
MBAM Removed but still PING.EXE


bobmmp


Over the past several months I have had repeat infections. Malwarebytes has detected and reported clean. Then scan again later and bam, here we go again. Now Ping.exe keeps showing up in the sys tray. I kill it and it starts again.

Also, Mal. detected and cleaned cdrom.sys; now the CD-ROM/DVD does not work.

Here is a combined MBAM log and dds.txt

Any help getting rid of this for good is appreciated!

Oh, did not see an edit feature for the post, but ESET runs in hide mode so cannot temp disable it? Might affect scans?

dds.txt

MBAMcombined.txt


Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

Good morning and thank you very much for your help.

Here are the scans: MBAM scan and the DDS scan. At the end of this, I am going to post some previous MBAM and TDSSKiller scans where I have cleaned the computer and reinfection seems to appear. My security center and ESET still seem to be affected by whatever happened.

*******************************************

MBAM

*******************************************

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122308

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/23/2011 9:48:30 AM

mbam-log-2011-12-23 (09-48-30).txt

Scan type: Quick scan

Objects scanned: 228630

Time elapsed: 15 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*****************************************

Current DDS Scan

*****************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30

Run by Bob at 10:23:55 on 2011-12-23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.342 [GMT -7:00]

.

AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://mail.adigitalm.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://webcam.innonfifth.com:8080/VatDec.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151685220046

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://64.84.107.59/activex/AMC.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://80.59.219.32:86/activex/AxisCamControl.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam5.hrz.tu-darmstadt.de/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5F922AB0-1979-4C86-9178-78ED53B12405} : DhcpNameServer = 192.168.0.1

AppInit_DLLs: wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\6h5kru6m.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-9-22 974944]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

S0 vqvhha;vqvhha;c:\windows\system32\drivers\btqjcpn.sys --> c:\windows\system32\drivers\btqjcpn.sys [?]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]

S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [2006-12-23 156800]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

.

=============== Created Last 30 ================

.

2011-12-13 21:48:50 1692968 ----a-w- C:\avg_remover_stf_x86_2012_1796.exe

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

2011-11-29 19:33:37 -------- d-----w- C:\123AB

.

==================== Find3M ====================

.

2011-12-14 16:05:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys

2011-12-14 16:05:06 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-11-30 17:33:26 89680 ----a-w- c:\documents and settings\bob\MSSSerif120.fon

2011-11-30 15:11:23 3714 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-11-12 00:56:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-10 12:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 10:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 10:25:57.85 ===============

Thanks again, looking forward to getting this all healthy again!


********************************************************************************

Here are the MBAM history logs plus TDSSKiller, which took out 2 rootkits.

After I ran TDSSKiller, it said it cured two rootkits. This stopped Ping.EXE.

********************************************************************************

*******************

MBAM 4/11/2011

*******************

Database version: 6333

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/11/2011 10:32:02 AM

mbam-log-2011-04-11 (10-32-02).txt

Scan type: Quick scan

Objects scanned: 189557

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 4

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\program files\MJC (Trojan.Agent) -> Quarantined and deleted successfully.

C:\program files\MJC\mjc rounded div (Trojan.Agent) -> Quarantined and deleted successfully.

C:\program files\MJC\mjc rounded div\MJC (Trojan.Agent) -> Quarantined and deleted successfully.

C:\program files\MJC\mjc rounded div\MJC\roundeddiv (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\program files\MJC\mjc rounded div\MJC\roundeddiv\Thumbs.db (Trojan.Agent) -> Quarantined and deleted successfully.

*******************

MBAM 11/9/2011

*******************

Database version: 8125

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/9/2011 9:08:57 AM

mbam-log-2011-11-09 (09-08-57).txt

Scan type: Quick scan

Objects scanned: 209381

Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oWWKK8fRL9hTwjC8234A (Malware.Packer) -> Value: oWWKK8fRL9hTwjC8234A -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\av security 2012v121.exe (Malware.Packer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdrom.sys (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\documents and settings\Bob\local settings\Temp\0.12187553257565276.exe (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

C:\documents and settings\Bob\local settings\Temp\0.9979782010782732.exe (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

C:\documents and settings\Bob\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.

*******************

MBAM 11/9/2011 Re-scan

*******************

Database version: 8125

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/9/2011 12:26:40 PM

mbam-log-2011-11-09 (12-26-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 496554

Time elapsed: 2 hour(s), 34 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1416\A0140287.sys (Rootkit.0Access) -> Quarantined and deleted successfully.

*******************

MBAM 11/18/2011

*******************

Database version: 8189

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/18/2011 1:08:06 PM

mbam-log-2011-11-18 (13-08-06).txt

Scan type: Quick scan

Objects scanned: 215267

Time elapsed: 12 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\documents and settings\Bob\Desktop\av security 2012.lnk (Rogue.AVSecurity2012) -> Quarantined and deleted successfully.

*******************

MBAM 11/29/2011

*******************

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8273

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/29/2011 2:37:19 PM

mbam-log-2011-11-29 (14-37-19).txt

Scan type: Quick scan

Objects scanned: 208544

Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1782351697 (Trojan.FakeAlert) -> Value: 1782351697 -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\documents and settings\Bob\local settings\application data\etf.exe1 (Trojan.FakeMS) -> Quarantined and deleted successfully.

*******************

MBAM 11/30/2011

*******************

Database version: 8273

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/30/2011 8:27:23 AM

mbam-log-2011-11-30 (08-27-23).txt

Scan type: Quick scan

Objects scanned: 221996

Time elapsed: 22 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\0.1723781414203639.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\0.7334956929411629.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\0.5426214126757316.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

*******************

MBAM 12/1/2011

*******************

Database version: 8273

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/1/2011 8:08:32 PM

mbam-log-2011-12-01 (20-08-32).txt

Scan type: Quick scan

Objects scanned: 222545

Time elapsed: 18 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Dropper) -> Value: MozillaAgent -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\_ex-68.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

*******************

TDSSKiller

*******************

08:55:56.0265 3236 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31

08:55:56.0328 3236 ============================================================

08:55:56.0328 3236 Current date / time: 2011/12/14 08:55:56.0328

08:55:56.0328 3236 SystemInfo:

08:55:56.0328 3236

08:55:56.0328 3236 OS Version: 5.1.2600 ServicePack: 3.0

08:55:56.0328 3236 Product type: Workstation

08:55:56.0328 3236 ComputerName: ADIGITALM

08:55:56.0328 3236 UserName: Bob

08:55:56.0328 3236 Windows directory: C:\WINDOWS

08:55:56.0328 3236 System windows directory: C:\WINDOWS

08:55:56.0328 3236 Processor architecture: Intel x86

08:55:56.0328 3236 Number of processors: 2

08:55:56.0328 3236 Page size: 0x1000

08:55:56.0328 3236 Boot type: Normal boot

08:55:56.0328 3236 ============================================================

08:55:58.0140 3236 Initialize success

08:56:35.0015 3456 ============================================================

08:56:35.0015 3456 Scan started

08:56:35.0015 3456 Mode: Manual;

08:56:35.0015 3456 ============================================================

08:56:35.0328 3456 Abiosdsk - ok

08:56:35.0359 3456 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

08:56:35.0390 3456 abp480n5 - ok

08:56:35.0453 3456 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys

08:56:35.0453 3456 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17

08:56:35.0468 3456 ACPI ( Virus.Win32.Rloader.a ) - infected

08:56:35.0468 3456 ACPI - detected Virus.Win32.Rloader.a (0)

08:56:35.0484 3456 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

08:56:35.0500 3456 ACPIEC - ok

08:56:35.0531 3456 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

08:56:35.0546 3456 adpu160m - ok

08:56:35.0656 3456 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

08:56:35.0671 3456 aec - ok

08:56:35.0703 3456 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys

08:56:35.0734 3456 AegisP - ok

08:56:35.0781 3456 AFD (d883012f1019f2d2f4d928d95b701f75) C:\WINDOWS\System32\drivers\afd.sys

08:56:35.0812 3456 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d883012f1019f2d2f4d928d95b701f75, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9

08:56:35.0812 3456 AFD ( Rootkit.Win32.ZAccess.k ) - infected

08:56:35.0812 3456 AFD - detected Rootkit.Win32.ZAccess.k (0)

08:56:35.0859 3456 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

08:56:35.0875 3456 agp440 - ok

08:56:35.0953 3456 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

08:56:35.0968 3456 agpCPQ - ok

08:56:35.0984 3456 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

08:56:36.0031 3456 Aha154x - ok

08:56:36.0062 3456 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

08:56:36.0078 3456 aic78u2 - ok

08:56:36.0125 3456 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

08:56:36.0140 3456 aic78xx - ok

08:56:36.0218 3456 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

08:56:36.0234 3456 AliIde - ok

08:56:36.0281 3456 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

08:56:36.0296 3456 alim1541 - ok

08:56:36.0312 3456 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

08:56:36.0328 3456 amdagp - ok

08:56:36.0375 3456 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

08:56:36.0421 3456 amsint - ok

08:56:36.0515 3456 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

08:56:36.0546 3456 ApfiltrService - ok

08:56:36.0578 3456 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

08:56:36.0578 3456 APPDRV - ok

08:56:36.0625 3456 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

08:56:36.0640 3456 Arp1394 - ok

08:56:36.0687 3456 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

08:56:36.0703 3456 asc - ok

08:56:36.0781 3456 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

08:56:36.0812 3456 asc3350p - ok

08:56:36.0843 3456 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

08:56:36.0875 3456 asc3550 - ok

08:56:36.0937 3456 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

08:56:36.0953 3456 AsyncMac - ok

08:56:36.0984 3456 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

08:56:36.0984 3456 atapi - ok

08:56:37.0078 3456 Atdisk - ok

08:56:37.0109 3456 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

08:56:37.0109 3456 Atmarpc - ok

08:56:37.0171 3456 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

08:56:37.0187 3456 audstub - ok

08:56:37.0234 3456 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

08:56:37.0234 3456 b57w2k - ok

08:56:37.0265 3456 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

08:56:37.0281 3456 Beep - ok

08:56:37.0328 3456 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

08:56:37.0359 3456 cbidf - ok

08:56:37.0421 3456 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

08:56:37.0421 3456 cbidf2k - ok

08:56:37.0484 3456 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

08:56:37.0500 3456 CCDECODE - ok

08:56:37.0531 3456 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

08:56:37.0531 3456 cd20xrnt - ok

08:56:37.0546 3456 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

08:56:37.0609 3456 Cdaudio - ok

08:56:37.0656 3456 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

08:56:37.0656 3456 Cdfs - ok

08:56:37.0765 3456 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

08:56:37.0796 3456 Cdrom - ok

08:56:37.0812 3456 Changer - ok

08:56:37.0890 3456 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

08:56:37.0906 3456 CmBatt - ok

08:56:37.0937 3456 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

08:56:37.0953 3456 CmdIde - ok

08:56:37.0984 3456 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

08:56:37.0984 3456 Compbatt - ok

08:56:38.0031 3456 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

08:56:38.0062 3456 Cpqarray - ok

08:56:38.0156 3456 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

08:56:38.0203 3456 dac2w2k - ok

08:56:38.0250 3456 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

08:56:38.0265 3456 dac960nt - ok

08:56:38.0343 3456 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

08:56:38.0375 3456 Disk - ok

08:56:38.0453 3456 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

08:56:38.0484 3456 DLABOIOM - ok

08:56:38.0531 3456 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

08:56:38.0546 3456 DLACDBHM - ok

08:56:38.0546 3456 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS

08:56:38.0578 3456 DLADResN - ok

08:56:38.0609 3456 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

08:56:38.0625 3456 DLAIFS_M - ok

08:56:38.0640 3456 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

08:56:38.0640 3456 DLAOPIOM - ok

08:56:38.0671 3456 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

08:56:38.0687 3456 DLAPoolM - ok

08:56:38.0781 3456 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

08:56:38.0781 3456 DLARTL_N - ok

08:56:38.0812 3456 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

08:56:38.0828 3456 DLAUDFAM - ok

08:56:38.0859 3456 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

08:56:38.0875 3456 DLAUDF_M - ok

08:56:38.0968 3456 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

08:56:39.0015 3456 dmboot - ok

08:56:39.0093 3456 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

08:56:39.0125 3456 dmio - ok

08:56:39.0156 3456 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

08:56:39.0171 3456 dmload - ok

08:56:39.0234 3456 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

08:56:39.0234 3456 DMusic - ok

08:56:39.0265 3456 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

08:56:39.0265 3456 dpti2o - ok

08:56:39.0312 3456 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

08:56:39.0328 3456 drmkaud - ok

08:56:39.0406 3456 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

08:56:39.0437 3456 DRVMCDB - ok

08:56:39.0484 3456 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

08:56:39.0484 3456 DRVNDDM - ok

08:56:39.0515 3456 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

08:56:39.0515 3456 E100B - ok

08:56:39.0578 3456 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys

08:56:39.0578 3456 eamon - ok

08:56:39.0640 3456 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

08:56:39.0687 3456 ehdrv - ok

08:56:39.0765 3456 epfw (5ba193ca0ae31209aaa39939ce6736b2) C:\WINDOWS\system32\DRIVERS\epfw.sys

08:56:39.0796 3456 epfw - ok

08:56:39.0828 3456 Epfwndis (75d3bcd3e0eded0ab0f96d9a10ff01c9) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

08:56:39.0828 3456 Epfwndis - ok

08:56:39.0890 3456 epfwtdi (dc64f26f35e32c9472bbf8acd84060d3) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

08:56:39.0906 3456 epfwtdi - ok

08:56:39.0984 3456 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

08:56:40.0000 3456 Fastfat - ok

08:56:40.0046 3456 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

08:56:40.0062 3456 Fdc - ok

08:56:40.0125 3456 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

08:56:40.0125 3456 Fips - ok

08:56:40.0156 3456 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

08:56:40.0171 3456 Flpydisk - ok

08:56:40.0234 3456 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

08:56:40.0234 3456 FltMgr - ok

08:56:40.0296 3456 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

08:56:40.0312 3456 Fs_Rec - ok

08:56:40.0343 3456 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

08:56:40.0359 3456 Ftdisk - ok

08:56:40.0453 3456 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

08:56:40.0453 3456 Gpc - ok

08:56:40.0515 3456 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

08:56:40.0515 3456 HDAudBus - ok

08:56:40.0562 3456 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

08:56:40.0562 3456 HidUsb - ok

08:56:40.0640 3456 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

08:56:40.0656 3456 hpn - ok

08:56:40.0734 3456 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys

08:56:40.0750 3456 HSF_DPV - ok

08:56:40.0828 3456 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys

08:56:40.0828 3456 HSXHWAZL - ok

08:56:40.0906 3456 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

08:56:40.0906 3456 HTTP - ok

08:56:40.0968 3456 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

08:56:40.0968 3456 i2omgmt - ok

08:56:41.0000 3456 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

08:56:41.0015 3456 i2omp - ok

08:56:41.0078 3456 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

08:56:41.0078 3456 i8042prt - ok

08:56:41.0140 3456 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\WINDOWS\system32\Drivers\Icam3.sys

08:56:41.0156 3456 ICAM3NT5 - ok

08:56:41.0203 3456 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

08:56:41.0203 3456 Imapi - ok

08:56:41.0250 3456 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

08:56:41.0296 3456 ini910u - ok

08:56:41.0359 3456 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

08:56:41.0359 3456 IntelIde - ok

08:56:41.0453 3456 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

08:56:41.0453 3456 intelppm - ok

08:56:41.0484 3456 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

08:56:41.0500 3456 Ip6Fw - ok

08:56:41.0515 3456 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

08:56:41.0546 3456 IpFilterDriver - ok

08:56:41.0578 3456 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

08:56:41.0578 3456 IpInIp - ok

08:56:41.0625 3456 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

08:56:41.0625 3456 IpNat - ok

08:56:41.0687 3456 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

08:56:41.0687 3456 IPSec - ok

08:56:41.0765 3456 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

08:56:41.0765 3456 IRENUM - ok

08:56:41.0812 3456 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

08:56:41.0828 3456 isapnp - ok

08:56:41.0843 3456 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

08:56:41.0843 3456 Kbdclass - ok

08:56:41.0875 3456 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

08:56:41.0875 3456 kbdhid - ok

08:56:41.0906 3456 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

08:56:41.0906 3456 kmixer - ok

08:56:41.0968 3456 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

08:56:41.0984 3456 KSecDD - ok

08:56:42.0062 3456 lbrtfdc - ok

08:56:42.0109 3456 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

08:56:42.0125 3456 mdmxsdk - ok

08:56:42.0140 3456 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

08:56:42.0171 3456 mnmdd - ok

08:56:42.0250 3456 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

08:56:42.0250 3456 Modem - ok

08:56:42.0265 3456 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

08:56:42.0296 3456 Mouclass - ok

08:56:42.0375 3456 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

08:56:42.0375 3456 mouhid - ok

08:56:42.0406 3456 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

08:56:42.0421 3456 MountMgr - ok

08:56:42.0468 3456 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

08:56:42.0484 3456 mraid35x - ok

08:56:42.0531 3456 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

08:56:42.0546 3456 MRxDAV - ok

08:56:42.0625 3456 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

08:56:42.0671 3456 MRxSmb - ok

08:56:42.0796 3456 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

08:56:42.0828 3456 Msfs - ok

08:56:42.0859 3456 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

08:56:42.0875 3456 MSKSSRV - ok

08:56:42.0921 3456 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

08:56:42.0921 3456 MSPCLOCK - ok

08:56:42.0953 3456 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

08:56:42.0953 3456 MSPQM - ok

08:56:43.0015 3456 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

08:56:43.0015 3456 mssmbios - ok

08:56:43.0093 3456 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

08:56:43.0109 3456 MSTEE - ok

08:56:43.0156 3456 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

08:56:43.0187 3456 Mup - ok

08:56:43.0234 3456 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

08:56:43.0250 3456 NABTSFEC - ok

08:56:43.0281 3456 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

08:56:43.0296 3456 NDIS - ok

08:56:43.0312 3456 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

08:56:43.0328 3456 NdisIP - ok

08:56:43.0437 3456 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

08:56:43.0453 3456 NdisTapi - ok

08:56:43.0500 3456 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

08:56:43.0531 3456 Ndisuio - ok

08:56:43.0546 3456 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

08:56:43.0562 3456 NdisWan - ok

08:56:43.0625 3456 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

08:56:47.0125 3456 NDProxy - ok

08:56:47.0234 3456 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

08:56:47.0250 3456 NetBIOS - ok

08:56:47.0281 3456 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

08:56:47.0296 3456 NetBT - ok

08:56:47.0343 3456 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

08:56:47.0343 3456 NIC1394 - ok

08:56:47.0406 3456 npf (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys

08:56:47.0406 3456 npf - ok

08:56:47.0437 3456 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

08:56:47.0453 3456 Npfs - ok

08:56:47.0546 3456 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

08:56:47.0593 3456 Ntfs - ok

08:56:47.0625 3456 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

08:56:47.0640 3456 Null - ok

08:56:47.0812 3456 nv (5796a04ccc99542fdfb43f2accd803df) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

08:56:47.0953 3456 nv - ok

08:56:48.0046 3456 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

08:56:48.0062 3456 NwlnkFlt - ok

08:56:48.0093 3456 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

08:56:48.0109 3456 NwlnkFwd - ok

08:56:48.0171 3456 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

08:56:48.0171 3456 ohci1394 - ok

08:56:48.0218 3456 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

08:56:48.0218 3456 Parport - ok

08:56:48.0250 3456 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

08:56:48.0265 3456 PartMgr - ok

08:56:48.0328 3456 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

08:56:48.0359 3456 ParVdm - ok

08:56:48.0390 3456 PBADRV (6ef25fb20cd269e3e51d8ca54935fff2) C:\WINDOWS\system32\drivers\pbadrv.sys

08:56:48.0406 3456 PBADRV - ok

08:56:48.0453 3456 PCASp50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\WINDOWS\system32\Drivers\PCASp50.sys

08:56:48.0468 3456 PCASp50 - ok

08:56:48.0562 3456 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

08:56:48.0562 3456 PCI - ok

08:56:48.0609 3456 PCIDump - ok

08:56:48.0640 3456 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

08:56:48.0671 3456 PCIIde - ok

08:56:48.0703 3456 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

08:56:48.0703 3456 Pcmcia - ok

08:56:48.0718 3456 PDCOMP - ok

08:56:48.0734 3456 PDFRAME - ok

08:56:48.0765 3456 PDRELI - ok

08:56:48.0781 3456 PDRFRAME - ok

08:56:48.0828 3456 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

08:56:48.0828 3456 perc2 - ok

08:56:48.0875 3456 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

08:56:48.0875 3456 perc2hib - ok

08:56:48.0953 3456 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

08:56:48.0968 3456 PptpMiniport - ok

08:56:49.0062 3456 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

08:56:49.0062 3456 Ptilink - ok

08:56:49.0109 3456 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

08:56:49.0125 3456 PxHelp20 - ok

08:56:49.0187 3456 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

08:56:49.0203 3456 ql1080 - ok

08:56:49.0234 3456 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

08:56:49.0234 3456 Ql10wnt - ok

08:56:49.0312 3456 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

08:56:49.0328 3456 ql12160 - ok

08:56:49.0359 3456 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

08:56:49.0406 3456 ql1240 - ok

08:56:49.0453 3456 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

08:56:49.0484 3456 ql1280 - ok

08:56:49.0515 3456 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

08:56:49.0531 3456 RasAcd - ok

08:56:49.0625 3456 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

08:56:49.0640 3456 Rasl2tp - ok

08:56:49.0671 3456 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

08:56:49.0703 3456 RasPppoe - ok

08:56:49.0734 3456 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

08:56:49.0750 3456 Raspti - ok

08:56:49.0781 3456 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

08:56:49.0781 3456 Rdbss - ok

08:56:49.0812 3456 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

08:56:49.0812 3456 RDPCDD - ok

08:56:49.0906 3456 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

08:56:49.0921 3456 rdpdr - ok

08:56:49.0984 3456 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

08:56:50.0015 3456 RDPWD - ok

08:56:50.0062 3456 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

08:56:50.0078 3456 redbook - ok

08:56:50.0140 3456 RimUsb (616eac1b0e48b236a5a9b8ae07fdb81c) C:\WINDOWS\system32\Drivers\RimUsb.sys

08:56:50.0140 3456 RimUsb - ok

08:56:50.0218 3456 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

08:56:50.0218 3456 RimVSerPort - ok

08:56:50.0250 3456 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

08:56:50.0265 3456 ROOTMODEM - ok

08:56:50.0312 3456 s24trans (2e4e912ce95f5ef4d4a5079f6ce367fc) C:\WINDOWS\system32\DRIVERS\s24trans.sys

08:56:50.0343 3456 s24trans - ok

08:56:50.0421 3456 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

08:56:50.0437 3456 Secdrv - ok

08:56:50.0562 3456 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

08:56:50.0593 3456 serenum - ok

08:56:50.0640 3456 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

08:56:50.0640 3456 Serial - ok

08:56:50.0671 3456 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

08:56:50.0687 3456 Sfloppy - ok

08:56:50.0703 3456 Simbad - ok

08:56:50.0765 3456 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

08:56:50.0765 3456 sisagp - ok

08:56:50.0828 3456 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

08:56:50.0828 3456 SLIP - ok

08:56:50.0890 3456 SoC PC-Camera Service (a3d484ebd8c1f6db3739e892a6304951) C:\WINDOWS\system32\DRIVERS\pfc027.sys

08:56:50.0890 3456 SoC PC-Camera Service - ok

08:56:50.0968 3456 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

08:56:50.0984 3456 Sparrow - ok

08:56:51.0031 3456 SPC610NC (4d5edc58542fe46801f6856f5a43e0d9) C:\WINDOWS\system32\DRIVERS\SPC610NC.SYS

08:56:51.0046 3456 SPC610NC - ok

08:56:51.0109 3456 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

08:56:51.0125 3456 splitter - ok

08:56:51.0187 3456 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

08:56:51.0187 3456 sr - ok

08:56:51.0281 3456 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

08:56:51.0296 3456 Srv - ok

08:56:51.0375 3456 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys

08:56:51.0406 3456 STHDA - ok

08:56:51.0531 3456 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

08:56:51.0531 3456 streamip - ok

08:56:51.0562 3456 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

08:56:51.0578 3456 swenum - ok

08:56:51.0609 3456 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

08:56:51.0625 3456 swmidi - ok

08:56:51.0671 3456 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

08:56:51.0671 3456 symc810 - ok

08:56:51.0718 3456 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

08:56:51.0734 3456 symc8xx - ok

08:56:51.0812 3456 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

08:56:51.0843 3456 sym_hi - ok

08:56:51.0859 3456 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

08:56:51.0875 3456 sym_u3 - ok

08:56:51.0937 3456 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

08:56:51.0937 3456 sysaudio - ok

08:56:52.0015 3456 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

08:56:52.0062 3456 Tcpip - ok

08:56:52.0171 3456 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

08:56:52.0171 3456 TDPIPE - ok

08:56:52.0203 3456 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

08:56:52.0203 3456 TDTCP - ok

08:56:52.0234 3456 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

08:56:52.0250 3456 TermDD - ok

08:56:52.0296 3456 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

08:56:52.0312 3456 TosIde - ok

08:56:52.0343 3456 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

08:56:52.0375 3456 Udfs - ok

08:56:52.0453 3456 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

08:56:52.0468 3456 ultra - ok

08:56:52.0531 3456 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

08:56:52.0562 3456 Update - ok

08:56:52.0828 3456 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

08:56:52.0843 3456 usbccgp - ok

08:56:52.0921 3456 USBCCID (2825e0e294686a26506690059e1f437a) C:\WINDOWS\system32\DRIVERS\usbccid.sys

08:56:52.0937 3456 USBCCID - ok

08:56:52.0984 3456 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

08:56:53.0000 3456 usbehci - ok

08:56:53.0046 3456 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

08:56:53.0062 3456 usbhub - ok

08:56:53.0093 3456 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

08:56:53.0093 3456 usbprint - ok

08:56:53.0171 3456 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

08:56:53.0187 3456 usbscan - ok

08:56:53.0265 3456 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

08:56:53.0265 3456 USBSTOR - ok

08:56:53.0281 3456 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

08:56:53.0296 3456 usbuhci - ok

08:56:53.0328 3456 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

08:56:53.0343 3456 VgaSave - ok

08:56:53.0406 3456 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

08:56:53.0421 3456 viaagp - ok

08:56:53.0500 3456 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

08:56:53.0500 3456 ViaIde - ok

08:56:53.0562 3456 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

08:56:53.0578 3456 VolSnap - ok

08:56:53.0593 3456 vqvhha - ok

08:56:53.0687 3456 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys

08:56:53.0734 3456 w39n51 - ok

08:56:53.0828 3456 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

08:56:53.0828 3456 Wanarp - ok

08:56:53.0890 3456 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys

08:56:53.0953 3456 Wdf01000 - ok

08:56:53.0968 3456 WDICA - ok

08:56:54.0031 3456 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

08:56:54.0046 3456 wdmaud - ok

08:56:54.0109 3456 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys

08:56:54.0140 3456 winachsf - ok

08:56:54.0281 3456 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

08:56:54.0328 3456 WpdUsb - ok

08:56:54.0343 3456 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

08:56:54.0359 3456 WS2IFSL - ok

08:56:54.0421 3456 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

08:56:54.0437 3456 WSTCODEC - ok

08:56:54.0515 3456 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

08:56:54.0546 3456 WudfPf - ok

08:56:54.0609 3456 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

08:56:54.0625 3456 WudfRd - ok

08:56:54.0687 3456 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

08:56:54.0906 3456 \Device\Harddisk0\DR0 - ok

08:56:54.0906 3456 Boot (0x1200) (17412757af2f8f331ed49ba180a9ccdc) \Device\Harddisk0\DR0\Partition0

08:56:54.0906 3456 \Device\Harddisk0\DR0\Partition0 - ok

08:56:54.0906 3456 ============================================================

08:56:54.0906 3456 Scan finished

08:56:54.0906 3456 ============================================================

08:56:54.0937 3448 Detected object count: 2

08:56:54.0937 3448 Actual detected object count: 2

09:01:53.0781 3448 Backup copy found, using it..

09:01:53.0953 3448 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot

09:01:53.0953 3448 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure

09:01:54.0218 3448 Backup copy found, using it..

09:01:54.0437 3448 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot

09:01:56.0843 3448 AFD ( Rootkit.Win32.ZAccess.k ) - User select action: Cure

09:02:46.0296 3328 Deinitialize success

Thanks Again, will be thrilled when all is right again.

  • Staff

Hi,

My apologies for the delay.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Thanks, I understand holidays, shortages ...

I had to completely uninstall ESET Security Es. to kill it due to not having any control.

Now that Malwarebytes, ComboFix and DDS have been run, I am reinstalling ESET.

I am getting used to the process of uninstalling and reinstalling :(

Thanks again. BTW, hope you had an awesome Christmas.

ComboFix said it deleted two instances of rootkit.zeroaccess; later it said it detected two more rootkits but did not report what they were, did a reboot, then finished.

**************************************************************

1. First completed the MBAM quick scan, here are the results:

**************************************************************

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2011.12.28.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Bob :: ADIGITALM [administrator]

12/27/2011 7:23:02 PM

mbam-log-2011-12-27 (19-23-02).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 229536

Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

**************************************

2. Ran ComboFix - Here is the log:

**************************************

ComboFix 11-12-27.01 - Bob 12/27/2011 20:06:28.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.660 [GMT -7:00]

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

C:\install.exe

c:\windows\$NtUninstallKB59619$

c:\windows\$NtUninstallKB59619$\2535997179

c:\windows\$NtUninstallKB59619$\3232639053\@

c:\windows\$NtUninstallKB59619$\3232639053\bckfg.tmp

c:\windows\$NtUninstallKB59619$\3232639053\cfg.ini

c:\windows\$NtUninstallKB59619$\3232639053\Desktop.ini

c:\windows\$NtUninstallKB59619$\3232639053\keywords

c:\windows\$NtUninstallKB59619$\3232639053\kwrd.dll

c:\windows\$NtUninstallKB59619$\3232639053\L\iahonoel

c:\windows\$NtUninstallKB59619$\3232639053\lsflt7.ver

c:\windows\$NtUninstallKB59619$\3232639053\U\00000001.@

c:\windows\$NtUninstallKB59619$\3232639053\U\00000002.@

c:\windows\$NtUninstallKB59619$\3232639053\U\00000004.@

c:\windows\$NtUninstallKB59619$\3232639053\U\80000000.@

c:\windows\$NtUninstallKB59619$\3232639053\U\80000004.@

c:\windows\$NtUninstallKB59619$\3232639053\U\80000032.@

c:\windows\system32\Cache

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-14 21:22 . 2011-12-14 21:22 -------- d-----w- c:\program files\Common Files\Java

2011-12-13 21:48 . 2011-12-13 21:49 1692968 ----a-w- C:\avg_remover_stf_x86_2012_1796.exe

2011-12-13 21:13 . 2008-04-13 19:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-13 21:13 . 2008-04-13 19:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

2011-11-29 19:33 . 2011-12-13 20:03 -------- d-----w- C:\123AB

2011-11-29 08:41 . 2011-11-29 08:41 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2011-11-29 08:40 . 2011-11-29 08:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-11-29 08:01 . 2011-11-29 08:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-14 16:05 . 2004-08-11 22:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-14 16:05 . 2004-08-04 04:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys

2011-12-10 22:24 . 2011-04-11 15:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-30 17:33 . 2006-09-26 21:46 89680 ----a-w- c:\documents and settings\Bob\MSSSerif120.fon

2011-11-12 00:56 . 2011-06-09 05:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-10 12:54 . 2010-05-13 19:01 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 10:27 . 2007-04-18 19:36 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-10-10 14:22 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-22 15:51 . 2011-05-11 01:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"nwiz"="nwiz.exe" [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-22 24576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk

backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VProperty.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VProperty.lnk

backup=c:\windows\pss\VProperty.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Finder]

2011-12-14 20:15 2203 ----a-w- c:\program files\Boingo\Boingo Wi-Finder\Boingo.lnk

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]

2006-11-27 16:25 255528 ----a-w- c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]

2006-03-09 17:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]

2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-06-03 15:37 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Home\\ftpte.exe"=

"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\uedit32.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

.

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 5:21 AM 92592]

S0 vqvhha;vqvhha;c:\windows\system32\drivers\btqjcpn.sys --> c:\windows\system32\drivers\btqjcpn.sys [?]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [12/23/2006 11:27 PM 156800]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

.

Contents of the 'Scheduled Tasks' folder

.

2009-03-23 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

.

2011-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2841834785-1377149234-1346910322-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]

.

2011-12-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2841834785-1377149234-1346910322-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]

.

2011-12-28 c:\windows\Tasks\User_Feed_Synchronization-{52F71B14-476C-4C3F-A717-D9333F264825}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.adigitalm.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

TCP: DhcpNameServer = 192.168.0.1

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam5.hrz.tu-darmstadt.de/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\6h5kru6m.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

SafeBoot-62665652.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-27 20:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(568)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(3436)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\snmp.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\System32\PAStiSvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint\HidFind.exe

c:\windows\stsystra.exe

c:\program files\Apoint\Apntex.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe

.

**************************************************************************

.

Completion time: 2011-12-27 20:41:04 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-28 03:40

.

Pre-Run: 12,272,414,720 bytes free

Post-Run: 12,740,771,840 bytes free

.

- - End Of File - - 8D0DD1D249B11EF566D71A816FE2DF42

*****************************

3. Finally ran DDS DSS Log:

*****************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30

Run by Bob at 21:26:11 on 2011-12-27

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.546 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Apoint\HidFind.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://mail.adigitalm.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://webcam.innonfifth.com:8080/VatDec.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151685220046

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://64.84.107.59/activex/AMC.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://80.59.219.32:86/activex/AxisCamControl.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam5.hrz.tu-darmstadt.de/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5F922AB0-1979-4C86-9178-78ED53B12405} : DhcpNameServer = 192.168.0.1

AppInit_DLLs: c:\windows\system32\wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\6h5kru6m.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

.

============= SERVICES / DRIVERS ===============

.

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

S0 vqvhha;vqvhha;c:\windows\system32\drivers\btqjcpn.sys --> c:\windows\system32\drivers\btqjcpn.sys [?]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]

S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [2006-12-23 156800]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

.

=============== Created Last 30 ================

.

2011-12-28 02:45:49 -------- d-sha-r- C:\cmdcons

2011-12-28 02:42:14 98816 ----a-w- c:\windows\sed.exe

2011-12-28 02:42:14 518144 ----a-w- c:\windows\SWREG.exe

2011-12-28 02:42:14 256000 ----a-w- c:\windows\PEV.exe

2011-12-28 02:42:14 208896 ----a-w- c:\windows\MBR.exe

2011-12-13 21:48:50 1692968 ----a-w- C:\avg_remover_stf_x86_2012_1796.exe

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

2011-11-29 19:33:37 -------- d-----w- C:\123AB

.

==================== Find3M ====================

.

2011-12-14 16:05:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys

2011-12-14 16:05:06 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-10 22:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-30 17:33:26 89680 ----a-w- c:\documents and settings\bob\MSSSerif120.fon

2011-11-30 15:11:23 3714 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-11-12 00:56:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-10 12:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 10:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 21:27:39.68 ===============


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Driver::
vqvhha

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

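The two posts above are the whole loop an analyst runs on a log like this: read the ComboFix "Reg Loading Points" and services block, pick out what does not belong (here the boot-start driver `vqvhha` whose image file ComboFix could not find, plus the Security Center override and disabled-firewall values), hand the driver name to a `Driver::` CFScript, and confirm on the next run that the entry is gone. The script below is an added example of that triage, not code from this thread, from Malwarebytes or from the ComboFix author. It assumes the line formats as they appear in the log above (a `[?]` metadata field means ComboFix found no file to read, `S0`/`S1` are boot/system start types, `dword:` and `n (0xn)` are the two numeric value spellings); the sample lines are constructed from the posted log, and the function and regex names are the example's own.

```python
import re

# Constructed sample in ComboFix "Reg Loading Points" / services format,
# modelled on the log posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 5:21 AM 92592]
S0 vqvhha;vqvhha;c:\windows\system32\drivers\btqjcpn.sys --> c:\windows\system32\drivers\btqjcpn.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]
"""

# Constructed "after" sample modelled on the second ComboFix run in this thread,
# where Service_vqvhha was deleted and EnableFirewall no longer appears.
SAMPLE_LOG_AFTER = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 5:21 AM 92592]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:00000001   or   "Name"= 0 (0x0)   (string values do not match)
NUMERIC_VALUE_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:)?([0-9a-fA-F]+)(?:\s*\(0x[0-9a-fA-F]+\))?\s*$')
# <R|S><start type> name;display name;image path [file metadata or ?]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s+\[(.*)\]$")


def parse_findings(log_text):
    """Walk ComboFix-style lines and return the entries worth an analyst's eye."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = NUMERIC_VALUE_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            # Security Center told not to monitor AV / firewall state
            if section.endswith("security center") and name.endswith("Override") and value == 1:
                findings.append({"kind": "security_center_override", "name": name})
            # Windows Firewall switched off for the standard profile
            elif section.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and value == 0:
                findings.append({"kind": "firewall_disabled", "name": name})
            continue
        m = SERVICE_RE.match(line)
        if m:
            start_type, name, meta = int(m.group(2)), m.group(3), m.group(6)
            # boot/system-start driver with no readable image file on disk
            if start_type <= 1 and meta == "?":
                findings.append({"kind": "missing_boot_driver", "name": name})
    return findings


def build_cfscript(findings):
    """CFScript text in the 'Driver::' form the helper used above, one name per line."""
    names = [f["name"] for f in findings if f["kind"] == "missing_boot_driver"]
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""


def service_names(log_text):
    """Set of service/driver names in a log's services block."""
    return {m.group(3) for m in (SERVICE_RE.match(l.strip()) for l in log_text.splitlines()) if m}


def removed_services(before, after):
    """Names present in the first log's services block but gone from the second."""
    return sorted(service_names(before) - service_names(after))


if __name__ == "__main__":
    before = parse_findings(SAMPLE_LOG)
    for f in before:
        print(f"{f['kind']:26} {f['name']}")
    print(build_cfscript(before), end="")
    print("removed after fix:", removed_services(SAMPLE_LOG, SAMPLE_LOG_AFTER))
```

The `[?]` test only says ComboFix could not read the file; it does not by itself prove the entry is malicious, and legitimate vendor components in the same log (the `wvauth` authentication package, for instance, belongs to the Wave Systems suite listed in the startup folders) would be flagged by a cruder name-based rule. The analyst confirms each candidate before it goes into the script, which is why the example only emits names from the `missing_boot_driver` finding and leaves the Security Center and firewall values as things to re-enable and re-check on the follow-up log.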


OK, ran ComboFix with the script and then DDS again. Here are the logs, first ComboFix:

******************************************

ComboFix

******************************************

ComboFix 12-01-02.01 - Bob 01/02/2012 12:51:09.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -7:00]

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_vqvhha

.

.

((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))

.

.

2011-12-14 21:22 . 2011-12-14 21:22 -------- d-----w- c:\program files\Common Files\Java

2011-12-13 21:48 . 2011-12-13 21:49 1692968 ----a-w- C:\avg_remover_stf_x86_2012_1796.exe

2011-12-13 21:13 . 2008-04-13 19:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-13 21:13 . 2008-04-13 19:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-14 16:05 . 2004-08-11 22:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-14 16:05 . 2004-08-04 04:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys

2011-12-10 22:24 . 2011-04-11 15:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-30 17:33 . 2006-09-26 21:46 89680 ----a-w- c:\documents and settings\Bob\MSSSerif120.fon

2011-11-23 13:25 . 2004-08-11 22:00 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-12 00:56 . 2011-06-09 05:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-10 12:54 . 2010-05-13 19:01 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 10:27 . 2007-04-18 19:36 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 19:20 . 2004-08-11 22:00 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2004-08-11 22:00 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-11 22:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-22 15:51 . 2011-05-11 01:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-12-28_16.07.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-01-02 20:10 . 2012-01-02 20:10 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat

+ 2012-01-02 19:42 . 2012-01-02 19:42 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat

+ 2012-01-02 20:10 . 2012-01-02 20:10 16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"nwiz"="nwiz.exe" [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-22 24576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk

backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VProperty.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VProperty.lnk

backup=c:\windows\pss\VProperty.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Finder]

2011-12-14 20:15 2203 ----a-w- c:\program files\Boingo\Boingo Wi-Finder\Boingo.lnk

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]

2006-11-27 16:25 255528 ----a-w- c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]

2006-03-09 17:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]

2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-06-03 15:37 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 7 Home\\ftpte.exe"=

"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\uedit32.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

.

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 5:21 AM 92592]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [12/23/2006 11:27 PM 156800]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

.

Contents of the 'Scheduled Tasks' folder

.

2009-03-23 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

.

2012-01-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2841834785-1377149234-1346910322-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]

.

2012-01-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2841834785-1377149234-1346910322-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]

.

2012-01-02 c:\windows\Tasks\User_Feed_Synchronization-{52F71B14-476C-4C3F-A717-D9333F264825}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.adigitalm.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam5.hrz.tu-darmstadt.de/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\6h5kru6m.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-02 13:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(500)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(3032)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\snmp.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\System32\PAStiSvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\stsystra.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2012-01-02 13:18:42 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-02 20:18

ComboFix2.txt 2011-12-28 16:12

ComboFix3.txt 2011-12-28 03:41

.

Pre-Run: 12,129,710,080 bytes free

Post-Run: 11,976,597,504 bytes free

.

- - End Of File - - 1EF3C09DE540E4800BF1AC1DC3A2DD60

************************************************************

DDS

************************************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30

Run by Bob at 13:23:51 on 2012-01-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://mail.adigitalm.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://webcam.innonfifth.com:8080/VatDec.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151685220046

DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://64.84.107.59/activex/AMC.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://80.59.219.32:86/activex/AxisCamControl.cab

DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam5.hrz.tu-darmstadt.de/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

AppInit_DLLs: c:\windows\system32\wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\6h5kru6m.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

.

============= SERVICES / DRIVERS ===============

.

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]

S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [2006-12-23 156800]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

.

=============== Created Last 30 ================

.

2011-12-28 02:45:49 -------- d-sha-r- C:\cmdcons

2011-12-28 02:42:14 98816 ----a-w- c:\windows\sed.exe

2011-12-28 02:42:14 518144 ----a-w- c:\windows\SWREG.exe

2011-12-28 02:42:14 256000 ----a-w- c:\windows\PEV.exe

2011-12-28 02:42:14 208896 ----a-w- c:\windows\MBR.exe

2011-12-13 21:48:50 1692968 ----a-w- C:\avg_remover_stf_x86_2012_1796.exe

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-12-13 21:13:05 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys

.

==================== Find3M ====================

.

2011-12-14 16:05:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys

2011-12-14 16:05:06 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-10 22:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-30 17:33:26 89680 ----a-w- c:\documents and settings\bob\MSSSerif120.fon

2011-11-30 15:11:23 3714 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-12 00:56:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-10 12:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 10:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 13:24:29.57 ===============

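The DDS "Pseudo HJT Report" above lists browser helper objects, Run-key autostarts, ActiveX download entries (DPF), the AppInit_DLLs value and the LSA authentication packages in a fixed line format. What follows is an added example written for this page; it is not part of the thread and is not DDS, Malwarebytes or screen317 tooling. It is a small Python parser that turns lines in that format into structured records and flags the classes of entry a reviewer normally confirms against a known vendor before moving on: system-wide hooks (AppInit_DLLs, LSA packages), Run entries whose executable is named without a full path, and ActiveX controls fetched from a bare IP address. The sample lines are excerpted from the log above; the flagging rules are my own triage heuristics, not anything DDS itself does.

```python
import re
from urllib.parse import urlparse

# Sample input: lines excerpted from the DDS "Pseudo HJT Report" posted above.
# The line formats are the ones DDS emits; nothing here is invented.
SAMPLE_DDS = r"""
uStart Page = hxxp://mail.adigitalm.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [nwiz] nwiz.exe /installquiet
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://64.84.107.59/activex/AMC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
AppInit_DLLs: c:\windows\system32\wxvault.dll
LSA: Authentication Packages = msv1_0 wvauth
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"

# One regex per DDS line type; order matters because the generic "Setting"
# pattern would otherwise swallow nothing here, but keep specific ones first.
PATTERNS = [
    ("Run",          re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")),
    ("BHO",          re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>" + CLSID + r") - (?P<target>.*)$")),
    ("DPF",          re.compile(r"^DPF: (?P<clsid>" + CLSID + r") - (?P<target>.+)$")),
    ("AppInit_DLLs", re.compile(r"^AppInit_DLLs: (?P<target>.+)$")),
    ("LSA",          re.compile(r"^LSA: (?P<name>[^=]+?) = (?P<target>.+)$")),
    ("Setting",      re.compile(r"^(?P<name>[um][A-Za-z ,]+?) = (?P<target>.+)$")),
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dds(text):
    """Turn DDS report lines into dicts; unrecognised lines are kept as 'Other'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append({
                    "kind": kind,
                    "name": d.get("name"),
                    "clsid": d.get("clsid"),
                    "target": d["target"],
                    # uRun = current user's Run key, mRun = machine-wide Run key
                    "scope": {"u": "user", "m": "machine"}.get(d.get("hive")),
                })
                break
        else:
            entries.append({"kind": "Other", "name": None, "clsid": None,
                            "target": line, "scope": None})
    return entries


def refang(url):
    """DDS writes hxxp:// so URLs are not clickable in a forum post; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def run_executable(target):
    """Extract the executable from a Run-key command line (quoted or first token)."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    return t.split(" ", 1)[0]


def review(entries):
    """Return (kind, target, reason) triples for entries worth confirming by hand."""
    findings = []
    for e in entries:
        k = e["kind"]
        if k in ("AppInit_DLLs", "LSA"):
            findings.append((k, e["target"],
                             "system-wide hook (every process / logon path); confirm the vendor"))
        elif k == "DPF":
            host = urlparse(refang(e["target"])).hostname or ""
            if IPV4.match(host):
                findings.append((k, e["target"], "ActiveX control fetched from a bare IP address"))
        elif k == "Run":
            if "\\" not in run_executable(e["target"]):
                findings.append((k, e["target"],
                                 "executable named without a full path; resolved by search order"))
    return findings


def summarize(entries):
    """Count entries per DDS line type."""
    counts = {}
    for e in entries:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_dds(SAMPLE_DDS)
    print(summarize(ents))
    for kind, target, why in review(ents):
        print(f"[{kind}] {target}\n    -> {why}")
```

The flags are prompts for review, not verdicts: an AppInit_DLLs or LSA entry may well belong to a component the machine's vendor installed, which is exactly what checking it against the vendor establishes, and a Run entry with a bare executable name is common for OEM utilities. The point of parsing the report is to make those checks systematic rather than eyeballing a few hundred lines of pasted output.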

  • Staff

Hi,

I apologize for the delay.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Go for it.

Prior to running the F-Secure online scan I uninstalled ESET Security Suite.

One thing I noticed running the online scan that was different than your instructions was once I clicked on the link, I got redirected to a different page on the F-secure site. The scanner used Java and never did ask for ActiveX since it was using the java virtual machine.

Here are the two scan results:

Scanned:

Files: 88326

System: 4697

Not scanned: 9

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\DOCUMENTS AND SETTINGS\BOB\LOCAL SETTINGS\TEMP\HSPERFDATA_BOB\2476

C:\DOCUMENTS AND SETTINGS\BOB\LOCAL SETTINGS\TEMP\HSPERFDATA_BOB\2712

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Results of screen317's Security Check version 0.99.30

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Spybot - Search & Destroy 1.5.2.20

Spybot - Search & Destroy

CCleaner

Java 6 Update 30

Adobe Flash Player 10.1.85.3 Flash Player out of Date!

Adobe Reader 9 Adobe Reader out of date!

Mozilla Firefox 5.0. Firefox out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Thanks for your help. Going to wait to re-install ESET since my last group of scans have been clean and I only get the GUI after the initial install. Once system is rebooted, I get the permissions / path error.


  • Staff

Hi,

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Spybot - Search & Destroy 1.5.2.20

Spybot - Search & Destroy

Adobe Flash Player 10.1.85.3

Adobe Reader 9

Restart your computer.

Get the latest version of Adobe Reader, and Adobe Flash Player.

Also update Firefox; ensure you are using version 9.

Reboot.

Install ESET.

Can you take a screenshot of the error you are receiving?


OK, did all of the above. Installed Eset again and all works fine until after reboot.

Image shows after install:

systray.jpg

eset5.jpg

esetgui.jpg

Now after reboot:

Does not start up in sys tray, but shows in processes

systrayafterreboot.jpg

Shows in processes

processafterreboot.jpg

And finally when I try to access the gui by the start menu > All Programs > ... >Eset Security Suite

I get this error:

eset5afterrreboot.jpg

I run ESET on 4 Windows machines, one Win 7 and 3 XP, and this only happened after infection.


Yes, they seem to. Computer runs faster... ping.exe is not there. Just seems like ESET will not run correctly. I was careful to fully remove it prior to reinstalling also. Used their uninstall tool in the event you have installation issues. Just odd it runs fine after installation then bam, reboot and here you go again? I worry that I am not protected.


  • Staff

You're very welcome. Here is my standard prevention speech after dealing with infection:

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Do update MBAM and run a Quick Scan. We released a new version recently.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
