31:48 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/07/17 18:04:00 | 000,027,520 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\dt.dat
[2011/10/17 09:09:29 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\ChgService.exe
[2007/08/31 09:15:04 | 000,000,080 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Favorites.axl
[2007/08/08 07:55:52 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/07 15:27:37 | 000,000,260 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\aimsproxy.properties
[2007/08/07 15:27:37 | 000,000,202 | ---- | C] () -- C:\Documents and Settings\T.H. Ngcobo\aimsclient.properties
========== LOP Check ==========
[2012/07/24 15:31:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2012/07/04 12:58:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/03/02 09:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/03/02 09:13:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/02/26 13:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2012/07/24 14:24:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/07/11 14:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParentalControl
[2012/03/02 09:51:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\AVG2012
[2007/08/07 11:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Grisoft
[2007/08/08 15:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\T.H. Ngcobo\Application Data\ParentalControl
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.* >
[2007/08/06 15:00:19 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/08/07 08:05:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/07/20 08:42:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2007/08/06 15:00:19 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/08/06 15:00:19 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/01/03 16:07:33 | 000,000,484 | ---- | M] () -- C:\LOG1.log
[2008/07/10 12:56:10 | 000,000,484 | ---- | M] () -- C:\LOG2.log
[2008/01/18 10:05:28 | 000,000,484 | ---- | M] () -- C:\LOG3.log
[2009/01/09 15:29:10 | 000,000,484 | ---- | M] () -- C:\LOG4.log
[2009/04/02 14:07:54 | 000,000,484 | ---- | M] () -- C:\LOGB.log
[2007/08/06 15:00:19 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2007/08/07 07:59:54 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2012/07/17 16:37:07 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/07/25 09:40:17 | 1067,544,576 | -HS- | M] () -- C:\pagefile.sys
[2008/01/22 11:42:07 | 000,017,696 | ---- | M] () -- C:\Rescued document.txt
[2012/07/20 10:27:54 | 000,000,732 | ---- | M] () -- C:\rkill.log
[2012/07/06 08:54:52 | 000,077,280 | ---- | M] () -- C:\TDSSKiller.2.7.44.0_06.07.2012_08.52.53_log.txt
[2012/07/20 23:51:35 | 000,076,042 | ---- | M] () -- C:\TDSSKiller.2.7.46.0_20.07.2012_23.48.15_log.txt
[5 C:\*.tmp files -> C:\*.tmp -> ]
< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
< %systemroot%\Fonts\*.dll >
< %systemroot%\Fonts\*.ini >
[2007/08/06 14:59:55 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
< %systemroot%\Fonts\*.ini2 >
< %systemroot%\Fonts\*.exe >
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/08/29 02:00:00 | 000,026,288 | ---- | M] (Brother Industries ,Ltd ) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\BRPP2KA.DLL
[2008/07/06 14:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 12:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
< %systemroot%\REPAIR\*.bak1 >
< %systemroot%\REPAIR\*.ini >
< %systemroot%\system32\*.jpg >
< %systemroot%\*.jpg >
< %systemroot%\*.png >
< %systemroot%\*.scr >
< %systemroot%\*._sy >
< %APPDATA%\Adobe\Update\*.* >
< %ALLUSERSPROFILE%\Favorites\*.* >
< %APPDATA%\Microsoft\*.* >
< %PROGRAMFILES%\*.* >
< %APPDATA%\Update\*.* >
< %systemroot%\*. /mp /s >
< %systemroot%\System32\config\*.sav >
[2007/08/06 13:29:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2007/08/06 13:29:58 | 000,626,688 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2007/08/06 13:29:58 | 000,425,984 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
< %PROGRAMFILES%\bak. /s >
< %systemroot%\system32\bak. /s >
< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2012/07/17 17:46:48 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
< %systemroot%\system32\config\systemprofile\*.dat /x >
< %systemroot%\*.config >
< %systemroot%\system32\*.db >
< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/08/07 08:54:06 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2007/08/06 15:07:42 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
< %USERPROFILE%\Desktop\*.exe >
[2012/07/21 00:08:56 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\ATF-Cleaner.exe
[2012/07/24 15:40:48 | 004,584,441 | R--- | M] (Swearware) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\ComboFix.exe
[2002/08/07 14:02:18 | 000,581,632 | ---- | M] (Joshua F. Madison) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\Convert.exe
[2012/07/25 08:45:49 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/25 14:21:00 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\OTL.exe
[2012/07/16 22:11:26 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\TDSSKiller.exe
[2008/05/31 19:49:32 | 331,805,736 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\T.H. Ngcobo\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe
< %PROGRAMFILES%\Common Files\*.* >
< %systemroot%\*.src >
< %systemroot%\install\*.* >
< %systemroot%\system32\DLL\*.* >
< %systemroot%\system32\HelpFiles\*.* >
< %systemroot%\system32\rundll\*.* >
< %systemroot%\winn32\*.* >
< %systemroot%\Java\*.* >
< %systemroot%\system32\test\*.* >
< %systemroot%\system32\Rundll32\*.* >
< %systemroot%\AppPatch\Custom\*.* >
< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >
< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >
< %PROGRAMFILES%\Internet Explorer\*.tmp >
< %PROGRAMFILES%\Internet Explorer\*.dat >
< %USERPROFILE%\My Documents\*.exe >
< %USERPROFILE%\*.exe >
< %systemroot%\ADDINS\*.* >
< %systemroot%\assembly\*.bak2 >
< %systemroot%\Config\*.* >
< %systemroot%\REPAIR\*.bak2 >
< %systemroot%\SECURITY\Database\*.sdb /x >
< %systemroot%\SYSTEM\*.bak2 >
< %systemroot%\Web\*.bak2 >
< %systemroot%\Driver Cache\*.* >
< %PROGRAMFILES%\Mozilla Firefox\0*.exe >
< %ProgramFiles%\Microsoft Common\*.* >
< %ProgramFiles%\TinyProxy. >
< %USERPROFILE%\Favorites\*.url /x >
[2007/08/07 08:54:06 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Favorites\Desktop.ini
< %systemroot%\system32\*.bk >
< %systemroot%\*.te >
< %systemroot%\system32\system32\*.* >
< %ALLUSERSPROFILE%\*.dat /x >
< %systemroot%\system32\drivers\*.rmv >
< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >
< dir /b "%systemroot%\*.exe" | find /i " " /c >
< %PROGRAMFILES%\Microsoft\*.* >
< %systemroot%\System32\Wbem\proquota.exe >
< %PROGRAMFILES%\Mozilla Firefox\*.dat >
< %USERPROFILE%\Cookies\*.txt /x >
[2011/10/17 14:42:00 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Cookies\desktop.ini
[2012/07/25 10:30:31 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\T.H. Ngcobo\Cookies\index.dat
< %SystemRoot%\system32\fonts\*.* >
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2007-12-14 01:04:00
< End of report >
-
Here is the dds log after removing those 4 files and rebooting:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by T.H. Ngcobo at 10:28:48 on 2012-07-25
.
============== Running Processes ===============
.
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\system32\ChgService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Parental Control\ParentalControl.Exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Documents and Settings\T.H. Ngcobo\Desktop\rkilletc\dds.com
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = localhost:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,System,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [ParentalControl] c:\program files\parental control\ParentalControl.Exe /SERVICE
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoMultiIE = 0 (0x0)
uPolicies-explorer: LWA = 0 (0x0)
uPolicies-explorer: LWB = 0 (0x0)
uPolicies-explorer: LWC = 0 (0x0)
uPolicies-explorer: LWD = 0 (0x0)
uPolicies-explorer: LWE = 0 (0x0)
uPolicies-explorer: LWF = 0 (0x0)
uPolicies-explorer: LWG = 0 (0x0)
uPolicies-explorer: LWH = 0 (0x0)
uPolicies-explorer: LWI = 0 (0x0)
uPolicies-explorer: LWJ = 0 (0x0)
uPolicies-explorer: LWK = 0 (0x0)
uPolicies-explorer: LWL = 0 (0x0)
uPolicies-explorer: LWM = 0 (0x0)
uPolicies-explorer: LWN = 0 (0x0)
uPolicies-explorer: LWO = 0 (0x0)
uPolicies-explorer: LWP = 0 (0x0)
uPolicies-explorer: LWQ = 0 (0x0)
uPolicies-explorer: LWR = 0 (0x0)
uPolicies-explorer: LWS = 0 (0x0)
uPolicies-explorer: LWT = 0 (0x0)
uPolicies-explorer: LWU = 0 (0x0)
uPolicies-explorer: LWV = 0 (0x0)
uPolicies-explorer: LWW = 0 (0x0)
uPolicies-explorer: LWX = 0 (0x0)
uPolicies-explorer: LWY = 0 (0x0)
uPolicies-explorer: LWZ = 0 (0x0)
uPolicies-system: DisableClock = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342541062625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: Interfaces\{F040A7DC-1F30-4821-B9D4-DCDECB54CFB5} : NameServer = 196.43.1.11,196.25.1.11
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\t.h. ngcobo\application data\mozilla\firefox\profiles\qjmj1hwr.default\
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R? cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s
R? MozillaMaintenance;Mozilla Maintenance Service
S? AVGIDSHX;AVGIDSHX
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? avgwd;AVG WatchDog
S? Change Modem Device Service;Change Modem Device Service
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
.
=============== Created Last 30 ================
.
2012-07-25 07:22:45 -------- d-s---w- C:\ComboFix
2012-07-25 06:47:59 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 06:47:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-20 06:42:04 -------- d-sha-r- C:\cmdcons
2012-07-20 06:35:08 98816 ----a-w- c:\windows\sed.exe
2012-07-20 06:35:08 518144 ----a-w- c:\windows\SWREG.exe
2012-07-20 06:35:08 256000 ----a-w- c:\windows\PEV.exe
2012-07-20 06:35:08 208896 ----a-w- c:\windows\MBR.exe
2012-07-19 12:21:10 -------- d-----w- c:\program files\ESET
2012-07-19 06:28:36 -------- d-----w- C:\53982c37fb4e5f4cb42dd1e3
2012-07-19 06:08:04 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\IECompatCache
2012-07-19 06:06:24 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\PrivacIE
2012-07-19 06:01:49 -------- d-sh--w- c:\documents and settings\t.h. ngcobo\IETldCache
2012-07-18 06:57:00 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-07-18 06:52:53 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-07-18 06:51:44 -------- d-----w- c:\windows\ie8updates
2012-07-18 06:50:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-07-18 06:50:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-18 06:50:50 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-17 16:34:51 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-07-17 16:31:48 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-07-17 16:31:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-07-17 16:28:12 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-07-17 16:28:07 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-07-17 16:27:28 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-07-17 16:24:29 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-07-17 16:24:13 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-07-17 16:24:08 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-07-17 16:23:50 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-07-17 16:23:50 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-07-17 16:23:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-07-17 16:22:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-07-17 16:21:59 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-07-17 16:19:41 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-07-17 16:19:41 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-07-17 16:17:36 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-07-17 16:13:49 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-07-17 16:12:52 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-07-17 16:12:46 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-07-17 16:06:01 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-07-17 15:45:18 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-07-17 15:45:18 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-07-17 15:44:42 9728 ------w- c:\windows\system32\rwnh.dll
2012-07-17 15:44:41 10752 ------w- c:\windows\system32\smtpapi.dll
2012-07-17 15:42:51 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2012-07-17 15:42:46 -------- d-----w- c:\windows\l2schemas
2012-07-17 15:42:45 229376 ------w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2012-07-17 15:42:44 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2012-07-17 15:42:44 86016 ------w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2012-07-17 15:42:44 77824 ------w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2012-07-17 15:42:44 -------- d-----w- c:\windows\system32\en
2012-07-17 14:38:58 97280 ----a-w- c:\windows\system32\SET2E6.tmp
2012-07-17 14:37:58 75264 ----a-w- c:\windows\system32\SET1A0.tmp
2012-07-09 08:32:25 -------- d-----w- c:\documents and settings\t.h. ngcobo\local settings\application data\Google
2012-07-09 08:31:17 -------- d-----w- c:\documents and settings\t.h. ngcobo\local settings\application data\Deployment
2012-07-06 06:54:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-04 14:08:59 -------- d-----w- c:\documents and settings\t.h. ngcobo\application data\Malwarebytes
2012-07-04 14:08:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-02 09:27:04 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys
2012-07-02 09:27:04 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2012-07-02 09:27:02 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2012-07-02 09:27:02 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
.
==================== Find3M ====================
.
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 10:31:06.62 ===============
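A small triage helper, added here as a worked example; it is not part of JohanF's post and not code from the DDS tool. It parses lines in the format of the "Pseudo HJT Report" section above into structured records, restores the `hxxp://` defanging DDS applies to URLs, and pulls out two things an analyst reading this log would want listed: any `Internet Settings,ProxyServer` value (the post shows one set at user scope while the Firefox prefs show no proxy, which is worth confirming with the user) and Java components older than a baseline (the post shows jre1.5.0_06). The sample lines are copied from the log above; the scope mapping (u = current user, m = machine, d = default user) follows the DDS convention; the Java baseline version is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Sample input: lines in the format of the DDS "Pseudo HJT Report" section,
# copied from the log above (constructed for this example, not a live scan).
SAMPLE_HJT = r"""
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = localhost:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe,System,
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
""".strip()

# DDS prefixes: u = current user hive, m = machine hive, d = default user hive.
SCOPE = {"u": "user", "m": "machine", "d": "default"}

SETTING_RE = re.compile(r"^([umd])(Start Page|Internet Settings,[A-Za-z]+) = (.*)$")
RUN_RE = re.compile(r"^([umd])Run: \[(.*?)\] (.*)$")
WINLOGON_RE = re.compile(r"^([umd])Winlogon: ([A-Za-z]+)=(.*)$")
COM_RE = re.compile(r"^(BHO|TB): (.*?): (\{[0-9A-Fa-f-]+\}) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - (.*)$")
# Java version as it appears in install paths (jre1.5.0_06) and in the
# download cab names DDS lists under DPF (jinstall-1_5_0_06).
JAVA_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)|jinstall-(\d+)_(\d+)_(\d+)_(\d+)", re.I)


@dataclass
class Entry:
    kind: str          # "Setting", "Run", "Winlogon", "BHO", "TB", "DPF" or "other"
    scope: str         # "user", "machine", "default", or "" where DDS gives none
    name: str          # setting name, Run value name, BHO/TB title, DPF CLSID
    value: str         # the path, URL or data carried by the line
    clsid: str = ""    # COM class id for BHO/TB/DPF entries


def parse_hjt(text: str) -> List[Entry]:
    """Turn DDS Pseudo HJT lines into Entry records; unknown lines are kept as 'other'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SETTING_RE.match(line):
            entries.append(Entry("Setting", SCOPE[m[1]], m[2], m[3]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("Run", SCOPE[m[1]], m[2], m[3]))
        elif m := WINLOGON_RE.match(line):
            entries.append(Entry("Winlogon", SCOPE[m[1]], m[2], m[3]))
        elif m := COM_RE.match(line):
            entries.append(Entry(m[1], "", m[2], m[4], clsid=m[3]))
        elif m := DPF_RE.match(line):
            entries.append(Entry("DPF", "", m[1], m[2], clsid=m[1]))
        else:
            entries.append(Entry("other", "", "", line))
    return entries


def refang(url: str) -> str:
    """Undo the hxxp:// defanging DDS applies so the URL can be looked up."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def proxy_settings(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Every ProxyServer setting with the hive scope it was found in."""
    return [(e.scope, e.value) for e in entries
            if e.kind == "Setting" and e.name == "Internet Settings,ProxyServer"]


def java_versions(entries: List[Entry]) -> Set[Tuple[int, ...]]:
    """Distinct Java versions referenced by any entry's path or URL."""
    found: Set[Tuple[int, ...]] = set()
    for e in entries:
        for m in JAVA_RE.finditer(e.value):
            found.add(tuple(int(x) for x in m.groups() if x is not None))
    return found


def outdated_java(entries: List[Entry], baseline=(1, 6, 0, 0)) -> List[Tuple[int, ...]]:
    """Java versions below the assumed baseline (baseline is an example value)."""
    return sorted(v for v in java_versions(entries) if v < baseline)


def triage(text: str, java_baseline=(1, 6, 0, 0)) -> Dict[str, object]:
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "proxy": proxy_settings(entries),
        "outdated_java": outdated_java(entries, java_baseline),
        "remote_loads": [refang(e.value) for e in entries if e.kind == "DPF"],
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HJT).items():
        print(f"{key}: {val}")
```

The parser keeps unrecognised lines as `other` rather than dropping them, so a count mismatch between input lines and records is itself a signal that the DDS format has a line shape this helper does not know yet.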
Can't get rid of W32/Sality.AT
in Resolved Malware Removal Logs
Posted
Thanks Mr Tate for your help! I'm giving one of the freeware firewalls, as well as one of the spyware-blocking applications listed in your links, a try to prevent a repetition. For now I think you can close the thread - this machine is now running like new!