
Smart Fortress 2012, Search Engine Redirect - Potential Rootkit?



Good afternoon!

One of our company workstations has come down with a bit of a bug.

It started with faux-anti-virus software called Smart Fortress 2012 being installed to the user's computer.

I was able to remove that (or so I thought), but the user continues to experience his search queries being redirected (often to Happili).

It's my understanding that his system may have been compromised with a rootkit.

I thought it best to post up here before taking further action...

A 'Quick Scan' with MBAM:

Malwarebytes' Anti-Malware 1.36

Database version: 2130

Windows 5.1.2600 Service Pack 3

5/16/2012 11:30:03 AM

mbam-log-2012-05-16 (11-30-03).txt

Scan type: Quick Scan

Objects scanned: 108433

Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS logs:

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Steve Hill at 11:30:54 on 2012-05-16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.334 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe

C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Camera Assistant Software for ViewSonic\traybar.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RDS\PLDLnk.exe

C:\Program Files\RDS\PLTBar.exe

C:\Program Files\Fonality\HUD3.0\HUD3.exe

C:\Program Files\RDS\RMClient\PMCTray.exe

C:\Program Files\Camera Assistant Software for ViewSonic\CEC_MAIN.exe

C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe

C:\Program Files\Memeo\AutoBackup\InstantBackup.exe

C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe

C:\WINDOWS\system32\igfxsrvc.exe

.

============== Pseudo HJT Report ===============

.

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for viewsonic\traybar.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe

mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe

mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui

mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent

mRun: [seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui

mRun: [shacds] rundll32.exe "c:\docume~1\steveh~1\locals~1\temp\shacds.dll",CreateRenderToEnvMap

mRun: [ntvmsi] rundll32.exe "c:\docume~1\steveh~1\locals~1\temp\ntvmsi.dll",EnumDriveModeReset

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\steveh~1\startm~1\programs\startup\hud30~1.lnk - c:\program files\fonality\hud3.0\HUD3.exe

StartupFolder: c:\docume~1\steveh~1\startm~1\programs\startup\mybackup.lnk - c:\windows\system32\bu.bat

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autodo~1.lnk - c:\program files\rds\PLDLnk.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\functi~1.lnk - c:\program files\rds\PLTBar.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198027027828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.1.3 192.168.1.7

TCP: Interfaces\{F5D56A8A-030B-4E4B-9CDF-8B7B4CB7BCA0} : DhcpNameServer = 192.168.1.3 192.168.1.7

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2003-7-7 75520]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-14 47640]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2011-5-4 25824]

R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 253600]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2012-04-18 17:19:05 -------- d-----w- c:\documents and settings\steve hill\local settings\application data\Threat Expert

2012-04-18 17:07:02 -------- d-----w- c:\program files\PC Tools

2012-04-18 16:53:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-04-18 16:53:44 -------- d-----w- c:\program files\common files\PC Tools

2012-04-18 16:53:09 -------- d-----w- c:\documents and settings\steve hill\application data\TestApp

2012-04-18 16:53:09 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

.

==================== Find3M ====================

.

2012-04-11 17:54:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-11 17:54:14 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

============= FINISH: 11:31:23.82 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/18/2007 7:40:03 PM

System Uptime: 5/2/2012 4:19:24 PM (331 hours ago)

.

Motherboard: | | P4i65G

Processor: Intel® Pentium® 4 CPU 3.00GHz | mPGA478 | 2999/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 96.825 GiB free.

D: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1523: 2/17/2012 3:26:38 AM - System Checkpoint

RP1524: 2/18/2012 4:26:38 AM - System Checkpoint

RP1525: 2/19/2012 5:26:39 AM - System Checkpoint

RP1526: 2/20/2012 6:26:38 AM - System Checkpoint

RP1527: 2/21/2012 7:26:38 AM - System Checkpoint

RP1528: 2/22/2012 8:26:39 AM - System Checkpoint

RP1529: 2/23/2012 10:07:54 AM - System Checkpoint

RP1530: 2/24/2012 10:26:38 AM - System Checkpoint

RP1531: 2/25/2012 11:26:38 AM - System Checkpoint

RP1532: 2/26/2012 12:26:39 PM - System Checkpoint

RP1533: 2/27/2012 1:40:49 PM - System Checkpoint

RP1534: 2/28/2012 2:27:35 PM - System Checkpoint

RP1535: 2/29/2012 3:26:39 PM - System Checkpoint

RP1536: 3/1/2012 4:26:38 PM - System Checkpoint

RP1537: 3/2/2012 5:26:38 PM - System Checkpoint

RP1538: 3/3/2012 6:26:39 PM - System Checkpoint

RP1539: 3/4/2012 7:26:38 PM - System Checkpoint

RP1540: 3/5/2012 8:26:38 PM - System Checkpoint

RP1541: 3/6/2012 9:26:39 PM - System Checkpoint

RP1542: 3/7/2012 10:26:38 PM - System Checkpoint

RP1543: 3/8/2012 11:26:39 PM - System Checkpoint

RP1544: 3/10/2012 12:26:40 AM - System Checkpoint

RP1545: 3/11/2012 2:26:40 AM - System Checkpoint

RP1546: 3/12/2012 3:26:38 AM - System Checkpoint

RP1547: 3/13/2012 4:26:38 AM - System Checkpoint

RP1548: 3/14/2012 4:48:36 AM - System Checkpoint

RP1549: 3/15/2012 5:48:36 AM - System Checkpoint

RP1550: 3/16/2012 6:48:36 AM - System Checkpoint

RP1551: 3/17/2012 7:48:36 AM - System Checkpoint

RP1552: 3/18/2012 8:48:36 AM - System Checkpoint

RP1553: 3/19/2012 9:28:11 AM - System Checkpoint

RP1554: 3/20/2012 11:36:38 AM - System Checkpoint

RP1555: 3/21/2012 11:49:41 AM - System Checkpoint

RP1556: 3/22/2012 12:06:58 PM - System Checkpoint

RP1557: 3/23/2012 2:39:43 PM - System Checkpoint

RP1558: 3/24/2012 2:48:36 PM - System Checkpoint

RP1559: 3/25/2012 3:48:36 PM - System Checkpoint

RP1560: 3/26/2012 4:11:22 PM - System Checkpoint

RP1561: 3/27/2012 4:40:04 PM - System Checkpoint

RP1562: 3/28/2012 4:51:01 PM - System Checkpoint

RP1563: 3/29/2012 5:08:50 PM - System Checkpoint

RP1564: 3/30/2012 6:08:50 PM - System Checkpoint

RP1565: 3/31/2012 7:08:50 PM - System Checkpoint

RP1566: 4/1/2012 8:08:51 PM - System Checkpoint

RP1567: 4/2/2012 12:26:18 PM - Installed Microsoft Visual C++ 2005 Redistributable

RP1568: 4/3/2012 1:46:18 PM - System Checkpoint

RP1569: 4/4/2012 2:08:52 PM - System Checkpoint

RP1570: 4/5/2012 3:08:51 PM - System Checkpoint

RP1571: 4/6/2012 4:08:52 PM - System Checkpoint

RP1572: 4/7/2012 5:08:51 PM - System Checkpoint

RP1573: 4/8/2012 6:08:52 PM - System Checkpoint

RP1574: 4/9/2012 7:08:52 PM - System Checkpoint

RP1575: 4/10/2012 8:08:52 PM - System Checkpoint

RP1576: 4/11/2012 8:56:44 PM - System Checkpoint

RP1577: 4/12/2012 10:15:15 PM - System Checkpoint

RP1578: 4/13/2012 10:56:41 PM - System Checkpoint

RP1579: 4/14/2012 11:56:41 PM - System Checkpoint

RP1580: 4/16/2012 12:56:41 AM - System Checkpoint

RP1581: 4/17/2012 1:56:42 AM - System Checkpoint

RP1582: 4/18/2012 2:56:42 AM - System Checkpoint

RP1583: 4/19/2012 3:02:59 AM - System Checkpoint

RP1584: 4/20/2012 3:38:46 AM - System Checkpoint

RP1585: 4/21/2012 4:38:45 AM - System Checkpoint

RP1586: 4/22/2012 5:38:45 AM - System Checkpoint

RP1587: 4/23/2012 7:14:51 AM - System Checkpoint

RP1588: 4/24/2012 7:38:46 AM - System Checkpoint

RP1589: 4/25/2012 12:11:31 PM - System Checkpoint

RP1590: 4/26/2012 12:50:01 PM - System Checkpoint

RP1591: 4/27/2012 2:17:03 PM - System Checkpoint

RP1592: 4/28/2012 2:38:45 PM - System Checkpoint

RP1593: 4/29/2012 3:38:45 PM - System Checkpoint

RP1594: 4/30/2012 4:38:46 PM - System Checkpoint

RP1595: 5/1/2012 5:38:45 PM - System Checkpoint

RP1596: 5/2/2012 6:23:28 PM - System Checkpoint

RP1597: 5/3/2012 7:23:28 PM - System Checkpoint

RP1598: 5/4/2012 8:23:28 PM - System Checkpoint

RP1599: 5/5/2012 9:23:28 PM - System Checkpoint

RP1600: 5/6/2012 10:23:28 PM - System Checkpoint

RP1601: 5/7/2012 11:23:28 PM - System Checkpoint

RP1602: 5/9/2012 12:23:28 AM - System Checkpoint

RP1603: 5/10/2012 1:23:28 AM - System Checkpoint

RP1604: 5/11/2012 2:23:28 AM - System Checkpoint

RP1605: 5/12/2012 3:23:28 AM - System Checkpoint

RP1606: 5/13/2012 4:23:28 AM - System Checkpoint

RP1607: 5/14/2012 5:23:28 AM - System Checkpoint

RP1608: 5/15/2012 6:23:28 AM - System Checkpoint

RP1609: 5/16/2012 7:23:28 AM - System Checkpoint

.

==== Installed Programs ======================

.

Acrobat.com

Adobe Acrobat 9 Standard - English, Français, Deutsch

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.2

Amazon Kindle

AnzioWin 12.4

Apple Application Support

Apple Software Update

C-Media 3D Audio

C-Media WDM Audio Driver

Camera Assistant Software for ViewSonic

CCleaner

Compatibility Pack for the 2007 Office system

DeskTopBinder - SmartDeviceMonitor for Client

DeskTopBinder Lite

Fonality HUD 3.0

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

HijackThis 2.0.2

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Extreme Graphics 2 Driver

Java 6 Update 14

Java 6 Update 4

Malwarebytes' Anti-Malware

Memeo AutoSync

Memeo Instant Backup

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft Baseline Security Analyzer 2.1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Professional Edition 2003

Microsoft Outlook Personal Folders Backup

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Nero OEM

Picasa 3

PowerDVD

PrimoPDF -- by Nitro PDF Software

QuickTime

REALTEK Gigabit and Fast Ethernet NIC Driver

Seagate Dashboard

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Smart Fortress 2012

Type1515 TWAIN Driver Ver.3

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

.

==== End Of File ===========================

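A triage helper for the DDS "Pseudo HJT Report" above, added here as an example (it is not part of the original post and not a DDS or Malwarebytes tool). It parses the uRun/mRun/StartupFolder lines DDS prints and flags autoruns whose target lives in a user-profile Temp directory (a DLL loaded via rundll32.exe, in particular) or that launch a script; the sample lines are copied from the log in the post. The regexes, function names and "suspicious" rules are the example's own assumptions, not DDS conventions.

```python
"""Flag suspicious autorun entries in a DDS 'Pseudo HJT Report'.

Added example, not from the forum thread or from DDS. Rules and names
below are assumptions made for illustration.
"""
import re

# Line shapes DDS prints for autoruns:
#   "mRun: [name] command"  /  "uRun: [name] command"
#   "StartupFolder: <path to .lnk> - <target>"
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s*(?P<lnk>.*?)\s+-\s+(?P<target>.*)$")

# Temp locations in both long and DOS 8.3 spellings (docume~1, locals~1),
# as DDS prints them.  Installers should not persist from here.
TEMP_DIR_RE = re.compile(
    r"(locals~1\\temp|local settings\\temp|\\temp\\|\\tmp\\)", re.IGNORECASE)
# rundll32[.exe] "<path>.dll",<ExportName>
RUNDLL_RE = re.compile(
    r'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(bat|cmd|vbs|js)\b", re.IGNORECASE)

# Constructed sample: lines taken from the DDS log in the post above,
# plus one BHO line to show that non-autorun lines are ignored.
SAMPLE_LOG = [
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd',
    r'mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"',
    r'mRun: [shacds] rundll32.exe "c:\docume~1\steveh~1\locals~1\temp\shacds.dll",CreateRenderToEnvMap',
    r'mRun: [ntvmsi] rundll32.exe "c:\docume~1\steveh~1\locals~1\temp\ntvmsi.dll",EnumDriveModeReset',
    r'mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto',
    r'StartupFolder: c:\docume~1\steveh~1\startm~1\programs\startup\mybackup.lnk - c:\windows\system32\bu.bat',
    r'BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll',
]


def parse_autoruns(lines):
    """Return one dict per autorun line: kind, name and launch command."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": m.group("hive") + "Run",
                            "name": m.group("name"),
                            "command": m.group("cmd")})
            continue
        m = STARTUP_RE.match(line)
        if m:
            # Use the .lnk file name as the entry name.
            entries.append({"kind": "StartupFolder",
                            "name": m.group("lnk").rsplit("\\", 1)[-1],
                            "command": m.group("target")})
    return entries


def classify(entry):
    """Return the reasons an entry deserves a second look (empty = none)."""
    reasons = []
    cmd = entry["command"]
    dll = RUNDLL_RE.search(cmd)
    if dll and TEMP_DIR_RE.search(dll.group(2)):
        reasons.append("rundll32 loads %s from a Temp directory" % dll.group(2))
    elif TEMP_DIR_RE.search(cmd):
        reasons.append("autorun target lives in a Temp directory")
    if SCRIPT_RE.search(cmd):
        # Not necessarily malicious (a backup batch file is common); review by hand.
        reasons.append("startup target is a script; review by hand")
    return reasons


def find_suspicious(lines):
    """Return (entry, reasons) pairs for every flagged autorun, in log order."""
    flagged = []
    for entry in parse_autoruns(lines):
        reasons = classify(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in find_suspicious(SAMPLE_LOG):
        print("%-14s %-14s %s" % (entry["kind"], entry["name"], entry["command"]))
        for r in reasons:
            print("    -> " + r)
```

On the sample, the two rundll32 entries flagged (shacds, ntvmsi) are exactly the Run values that the MBAM log later in the thread quarantines; the bu.bat entry is only marked for manual review.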

Welcome to the forum.

Your version of Malwarebytes is out of date. Please go to your Control Panel's Add/Remove Programs and uninstall Malwarebytes.

Malwarebytes' Anti-Malware 1.36

Database version: 2130

Then.......

Please download Malwarebytes' Anti-Malware Free from Here

or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

Note: -->Do not run a full scan with MBAM. It is not required or needed.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy & paste the entire report in your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------------------------------------

Reboot and .......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.17.06

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

hilladmin :: STEVE [administrator]

5/17/2012 12:07:10 PM

mbam-log-2012-05-17 (12-07-10).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 230098

Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|shacds (Trojan.Midhos) -> Data: rundll32.exe "C:\DOCUME~1\STEVEH~1\LOCALS~1\Temp\shacds.dll",CreateRenderToEnvMap -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ntvmsi (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\STEVEH~1\LOCALS~1\Temp\ntvmsi.dll",EnumDriveModeReset -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Documents and Settings\Steve Hill\Local Settings\Temp\shacds.dll (Trojan.Midhos) -> Quarantined and deleted successfully.

C:\Documents and Settings\Steve Hill\Local Settings\Temp\5F4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Steve Hill\Local Settings\Temp\ms0cfg32.exe (Trojan.Zbot.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Steve Hill\Local Settings\Temp\~!#5F2.tmp (Trojan.Midhos) -> Quarantined and deleted successfully.

C:\Documents and Settings\Steve Hill\Local Settings\Temp\ntvmsi.dll (Trojan.Agent.LTGen) -> Quarantined and deleted successfully.

(end)

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User: hilladmin [Admin rights]

Mode: Scan -- Date: 05/17/2012 12:21:42

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[BLACKLIST DLL] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Promise 1X2 Mirror/RAID1 SCSI Disk Device +++++

--- User ---

[MBR] 0b15216fe5021d123fa3ff5a3629db25

[BSP] 8d5f8c01d346bf742ec956dc13aaa968 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>


Please don't put the logs or your posts in "code"!!

--------------------------------------

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. MrC


Where did you see that RogueKiller said to run CF and TDSSKiller??

---------------------------------

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Please don't put the logs or your posts in "code"!!

Deal. My apologies.

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

[...]

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. MrC

Alright. This is actually our president's computer and he is not here today. I will have to speak with him tonight/tomorrow to see which route he would like to go (we may be just replacing his computer altogether).

In the meantime I have disconnected the ethernet cable from the computer and have shut it down.

Where did you see that RogueKiller said to run CF and TDSSKiller??

Upon completion of the scan, it opened a webpage (tigzyrk's blogspot) with those instructions.

Please download and run ComboFix.

[...]

I want to speak to the user before I take any further action on his computer.

If that's okay I'll reply to this thread tomorrow with an update...


MrC,

We have decided to replace the computer in question...

Between this rootkit and the computer's prior poor performance and age (it's an old XP rig), the user is due for an upgrade.

I would still, however, like to attempt cleaning the system if you're still willing to help.

I'm setting up the replacement right now, but I will move the infected system to my office and resume troubleshooting tomorrow.

I'll start with ComboFix and will post the log upon scan completion tomorrow morning.

Thank you again for your help!


MrC,

ComboFix has finished its scan. Here are the contents of C:\ComboFix.txt:


Not sure why it posted each line in a div tag... here's a second copy:

ComboFix 12-05-18.02 - WSAdmin 05/18/2012 8:28.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.723 [GMT -7:00]

Running from: c:\documents and settings\WSAdmin\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

C:\LOG77.tmp

c:\windows\$NtUninstallKB14440$

c:\windows\$NtUninstallKB14440$\1385835267

c:\windows\system32\Cache

c:\windows\system32\Cache\101c1e1293b706d5.fb

c:\windows\system32\Cache\272512937d9e61a4.fb

c:\windows\system32\Cache\287204568329e189.fb

c:\windows\system32\Cache\28bc8f716fd76a47.fb

c:\windows\system32\Cache\2c53092c95605355.fb

c:\windows\system32\Cache\3917078cb68ec657.fb

c:\windows\system32\Cache\590ba23ce359fd0c.fb

c:\windows\system32\Cache\610289e025a3ee9a.fb

c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb

c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\system32\Cache\a6edf544de5c2f0f.fb

c:\windows\system32\Cache\a8556537add6dfc5.fb

c:\windows\system32\Cache\ad10a52aff5e038d.fb

c:\windows\system32\Cache\c4d28dca2e7648be.fb

c:\windows\system32\Cache\d201ef9910cd39de.fb

c:\windows\system32\Cache\d2e94710a5708128.fb

c:\windows\system32\Cache\d79b9dfe81484ec4.fb

c:\windows\system32\Cache\e0de16f883bea794.fb

.

.

((((((((((((((((((((((((( Files Created from 2012-04-18 to 2012-05-18 )))))))))))))))))))))))))))))))

.

.

2012-05-18 15:01 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2012-05-18 15:01 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2012-05-17 21:53 . 2012-05-17 21:53 -------- d-----w- c:\documents and settings\WSAdmin

2012-05-17 19:21 . 2012-05-17 19:21 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-05-17 19:05 . 2012-05-17 19:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2012-04-18 17:19 . 2012-04-18 17:19 -------- d-----w- c:\documents and settings\Steve Hill\Local Settings\Application Data\Threat Expert

2012-04-18 17:07 . 2012-04-18 22:01 -------- d-----w- c:\program files\PC Tools

2012-04-18 16:53 . 2012-04-18 22:01 -------- d-----w- c:\program files\Common Files\PC Tools

2012-04-18 16:53 . 2012-02-24 17:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys

2012-04-18 16:53 . 2012-04-18 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2012-04-18 16:53 . 2012-04-18 16:53 -------- d-----w- c:\documents and settings\Steve Hill\Application Data\TestApp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Camera Assistant Software"="c:\program files\Camera Assistant Software for ViewSonic\traybar.exe" [2006-12-23 794688]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2007-08-30 229481]

"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2007-08-30 49254]

"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-05-04 136416]

"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2011-05-04 144608]

"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

.

c:\documents and settings\Steve Hill\Start Menu\Programs\Startup\

HUD 3.0.lnk - c:\program files\Fonality\HUD3.0\HUD3.exe [N/A]

MyBackup.lnk - c:\windows\system32\bu.bat [2008-5-3 218]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Auto Document Link.lnk - c:\program files\RDS\PLDLnk.exe [2009-6-30 561152]

Function Palette.lnk - c:\program files\RDS\PLTBar.exe [2009-6-30 163840]

SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-6-30 581731]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 15:08 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-09-27 14:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-07-28 21:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\RDS\\RView.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=

.

R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [7/7/2003 4:20 AM 75520]

R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [5/4/2011 2:04 PM 25824]

R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 9:42 AM 14088]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:33 AM 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 10:33 AM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 17:32]

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 17:32]

.

2012-05-18 c:\windows\Tasks\User_Feed_Synchronization-{8196E1E1-C2A0-4112-8A49-CCA1A181EBBF}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

.

.

------- Supplementary Scan -------

.

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-Cmaudio - cmicnfg.cpl

MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

MSConfigStartUp-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe

MSConfigStartUp-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-18 08:35

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.avgtdix]

"ImagePath"="\?"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\LMIinit.dll

c:\windows\system32\adsldpc.dll

.

- - - - - - - > 'explorer.exe'(2036)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\RunDll32.exe

c:\program files\RDS\RMClient\PMCTray.exe

c:\program files\Memeo\AutoBackup\InstantBackup.exe

c:\program files\Camera Assistant Software for ViewSonic\CEC_MAIN.exe

.

**************************************************************************

.

Completion time: 2012-05-18 08:37:43 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-18 15:37

.

Pre-Run: 84,912,222,208 bytes free

Post-Run: 86,369,820,672 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 3830F9148EF88DFBD0EFC89398503984

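Before taking a log like this as clean, it pays to pull the indicators out of it by script rather than by eye. Four are visible above: ComboFix removed `c:\windows\$NtUninstallKB14440$\1385835267`, a fake hotfix-uninstall folder with a purely numeric subfolder (a real XP hotfix folder carries a six- or seven-digit KB number; this is the hiding place 32-bit ZeroAccess used, which lines up with the RogueKiller detection earlier in the thread); it also removed a `system32\Cache` folder full of 16-hex-character `.fb` files; the Windows Firewall is off (`EnableFirewall = 0`) and Security Center's warning about that is silenced (`FirewallOverride = 1`); and the `.avgtdix` service has an ImagePath of `\?`, which is not a path. The Python below is an added example, not ComboFix's code: it walks a ComboFix log, tracks which registry key a value line belongs to, and applies those four rules. The rule names, the 5-digit-KB cut-off and the path heuristic are this example's own, and the sample input is an excerpt of the log posted above.

```python
"""Added example (not ComboFix's code): rule-based triage of a ComboFix log.

Walks the log line by line, remembers which registry key a "name"=value
line sits under, and applies four rules for the indicators in this thread:
a fake hotfix-uninstall folder, hashed file names under system32\\Cache,
the firewall off with the Security Center warning suppressed, and a
service whose ImagePath is not a path.  Rule names and thresholds are
this example's own heuristics.
"""
import re
import sys
from collections import Counter

# A real XP hotfix folder is $NtUninstallKB<6-7 digits>$; a short number plus a
# purely numeric subfolder is the ZeroAccess hiding place seen in this thread
# (assumption: the 5-digit cut-off is this example's heuristic).
FAKE_HOTFIX = re.compile(r"\\\$NtUninstallKB(\d{1,5})\$(?:\\\d+)?$", re.I)
HASHED_CACHE = re.compile(r"\\system32\\Cache\\[0-9a-f]{16}\.\w+$", re.I)
REG_KEY = re.compile(r"^\[(HK[^\]]+)\]$", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Anything that looks like a driver or service binary location.
PATH_LIKE = re.compile(r"(?:^|\\)[a-z]:\\|system32\\|systemroot\\", re.I)


def triage(log_text):
    """Return a list of (rule, evidence) pairs for one ComboFix log."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()      # context for the value lines below it
            continue
        if FAKE_HOTFIX.search(line):
            findings.append(("fake_hotfix_folder", line))
            continue
        if HASHED_CACHE.search(line):
            findings.append(("hashed_cache_file", line))
            continue
        m = REG_VALUE.match(line)
        if not m or not current_key:
            continue
        name, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if "security center" in current_key and name == "firewalloverride" and value.endswith("1"):
            findings.append(("security_center_override", f"{current_key}: {line}"))
        elif current_key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and value.startswith("0"):
            findings.append(("firewall_disabled", f"{current_key}: {line}"))
        elif "\\services\\" in current_key and name == "imagepath" and not PATH_LIKE.search(value):
            findings.append(("service_bad_imagepath", f"{current_key}: {line}"))
    return findings


def count_by_rule(findings):
    """Number of hits per rule, for a one-line summary."""
    return dict(Counter(rule for rule, _ in findings))


# Excerpt of the ComboFix log posted above, trimmed to the lines the rules look at.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\TEMP
C:\LOG77.tmp
c:\windows\$NtUninstallKB14440$
c:\windows\$NtUninstallKB14440$\1385835267
c:\windows\system32\Cache
c:\windows\system32\Cache\101c1e1293b706d5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [7/7/2003 4:20 AM 75520]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.avgtdix]
"ImagePath"="\?"
"""


if __name__ == "__main__":
    # Usage: python triage.py C:\ComboFix.txt   (falls back to the excerpt above)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = triage(text)
    for rule, evidence in hits:
        print(f"{rule:26} {evidence}")
    print(count_by_rule(hits))
```

Two of the four rules fire on configuration rather than on files, which is the point: ComboFix deleting the folder does not turn the firewall back on or restore the Security Center alert, so those entries still need to be fixed by hand (or the machine rebuilt) after the cleanup run.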

Looks Good...CF dealt with the infection, please do this next:

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

MrC

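A small triage script for the log the post above asks for, mapping each TDSSKiller finding to the Skip / Delete / Cure choice the post describes. This is an added example, not the thread's or Kaspersky's code; the line format is modeled on the log the user posted, and the lines in SAMPLE_LOG are constructed (the TDLFS and rootkit entries are placeholders, not findings from this machine).

```python
"""Triage TDSSKiller log lines using the Skip / Delete / Cure rules from the post."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Verdicts the post says to Skip: a missing or locked driver signature is a
# signature-check warning, not proof of infection (check the file manually later).
SKIP_VERDICTS = {"UnsignedFile.Multi.Generic", "LockedFile.Multi.Generic"}
# The hidden TDL file system on the disk device: the post says to choose Delete.
DELETE_VERDICTS = {"TDSS File System"}

# Result line:  "HH:MM:SS.mmmm TID <object> - detected <verdict> (<count>)"
DETECTED_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+[0-9A-Fa-f]{4}\s+(?P<obj>.+?)\s+-\s+detected\s+"
    r"(?P<verdict>.+?)\s+\((?P<count>\d+)\)\s*$"
)
# Clean line:   "HH:MM:SS.mmmm TID <object> - ok"
OK_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+[0-9A-Fa-f]{4}\s+(?P<obj>.+?)\s+-\s+ok\s*$")


@dataclass
class Finding:
    obj: str      # service, driver or device the verdict applies to
    verdict: str  # TDSSKiller verdict name
    action: str   # Skip, Delete or Cure, as the post instructs


def recommend(verdict: str) -> str:
    """Map a verdict to the action the post tells the user to pick."""
    if verdict in SKIP_VERDICTS:
        return "Skip"
    if verdict in DELETE_VERDICTS:
        return "Delete"
    # Any other malicious object: Cure if offered; the post says Skip otherwise.
    return "Cure"


def triage(log_text: str) -> Tuple[List[Finding], int]:
    """Return (findings needing a decision, number of objects reported ok)."""
    findings: List[Finding] = []
    ok_count = 0
    for line in log_text.splitlines():
        m = DETECTED_RE.match(line)
        if m:
            findings.append(Finding(m["obj"], m["verdict"], recommend(m["verdict"])))
        elif OK_RE.match(line):
            ok_count += 1
    return findings, ok_count


# Constructed sample in the posted log's format (TDLFS and rootkit lines are placeholders).
SAMPLE_LOG = r"""
08:57:01.0062 1672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:57:01.0421 1672 ACPI - ok
08:57:04.0062 1672 catchme - ok
08:57:08.0375 1672 Fasttrak (eb1c078d99cc081c1d2ae3a19e2284cc) C:\WINDOWS\system32\drivers\Fasttrak.sys
08:57:08.0375 1672 Fasttrak ( UnsignedFile.Multi.Generic ) - warning
08:57:08.0375 1672 Fasttrak - detected UnsignedFile.Multi.Generic (1)
08:57:40.0000 1672 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:57:41.0000 1672 examplesvc - detected Rootkit.Example.Placeholder (0)
"""

if __name__ == "__main__":
    found, ok = triage(SAMPLE_LOG)
    print(f"{ok} objects ok, {len(found)} need a decision")
    for f in found:
        print(f"  {f.action:6} {f.obj}  [{f.verdict}]")
```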

That's good news!

Here are the contents of TDSSKiller.2.7.35.0_18.05.2012_08.56.27_log.txt:

08:56:27.0015 0620 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57

08:56:27.0031 0620 ============================================================

08:56:27.0031 0620 Current date / time: 2012/05/18 08:56:27.0031

08:56:27.0031 0620 SystemInfo:

08:56:27.0031 0620

08:56:27.0031 0620 OS Version: 5.1.2600 ServicePack: 3.0

08:56:27.0031 0620 Product type: Workstation

08:56:27.0031 0620 ComputerName: STEVE

08:56:27.0031 0620 UserName: WSAdmin

08:56:27.0031 0620 Windows directory: C:\WINDOWS

08:56:27.0031 0620 System windows directory: C:\WINDOWS

08:56:27.0031 0620 Processor architecture: Intel x86

08:56:27.0031 0620 Number of processors: 2

08:56:27.0031 0620 Page size: 0x1000

08:56:27.0031 0620 Boot type: Normal boot

08:56:27.0031 0620 ============================================================

08:56:28.0125 0620 Drive \Device\Harddisk0\DR0 - Size: 0x25433C0000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058

08:56:28.0125 0620 Drive \Device\Harddisk1\DR4 - Size: 0x1D11B0000 (7.27 Gb), SectorSize: 0x200, Cylinders: 0x3B4, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'

08:56:28.0125 0620 ============================================================

08:56:28.0125 0620 \Device\Harddisk0\DR0:

08:56:28.0125 0620 MBR partitions:

08:56:28.0125 0620 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1

08:56:28.0125 0620 \Device\Harddisk1\DR4:

08:56:28.0125 0620 MBR partitions:

08:56:28.0125 0620 \Device\Harddisk1\DR4\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xE88D08

08:56:28.0125 0620 ============================================================

08:56:28.0156 0620 C: <-> \Device\Harddisk0\DR0\Partition0

08:56:28.0156 0620 ============================================================

08:56:28.0156 0620 Initialize success

08:56:28.0156 0620 ============================================================

08:57:00.0640 1672 ============================================================

08:57:00.0640 1672 Scan started

08:57:00.0640 1672 Mode: Manual; SigCheck; TDLFS;

08:57:00.0640 1672 ============================================================


08:57:35.0125 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

08:57:35.0609 1672 \Device\Harddisk0\DR0 - ok

08:57:35.0625 1672 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR4

08:57:35.0734 1672 \Device\Harddisk1\DR4 - ok

08:57:35.0750 1672 Boot (0x1200) (e0e07ad61cf13cb9ce013f7cd8fd4650) \Device\Harddisk0\DR0\Partition0

08:57:35.0750 1672 \Device\Harddisk0\DR0\Partition0 - ok

08:57:35.0765 1672 Boot (0x1200) (192579358b90abc2259fe7b269d6bd9f) \Device\Harddisk1\DR4\Partition0

08:57:35.0765 1672 \Device\Harddisk1\DR4\Partition0 - ok

08:57:35.0765 1672 ============================================================

08:57:35.0765 1672 Scan finished

08:57:35.0765 1672 ============================================================

08:57:35.0890 3872 Detected object count: 1

08:57:35.0890 3872 Actual detected object count: 1

08:58:11.0781 3872 Fasttrak ( UnsignedFile.Multi.Generic ) - skipped by user

08:58:11.0781 3872 Fasttrak ( UnsignedFile.Multi.Generic ) - User select action: Skip
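A small parser for the TDSSKiller log layout shown above, added here as an example (it is not a tool from the thread or from Kaspersky). It pairs each enumeration line (name, MD5, path) with its verdict line, keys MBR/boot-sector verdicts back to their object by device path, collects detections such as the UnsignedFile.Multi.Generic hit on Fasttrak, and lists what a reviewer should look at. The sample input is an excerpt of the log above, trimmed to a few lines.

```python
import re

# Excerpt of the TDSSKiller log posted above, trimmed to a few representative lines.
SAMPLE_LOG = """\
08:57:30.0468 1672 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\\WINDOWS\\System32\\upnphost.dll
08:57:30.0593 1672 upnphost - ok
08:57:35.0125 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \\Device\\Harddisk0\\DR0
08:57:35.0609 1672 \\Device\\Harddisk0\\DR0 - ok
08:57:35.0890 3872 Detected object count: 1
08:57:35.0890 3872 Actual detected object count: 1
08:58:11.0781 3872 Fasttrak ( UnsignedFile.Multi.Generic ) - skipped by user
08:58:11.0781 3872 Fasttrak ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4} \d+ (.*)$")          # time, pid, body
HASH_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
STATUS_RE = re.compile(r"^(?P<name>.+?)(?: \( (?P<det>[^)]+) \))? - (?P<status>.+)$")
COUNT_RE = re.compile(r"^(?:Actual )?[Dd]etected object count: (\d+)$")

def parse_tdsskiller(text):
    """Map each scanned object to its MD5/path/verdict and collect detections."""
    objects, detections, reported = {}, {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                      # blank lines and anything without the time/pid prefix
        body = m.group(1)
        if c := COUNT_RE.match(body):
            reported = int(c.group(1))
        elif h := HASH_RE.match(body):    # enumeration line: name (md5) path
            objects[h["name"]] = {"md5": h["md5"], "path": h["path"], "status": None}
        elif s := STATUS_RE.match(body):  # verdict line: name [( detection )] - status
            name = s["name"]
            if name not in objects:       # MBR/boot verdicts are keyed by device path, not name
                name = next((n for n, e in objects.items() if e["path"] == name), name)
            objects.setdefault(name, {"md5": None, "path": None, "status": None})["status"] = s["status"]
            if s["det"]:
                detections.setdefault(name, {"detection": s["det"], "actions": []})["actions"].append(s["status"])
    return {"objects": objects, "detections": detections, "reported_count": reported}

def triage(report):
    """Findings a reviewer should look at: each detection, then any object with no 'ok' verdict."""
    findings = [f"{n}: {d['detection']} ({'; '.join(d['actions'])})" for n, d in report["detections"].items()]
    for name, e in report["objects"].items():
        if e["status"] != "ok" and name not in report["detections"]:
            findings.append(f"{name}: no 'ok' verdict (status={e['status']})")
    return findings
```

Run against a full log, `triage()` surfaces the skipped Fasttrak entry and anything that never received an "ok", which is the part of a multi-thousand-line log worth reading by hand.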


That scan was clean....Good :)

Fantastic! Thank you again for all your help.

I don't see an anti-virus on this computer????

I removed many of the installed programs after disconnecting the workstation from the internet.

We typically run MS Sec. Essentials on every single computer in the company.

Please install Microsoft Security Essentials and run a scan, let me know if it finds anything:

http://windows.micro...rity-essentials

MrC

"Scan completed on 41225 items. No threats were detected on your PC during this scan."


Yes, everything appears to be in order.

I no longer see a 'Smart Fortress 2012' directory.

The only other symptom was occasional redirection of search queries (via Google); it was extremely intermittent and unpredictable, but I have yet to encounter it.

I will continue to monitor the workstation's network traffic via our firewall.

Thank you so much!


OK....a little clean up to do..........

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

-------------------------------

You have out-of-date Java on the system; older versions are vulnerable to malware.

Please go to your Control Panel's Add/Remove Programs and uninstall these:

Java™ 6 Update 14

Java™ 6 Update 4

Then download and install the latest version, Java™ 7 Update 4.

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


OK....a little clean up to do..........

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Done.

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Done.

You have out-of-date Java on the system; older versions are vulnerable to malware.

Please go to your Control Panel's Add/Remove Programs and uninstall these:

Java™ 6 Update 14

Java™ 6 Update 4

Then download and install the latest version, Java™ 7 Update 4.

Done!

Good Luck and Thanks for using the forum, MrC

No, sir, thank you.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
