alexinc

trojan agents that won't go away

58 posts in this topic

Hi guys. I noticed that when I use Malwarebytes over and over, after restarting the trojans are still there and sometimes I have more infected files than when I scanned before!

This is my log. Thanks for any help with this headache:

---------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7538

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

8/22/2011 14:21:29

mbam-log-2011-08-22 (14-21-29).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 316329

Time elapsed: 28 minute(s), 18 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 2

Registry Keys Infected: 6

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 15

Memory Processes Infected:

c:\WINDOWS\system32\oleaccrc32.exe (Trojan.Tracur) -> 580 -> Unloaded process successfully.

Memory Modules Infected:

c:\WINDOWS\system32\usbmons.dll (Trojan.Downloader) -> Delete on reboot.

c:\WINDOWS\system32\mapi3232.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\usbmon (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0E4CA718-2DB1-4E65-93C7-39B514C7025d} (IPH.GenericBHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E4CA718-2DB1-4E65-93C7-39B514C7025D} (IPH.GenericBHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E4CA718-2DB1-4E65-93C7-39B514C7025D} (IPH.GenericBHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\WINDOWS\system32\mapi3232.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\usbmons.dll (Trojan.Downloader) -> Delete on reboot.

c:\WINDOWS\system32\mapi3232.dll (Trojan.Tracur.S) -> Delete on reboot.

c:\WINDOWS\system32\atipdlxx32.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\local settings\Temp\tmph9041176854228795358.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\kb2006a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\usbmons.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000c27ec2a91406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000c27ec2a91406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000c27ec2a91406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000c27ec2a91406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000c27ec2a91406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000c27ec2a91406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000c27ec2a91406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000c27ec2a91406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\oleaccrc32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

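Added example, not from the thread and not Malwarebytes' code: a small Python parser for the MBAM 1.x log format above. It ties each registry load point the scan removed (the AppInit_DLLs value, the Winlogon\Notify package, the BHO CLSID, the LEGACY_BITS32 enum key) to the on-disk files of the same detection family, and marks which of those files were still loaded at scan time (the ones MBAM could only mark "Delete on reboot"). In the posted log the two deferred files, mapi3232.dll and usbmons.dll, are exactly the ones referenced by, or sharing a family with, the system-wide load points, which is the first thing to check when detections come back after a restart. The sample log is a constructed excerpt of the log posted above; the one-line description of what each load point does is general Windows behaviour, not something the thread states.

```python
"""Cross-reference load points and files in a Malwarebytes' Anti-Malware 1.x log.
Added example for this thread; not Malwarebytes' own code.
"""
import re

# Constructed excerpt of the MBAM log posted above (paths and verdicts as posted).
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\WINDOWS\system32\oleaccrc32.exe (Trojan.Tracur) -> 580 -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\usbmons.dll (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\mapi3232.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\usbmon (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E4CA718-2DB1-4E65-93C7-39B514C7025D} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\WINDOWS\system32\mapi3232.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\usbmons.dll (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\mapi3232.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\WINDOWS\system32\atipdlxx32.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usbmons.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\oleaccrc32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
"""

# Registry locations that load a module with no user action. Substrings are
# matched against the lower-cased key; the descriptions are general Windows
# behaviour (assumed here, not stated in the thread).
LOAD_POINTS = {
    r"\windows\appinit_dlls": "AppInit_DLLs: mapped into every process that loads user32.dll",
    r"\winlogon\notify": "Winlogon notify package: loaded by winlogon.exe at logon",
    r"\browser helper objects": "Browser Helper Object: loaded by Internet Explorer",
    r"\enum\root\legacy_": "LEGACY_* enum key: trace of a registered service or driver",
}

# "<item> (<family>) -> <action>"; item may itself contain spaces and braces.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")   # only Registry Data Items carry this


def parse_mbam_log(text):
    """Group detection lines by section; returns {section: [entry dicts]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):            # e.g. "Memory Modules Infected:"
            current = line[: -len(" Infected:")]
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if current is None or m is None:          # summary counts, "(No malicious items detected)"
            continue
        entry = m.groupdict()
        bad = BAD_RE.search(entry["action"])
        entry["loads"] = bad.group("bad").lower() if bad else None
        sections[current].append(entry)
    return sections


def persistence_report(text):
    """For each load point, list same-family files and which were still loaded."""
    parsed = parse_mbam_log(text)
    files = parsed.get("Files", [])
    deferred = {e["item"].lower() for e in files if "Delete on reboot" in e["action"]}
    report = []
    for e in parsed.get("Registry Keys", []) + parsed.get("Registry Data Items", []):
        key = e["item"].lower()
        for needle, meaning in LOAD_POINTS.items():
            if needle in key:
                same_family = sorted(f["item"].lower() for f in files if f["family"] == e["family"])
                report.append({
                    "key": e["item"],
                    "mechanism": meaning,
                    "family": e["family"],
                    "loads": e["loads"],                       # explicit target, if the log gives one
                    "related_files": same_family,
                    "still_loaded": sorted(set(same_family) & deferred),
                })
    return report


if __name__ == "__main__":
    for r in persistence_report(SAMPLE_LOG):
        loaded = ", ".join(r["still_loaded"]) or "none"
        print(f"{r['mechanism']}\n  key: {r['key']}\n  still loaded at scan time: {loaded}")
```

Run it against a full log file by reading the file into `persistence_report`; the section headers without counts are the ones it keys on, so the summary block at the top of the log is ignored.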

Welcome to the forum. Please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the two logs: DDS.txt and Attach.txt.

<====><====><====><====><====><====><====><====>

Next.......

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


Thanks MrC!

Here is the DDS.txt:

|-----------|

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512

Run by Administrator at 14:14:17 on 2012-05-15

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\atipdlxx32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\odpdx3232.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Steinberg\Cubase Studio 4\Cubase Studio 4.exe

C:\PROGRA~1\SYNCRO~1\POS\SYNSOPOS.exe

C:\Program Files\Propellerhead\Reason\Reason.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz382.tmp\MBR.DAT

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMMyPictures = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-system: DisableCAD = 1 (0x1)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMMyPictures = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{6DF6B719-B140-40B1-BA68-29991289C2F8} : DhcpNameServer = 192.168.0.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

AppInit_DLLs: c:\windows\system32\atipdlxx32.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R? BITS32;Background Intelligent Transfer Service

R? LMIInfo;LogMeIn Kernel Information Provider

R? LMIRfsClientNP;LMIRfsClientNP

R? WsAudio_DeviceS(1);WsAudio_DeviceS(1)

R? WsAudio_DeviceS(2);WsAudio_DeviceS(2)

R? WsAudio_DeviceS(3);WsAudio_DeviceS(3)

R? WsAudio_DeviceS(4);WsAudio_DeviceS(4)

R? WsAudio_DeviceS(5);WsAudio_DeviceS(5)

S? iPod Service32;iPod Service

S? LMIRfsDriver;LogMeIn Remote File System Driver

S? LynxWDM;LynxWDM

S? mv614x;mv614x

S? SynasUSB;SynasUSB

.

=============== Created Last 30 ================

.

2012-05-14 23:57:48 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-14 23:22:33 270336 ----a-w- c:\windows\system32\atipdlxx32.dll

2012-05-14 23:17:35 -------- d-----w- c:\windows\SxsCaPendDel

2012-05-14 23:14:24 -------- d-----w- c:\windows\system32\syncdb

2012-04-29 23:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-29 23:40:56 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

==================== Find3M ====================

.

2012-04-29 23:40:45 472864 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-26 21:24:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys

2012-03-26 21:24:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys

2012-03-26 21:24:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys

2012-03-26 21:24:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys

2012-03-26 21:24:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.

============= FINISH: 14:15:17.64 ===============

And here is the Attach.txt:

|--------|

.

==== Installed Programs ======================

.

µTorrent

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

Antares Tube VST v1.02

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArtsAcoustic Reverb 1.2.2

ASIO4ALL

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

Bonjour

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Chinese (Traditional) Language Support

Dropbox

DVD Decrypter (Remove Only)

FileZilla Client 3.5.0

Google Chrome

HashCheck Shell Extension (x86-32)

Interlok driver setup x32

IrfanView (remove only)

iTunes

iZotope Ozone 4

Japanese Language Support

Java Auto Updater

Java 6 Update 32

Korean Language Support

Lynx Version 2 Driver (Remove Only)

Malwarebytes Anti-Malware version 1.61.0.1400

Marvell Miniport Driver

Microsoft .NET Framework 2.0

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 Redistributable

MSXML 6.0 Parser

Native Instruments Absynth 4

Native Instruments Akoustik Piano

Native Instruments B4 II

Native Instruments Battery 3

Native Instruments Elektrik Piano 1.5

Native Instruments FM8

Native Instruments Guitar Rig 3

Native Instruments Komplete 5

Native Instruments Kontakt 3

Native Instruments Massive

Native Instruments Pro-53

Native Instruments Reaktor 5

Ohmforce Ohmboyz PRO VST v1.42

PSP VintageWarmer 2.0.0

PSP.Audioware.Lexicon.PSP.42.DX.RTAS.VST.v1.4.1-DAC

QuickTime

Reason 5.0

Series II MIDI

Skins

Sonnox Oxford Inflator Native VST v1.5.1

Sonnox Oxford Limiter Native VST v1.1.1

Sonnox Oxford R3 Dynamics Native VST v1.3.1

Sonnox Oxford R3 EQ Native VST v1.6.1

Sonnox Oxford Reverb Native VST v1.0

Sonnox Oxford TransMod Native VST v1.3.1

Starcraft

StarCraft II

Steinberg Cubase Studio 4

Steinberg HALionOne

Steinberg HALionOne GM Drum Set

Steinberg HALionOne GM Set

Steinberg HALionOne Studio Drum Set

Steinberg HALionOne Studio Set

StudioDevil VGA 1.3

Syncrosoft License Control

Update for Windows XP (KB955839)

URS Classic Console Strip Pro VST RTAS v1.0

VLC media player 1.1.11

Waves Mercury Complete VST DX RTAS v1.01

Waves SSL Collection v1.2

Windows Media Format Runtime

WinRAR archiver

Yahoo! Detect

.

==== End Of File ===========================

And here is the RogueKiller:

|---------|

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Administrator [Admin rights]

Mode: Scan -- Date: 05/15/2012 14:19:26

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

[FAKED] cdfs.sys : c:\windows\system32\drivers\cdfs.sys --> CANNOT FIX

[FAKED] cdrom.sys : c:\windows\system32\drivers\cdrom.sys --> CANNOT FIX

[FAKED] fltMgr.sys : c:\windows\system32\drivers\fltMgr.sys --> CANNOT FIX

[FAKED] mf.sys : c:\windows\system32\drivers\mf.sys --> CANNOT FIX

[FAKED] mrxsmb.sys : c:\windows\system32\drivers\mrxsmb.sys --> CANNOT FIX

[FAKED] nic1394.sys : c:\windows\system32\drivers\nic1394.sys --> CANNOT FIX

[FAKED] ohci1394.sys : c:\windows\system32\drivers\ohci1394.sys --> CANNOT FIX

[FAKED] rdpdr.sys : c:\windows\system32\drivers\rdpdr.sys --> CANNOT FIX

[FAKED] serial.sys : c:\windows\system32\drivers\serial.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

IRP[iRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

IRP[iRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

IRP[iRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

IRP[iRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

IRP[iRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF740BB40)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1001namen.com

127.0.0.1 1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3170123A! ! ! ! ! ! ! ! ! ! ! ! ! ! ! +++++

--- User ---

[MBR] NOT VALID

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive1: WDC WD740GD-00FLC0 +++++

--- User ---

[MBR] bff7c1955401226b0282fcceeaa7e3ef

[bSP] bc37b26cf0acbb936e7065781dd0f111 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 70896 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive2: Maxtor 6L300S0 +++++

--- User ---

[MBR] e493e629accd8d24b96cf14eb5aff2d5

[bSP] 8df59c9c16ada969f9cbae2b0148f679 : MBR Code unknown

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 286181 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

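Added example, not from the thread and not part of DDS: a Python audit of the DDS.txt sections posted above. It flags a non-empty AppInit_DLLs value and looks its target up in the "Created Last 30" list (atipdlxx32.dll, the same file name the MBAM log reported as deleted, was created on 2012-05-14, the day before this DDS run; note the two logs are nine months apart, the MBAM log is dated 2011-08-22 and DDS ran on 2012-05-15), a non-zero SfcDisable value under Winlogon (0xffffff9d switches Windows File Protection off; a system built with nLite, and the DDS shows an nLite RunOnce entry, may have had it set on purpose, so treat this as a question to ask rather than a verdict), hosts entries pointing anywhere other than loopback (the 127.0.0.1 lines are blocks, not hijacks), and a service that reuses a built-in service's display name under a different service name (BITS32 carries the display name "Background Intelligent Transfer Service", which belongs to the real BITS service). The DDS excerpt is constructed from the posted log, and the table of built-in display names is a hand-written sample, not a complete list.

```python
"""Audit DDS.txt sections for persistence and tampering indicators.
Added example for this thread; not DDS's own code.
"""
import re

# Constructed excerpt of the DDS.txt posted above; unrelated lines dropped.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://gmail.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\atipdlxx32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R? BITS32;Background Intelligent Transfer Service
R? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
=============== Created Last 30 ================
2012-05-14 23:57:48 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-14 23:22:33 270336 ----a-w- c:\windows\system32\atipdlxx32.dll
2012-04-29 23:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
============= FINISH: 14:15:17.64 ===============
"""

# Hand-written sample of built-in Windows XP service display names, keyed by
# the real service name (assumed list for this example; not complete).
BUILTIN_DISPLAY_NAMES = {
    "Background Intelligent Transfer Service": "BITS",
    "Cryptographic Services": "CryptSvc",
    "DNS Client": "Dnscache",
    "Windows Management Instrumentation": "winmgmt",
}

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
SERVICE_RE = re.compile(r"^[RS]\?\s+(?P<svc>[^;]+);(?P<display>.+)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ \S+ (?P<path>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
SFC_RE = re.compile(r"SfcDisable=(?P<val>-?\d+)")
LOOPBACK = ("127.", "0.0.0.0", "::1")


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_dds(text):
    """Return [(severity, message)] for the indicators described above."""
    s = parse_dds(text)
    created = {}                               # lower-cased path -> creation date
    for line in s.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = m.group("date")

    findings = []
    for line in s.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1].strip()):
                if not dll:
                    continue
                when = created.get(dll.lower())
                age = f"created {when}" if when else "not in Created Last 30"
                findings.append(("high", f"AppInit_DLLs loads {dll} ({age})"))
        elif line.startswith("mWinlogon:"):
            m = SFC_RE.search(line)
            if m and int(m.group("val")) != 0:
                findings.append(("medium", f"Windows File Protection disabled: {line}"))
        else:
            m = HOSTS_RE.match(line)
            if m and not m.group("ip").startswith(LOOPBACK):
                findings.append(("high", f"hosts file sends {m.group('host')} to {m.group('ip')}"))

    for line in s.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        svc, display = m.group("svc").strip(), m.group("display").strip()
        real = BUILTIN_DISPLAY_NAMES.get(display)
        if real and real.lower() != svc.lower():
            findings.append(("high", f"service {svc} reuses the display name of built-in {real}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dds(SAMPLE_DDS):
        print(f"[{severity}] {message}")
```

The creation-date lookup is the useful part: a load point is not news by itself, but a load point whose target appeared yesterday, after earlier clean-up, says the loader was re-dropped rather than left over.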

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

MrC


OK, good.

All those [FAKED] files found by RogueKiller are most likely OK.

-------------------------------------------------

Please make sure System Restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click TDSSKiller.exe to run the application, then click Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Here is the TDSSKiller log:

14:17:22.0343 3748 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57

14:17:22.0687 3748 ============================================================

14:17:22.0687 3748 Current date / time: 2012/05/16 14:17:22.0687

14:17:22.0687 3748 SystemInfo:

14:17:22.0687 3748

14:17:22.0687 3748 OS Version: 5.1.2600 ServicePack: 3.0

14:17:22.0687 3748 Product type: Workstation

14:17:22.0687 3748 ComputerName: ALEXXX-12E93458

14:17:22.0687 3748 UserName: Administrator

14:17:22.0687 3748 Windows directory: C:\WINDOWS

14:17:22.0687 3748 System windows directory: C:\WINDOWS

14:17:22.0687 3748 Processor architecture: Intel x86

14:17:22.0687 3748 Number of processors: 2

14:17:22.0687 3748 Page size: 0x1000

14:17:22.0687 3748 Boot type: Normal boot

14:17:22.0687 3748 ============================================================

14:17:23.0703 3748 Drive \Device\Harddisk0\DR0 - Size: 0x27433F6000 (157.05 Gb), SectorSize: 0x200, Cylinders: 0x5015, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

14:17:23.0718 3748 Drive \Device\Harddisk1\DR1 - Size: 0x114FF30000 (69.25 Gb), SectorSize: 0x200, Cylinders: 0x234F, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

14:17:23.0718 3748 Drive \Device\Harddisk2\DR2 - Size: 0x45DECD2000 (279.48 Gb), SectorSize: 0x200, Cylinders: 0x8E83, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

14:17:23.0734 3748 ============================================================

14:17:23.0734 3748 \Device\Harddisk0\DR0:

14:17:23.0734 3748 Invalid mbr signature

14:17:23.0734 3748 \Device\Harddisk1\DR1:

14:17:23.0734 3748 MBR partitions:

14:17:23.0734 3748 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x8A7818F

14:17:23.0734 3748 \Device\Harddisk2\DR2:

14:17:23.0734 3748 MBR partitions:

14:17:23.0734 3748 \Device\Harddisk2\DR2\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x22EF2A84

14:17:23.0734 3748 ============================================================

14:17:23.0750 3748 D: <-> \Device\Harddisk2\DR2\Partition0

14:17:23.0750 3748 C: <-> \Device\Harddisk1\DR1\Partition0

14:17:23.0750 3748 ============================================================

14:17:23.0750 3748 Initialize success

14:17:23.0750 3748 ============================================================

14:17:42.0921 2312 ============================================================

14:17:42.0921 2312 Scan started

14:17:42.0921 2312 Mode: Manual;

14:17:42.0921 2312 ============================================================

14:17:43.0093 2312 Abiosdsk - ok

14:17:43.0093 2312 abp480n5 - ok

14:17:43.0125 2312 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

14:17:43.0125 2312 ACPI - ok

14:17:43.0140 2312 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

14:17:43.0140 2312 ACPIEC - ok

14:17:43.0140 2312 adpu160m - ok

14:17:43.0171 2312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

14:17:43.0171 2312 aec - ok

14:17:43.0187 2312 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

14:17:43.0203 2312 AFD - ok

14:17:43.0203 2312 Aha154x - ok

14:17:43.0203 2312 aic78u2 - ok

14:17:43.0218 2312 aic78xx - ok

14:17:43.0234 2312 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll

14:17:43.0234 2312 Alerter - ok

14:17:43.0250 2312 AliIde - ok

14:17:43.0250 2312 amsint - ok

14:17:43.0296 2312 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

14:17:43.0296 2312 Apple Mobile Device - ok

14:17:43.0312 2312 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll

14:17:43.0312 2312 AppMgmt - ok

14:17:43.0328 2312 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

14:17:43.0328 2312 Arp1394 - ok

14:17:43.0343 2312 asc - ok

14:17:43.0343 2312 asc3350p - ok

14:17:43.0359 2312 asc3550 - ok

14:17:43.0406 2312 aspnet_state (d33c507942299753868204cc7642fa27) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

14:17:43.0406 2312 aspnet_state - ok

14:17:43.0406 2312 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

14:17:43.0406 2312 AsyncMac - ok

14:17:43.0437 2312 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

14:17:43.0437 2312 atapi - ok

14:17:43.0437 2312 Atdisk - ok

14:17:43.0484 2312 Ati HotKey Poller (471087b5e1e01cc82604e81ea14781d8) C:\WINDOWS\system32\Ati2evxx.exe

14:17:43.0484 2312 Ati HotKey Poller - ok

14:17:43.0531 2312 ATI Smart (b979ba0120b6db757196a8e2e873fe3c) C:\WINDOWS\system32\ati2sgag.exe

14:17:43.0546 2312 ATI Smart - ok

14:17:43.0687 2312 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

14:17:43.0765 2312 ati2mtag - ok

14:17:43.0812 2312 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll

14:17:43.0812 2312 AudioSrv - ok

14:17:43.0843 2312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

14:17:43.0843 2312 audstub - ok

14:17:43.0859 2312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

14:17:43.0859 2312 Beep - ok

14:17:43.0890 2312 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll

14:17:43.0906 2312 BITS - ok

14:17:43.0906 2312 BITS32 - ok

14:17:43.0968 2312 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe

14:17:43.0968 2312 Bonjour Service - ok

14:17:43.0984 2312 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll

14:17:43.0984 2312 Browser - ok

14:17:44.0000 2312 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

14:17:44.0000 2312 cbidf2k - ok

14:17:44.0000 2312 cd20xrnt - ok

14:17:44.0015 2312 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

14:17:44.0015 2312 Cdaudio - ok

14:17:44.0015 2312 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

14:17:44.0031 2312 Cdfs - ok

14:17:44.0046 2312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

14:17:44.0046 2312 Cdrom - ok

14:17:44.0046 2312 Changer - ok

14:17:44.0078 2312 clr_optimization_v2.0.50727_32 (3c4d595e7f9b747325aef28b4adcaae5) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

14:17:44.0093 2312 clr_optimization_v2.0.50727_32 - ok

14:17:44.0093 2312 CmdIde - ok

14:17:44.0093 2312 COMSysApp - ok

14:17:44.0093 2312 Cpqarray - ok

14:17:44.0109 2312 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll

14:17:44.0109 2312 CryptSvc - ok

14:17:44.0109 2312 dac2w2k - ok

14:17:44.0125 2312 dac960nt - ok

14:17:44.0140 2312 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll

14:17:44.0156 2312 DcomLaunch - ok

14:17:44.0156 2312 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll

14:17:44.0156 2312 Dhcp - ok

14:17:44.0171 2312 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

14:17:44.0171 2312 Disk - ok

14:17:44.0171 2312 dmadmin - ok

14:17:44.0203 2312 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

14:17:44.0218 2312 dmboot - ok

14:17:44.0218 2312 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

14:17:44.0234 2312 dmio - ok

14:17:44.0250 2312 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

14:17:44.0250 2312 dmload - ok

14:17:44.0250 2312 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll

14:17:44.0250 2312 dmserver - ok

14:17:44.0265 2312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

14:17:44.0265 2312 DMusic - ok

14:17:44.0312 2312 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll

14:17:44.0312 2312 Dnscache - ok

14:17:44.0328 2312 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll

14:17:44.0343 2312 Dot3svc - ok

14:17:44.0343 2312 dpti2o - ok

14:17:44.0359 2312 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

14:17:44.0359 2312 drmkaud - ok

14:17:44.0390 2312 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll

14:17:44.0390 2312 EapHost - ok

14:17:44.0406 2312 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe

14:17:44.0406 2312 Eventlog - ok

14:17:44.0421 2312 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll

14:17:44.0437 2312 EventSystem - ok

14:17:44.0453 2312 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

14:17:44.0453 2312 Fastfat - ok

14:17:44.0468 2312 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll

14:17:44.0468 2312 FastUserSwitchingCompatibility - ok

14:17:44.0484 2312 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

14:17:44.0484 2312 Fdc - ok

14:17:44.0500 2312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

14:17:44.0500 2312 Fips - ok

14:17:44.0562 2312 FLEXnet Licensing Service (abedfd48ac042c6aaad32452e77217a1) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

14:17:44.0578 2312 FLEXnet Licensing Service - ok

14:17:44.0578 2312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

14:17:44.0578 2312 Flpydisk - ok

14:17:44.0609 2312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

14:17:44.0609 2312 FltMgr - ok

14:17:44.0625 2312 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

14:17:44.0625 2312 Fs_Rec - ok

14:17:44.0640 2312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

14:17:44.0640 2312 Ftdisk - ok

14:17:44.0656 2312 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

14:17:44.0656 2312 GEARAspiWDM - ok

14:17:44.0671 2312 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

14:17:44.0671 2312 Gpc - ok

14:17:44.0687 2312 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

14:17:44.0687 2312 HDAudBus - ok

14:17:44.0718 2312 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll

14:17:44.0718 2312 HidServ - ok

14:17:44.0718 2312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

14:17:44.0734 2312 hidusb - ok

14:17:44.0750 2312 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll

14:17:44.0750 2312 hkmsvc - ok

14:17:44.0750 2312 hpn - ok

14:17:44.0781 2312 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

14:17:44.0781 2312 HTTP - ok

14:17:44.0796 2312 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll

14:17:44.0796 2312 HTTPFilter - ok

14:17:44.0796 2312 i2omgmt - ok

14:17:44.0812 2312 i2omp - ok

14:17:44.0828 2312 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

14:17:44.0828 2312 i8042prt - ok

14:17:44.0828 2312 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

14:17:44.0843 2312 Imapi - ok

14:17:44.0843 2312 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe

14:17:44.0859 2312 ImapiService - ok

14:17:44.0859 2312 ini910u - ok

14:17:44.0859 2312 IntelIde - ok

14:17:44.0875 2312 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

14:17:44.0875 2312 intelppm - ok

14:17:44.0875 2312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

14:17:44.0875 2312 Ip6Fw - ok

14:17:44.0890 2312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

14:17:44.0890 2312 IpFilterDriver - ok

14:17:44.0890 2312 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

14:17:44.0890 2312 IpInIp - ok

14:17:44.0921 2312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

14:17:44.0921 2312 IpNat - ok

14:17:44.0968 2312 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe

14:17:44.0984 2312 iPod Service - ok

14:17:45.0031 2312 iPod Service32 (c49df1c63ddad21e17840832d772f8b0) C:\WINDOWS\system32\atipdlxx32.exe

14:17:45.0062 2312 iPod Service32 - ok

14:17:45.0093 2312 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

14:17:45.0109 2312 IPSec - ok

14:17:45.0125 2312 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

14:17:45.0125 2312 IRENUM - ok

14:17:45.0140 2312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

14:17:45.0140 2312 isapnp - ok

14:17:45.0234 2312 JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe

14:17:45.0234 2312 JavaQuickStarterService - ok

14:17:45.0250 2312 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

14:17:45.0250 2312 Kbdclass - ok

14:17:45.0250 2312 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

14:17:45.0265 2312 kbdhid - ok

14:17:45.0281 2312 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

14:17:45.0281 2312 kmixer - ok

14:17:45.0296 2312 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

14:17:45.0296 2312 KSecDD - ok

14:17:45.0328 2312 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll

14:17:45.0328 2312 LanmanServer - ok

14:17:45.0343 2312 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll

14:17:45.0343 2312 lanmanworkstation - ok

14:17:45.0343 2312 lbrtfdc - ok

14:17:45.0375 2312 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll

14:17:45.0375 2312 LmHosts - ok

14:17:45.0375 2312 LMIInfo - ok

14:17:45.0390 2312 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

14:17:45.0390 2312 lmimirr - ok

14:17:45.0390 2312 LMIRfsClientNP - ok

14:17:45.0406 2312 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

14:17:45.0406 2312 LMIRfsDriver - ok

14:17:45.0421 2312 LynxWDM (0ff7e557d025ae5283d09ca44f30d1d6) C:\WINDOWS\system32\DRIVERS\LynxWDM.sys

14:17:45.0421 2312 LynxWDM - ok

14:17:45.0453 2312 MA_CMIDI (6b5d093711eadd77c789b0150dc4879c) C:\WINDOWS\system32\drivers\ma_cmidi.sys

14:17:45.0453 2312 MA_CMIDI - ok

14:17:45.0484 2312 Microsoft Office Groove Audit Service (fafe367d032ed82e9332b4c741a20216) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe

14:17:45.0484 2312 Microsoft Office Groove Audit Service - ok

14:17:45.0500 2312 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

14:17:45.0500 2312 Modem - ok

14:17:45.0515 2312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

14:17:45.0515 2312 Mouclass - ok

14:17:45.0546 2312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

14:17:45.0546 2312 mouhid - ok

14:17:45.0546 2312 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

14:17:45.0546 2312 MountMgr - ok

14:17:45.0562 2312 mraid35x - ok

14:17:45.0578 2312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

14:17:45.0578 2312 MRxDAV - ok

14:17:45.0609 2312 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

14:17:45.0625 2312 MRxSmb - ok

14:17:45.0640 2312 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe

14:17:45.0640 2312 MSDTC - ok

14:17:45.0656 2312 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

14:17:45.0656 2312 Msfs - ok

14:17:45.0656 2312 MSIServer - ok

14:17:45.0671 2312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

14:17:45.0671 2312 MSKSSRV - ok

14:17:45.0687 2312 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

14:17:45.0687 2312 MSPCLOCK - ok

14:17:45.0703 2312 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

14:17:45.0703 2312 MSPQM - ok

14:17:45.0718 2312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

14:17:45.0718 2312 mssmbios - ok

14:17:45.0734 2312 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

14:17:45.0734 2312 Mup - ok

14:17:45.0750 2312 mv614x (6eb1d27590d4bc040f105d2bf35a6c4f) C:\WINDOWS\system32\DRIVERS\mv614x.sys

14:17:45.0750 2312 mv614x - ok

14:17:45.0781 2312 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll

14:17:45.0781 2312 napagent - ok

14:17:45.0812 2312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

14:17:45.0812 2312 NDIS - ok

14:17:45.0828 2312 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

14:17:45.0828 2312 NdisTapi - ok

14:17:45.0828 2312 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

14:17:45.0828 2312 Ndisuio - ok

14:17:45.0843 2312 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

14:17:45.0843 2312 NdisWan - ok

14:17:45.0859 2312 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

14:17:45.0859 2312 NDProxy - ok

14:17:45.0875 2312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

14:17:45.0875 2312 NetBIOS - ok

14:17:45.0890 2312 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

14:17:45.0890 2312 NetBT - ok

14:17:45.0906 2312 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:17:45.0921 2312 Netlogon - ok

14:17:45.0921 2312 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll

14:17:45.0937 2312 Netman - ok

14:17:45.0953 2312 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

14:17:45.0953 2312 NIC1394 - ok

14:17:45.0968 2312 Nla (832e4dd8964ab7acc880b2837cb1ed20) C:\WINDOWS\System32\mswsock.dll

14:17:45.0968 2312 Nla - ok

14:17:45.0968 2312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

14:17:45.0968 2312 Npfs - ok

14:17:46.0015 2312 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

14:17:46.0031 2312 Ntfs - ok

14:17:46.0031 2312 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:17:46.0031 2312 NtLmSsp - ok

14:17:46.0046 2312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

14:17:46.0046 2312 Null - ok

14:17:46.0125 2312 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

14:17:46.0140 2312 odserv - ok

14:17:46.0156 2312 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

14:17:46.0156 2312 ohci1394 - ok

14:17:46.0171 2312 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

14:17:46.0171 2312 ose - ok

14:17:46.0187 2312 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

14:17:46.0187 2312 Parport - ok

14:17:46.0234 2312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

14:17:46.0234 2312 PartMgr - ok

14:17:46.0250 2312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

14:17:46.0250 2312 ParVdm - ok

14:17:46.0265 2312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

14:17:46.0265 2312 PCI - ok

14:17:46.0265 2312 PCIDump - ok

14:17:46.0281 2312 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

14:17:46.0281 2312 PCIIde - ok

14:17:46.0296 2312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

14:17:46.0296 2312 Pcmcia - ok

14:17:46.0296 2312 PDCOMP - ok

14:17:46.0312 2312 PDFRAME - ok

14:17:46.0312 2312 PDRELI - ok

14:17:46.0312 2312 PDRFRAME - ok

14:17:46.0328 2312 perc2 - ok

14:17:46.0328 2312 perc2hib - ok

14:17:46.0375 2312 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe

14:17:46.0375 2312 PlugPlay - ok

14:17:46.0375 2312 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:17:46.0375 2312 PolicyAgent - ok

14:17:46.0390 2312 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

14:17:46.0390 2312 PptpMiniport - ok

14:17:46.0390 2312 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:17:46.0390 2312 ProtectedStorage - ok

14:17:46.0421 2312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

14:17:46.0421 2312 PSched - ok

14:17:46.0437 2312 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

14:17:46.0437 2312 Ptilink - ok

14:17:46.0437 2312 ql1080 - ok

14:17:46.0437 2312 Ql10wnt - ok

14:17:46.0453 2312 ql12160 - ok

14:17:46.0453 2312 ql1240 - ok

14:17:46.0453 2312 ql1280 - ok

14:17:46.0468 2312 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

14:17:46.0468 2312 RasAcd - ok

14:17:46.0484 2312 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll

14:17:46.0484 2312 RasAuto - ok

14:17:46.0500 2312 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

14:17:46.0500 2312 Rasl2tp - ok

14:17:46.0515 2312 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll

14:17:46.0531 2312 RasMan - ok

14:17:46.0546 2312 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

14:17:46.0546 2312 RasPppoe - ok

14:17:46.0546 2312 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

14:17:46.0546 2312 Raspti - ok

14:17:46.0562 2312 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

14:17:46.0562 2312 Rdbss - ok

14:17:46.0562 2312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

14:17:46.0562 2312 RDPCDD - ok

14:17:46.0593 2312 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

14:17:46.0593 2312 rdpdr - ok

14:17:46.0609 2312 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

14:17:46.0625 2312 RDPWD - ok

14:17:46.0625 2312 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe

14:17:46.0625 2312 RDSessMgr - ok

14:17:46.0640 2312 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

14:17:46.0656 2312 redbook - ok

14:17:46.0656 2312 Scan interrupted by user!

14:17:46.0656 2312 Scan interrupted by user!

14:17:46.0656 2312 Scan interrupted by user!

14:17:46.0656 2312 ============================================================

14:17:46.0656 2312 Scan finished

14:17:46.0656 2312 ============================================================

14:17:46.0656 2816 Detected object count: 0

14:17:46.0656 2816 Actual detected object count: 0

14:18:00.0015 1608 ============================================================

14:18:00.0015 1608 Scan started

14:18:00.0015 1608 Mode: Manual; SigCheck; TDLFS;

14:18:00.0015 1608 ============================================================

14:18:00.0156 1608 Abiosdsk - ok

14:18:00.0156 1608 abp480n5 - ok

14:18:00.0187 1608 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

14:18:01.0000 1608 ACPI - ok

14:18:01.0015 1608 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

14:18:01.0140 1608 ACPIEC - ok

14:18:01.0140 1608 adpu160m - ok

14:18:01.0171 1608 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

14:18:01.0296 1608 aec - ok

14:18:01.0312 1608 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

14:18:01.0343 1608 AFD - ok

14:18:01.0343 1608 Aha154x - ok

14:18:01.0343 1608 aic78u2 - ok

14:18:01.0359 1608 aic78xx - ok

14:18:01.0375 1608 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll

14:18:01.0500 1608 Alerter - ok

14:18:01.0500 1608 AliIde - ok

14:18:01.0500 1608 amsint - ok

14:18:01.0546 1608 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

14:18:01.0562 1608 Apple Mobile Device - ok

14:18:01.0578 1608 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll

14:18:01.0625 1608 AppMgmt - ok

14:18:01.0640 1608 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

14:18:01.0765 1608 Arp1394 - ok

14:18:01.0781 1608 asc - ok

14:18:01.0781 1608 asc3350p - ok

14:18:01.0781 1608 asc3550 - ok

14:18:01.0828 1608 aspnet_state (d33c507942299753868204cc7642fa27) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

14:18:01.0843 1608 aspnet_state - ok

14:18:01.0859 1608 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

14:18:02.0015 1608 AsyncMac - ok

14:18:02.0046 1608 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

14:18:02.0171 1608 atapi - ok

14:18:02.0171 1608 Atdisk - ok

14:18:02.0218 1608 Ati HotKey Poller (471087b5e1e01cc82604e81ea14781d8) C:\WINDOWS\system32\Ati2evxx.exe

14:18:02.0234 1608 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - warning

14:18:02.0234 1608 Ati HotKey Poller - detected UnsignedFile.Multi.Generic (1)

14:18:02.0281 1608 ATI Smart (b979ba0120b6db757196a8e2e873fe3c) C:\WINDOWS\system32\ati2sgag.exe

14:18:02.0312 1608 ATI Smart ( UnsignedFile.Multi.Generic ) - warning

14:18:02.0312 1608 ATI Smart - detected UnsignedFile.Multi.Generic (1)

14:18:02.0468 1608 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

14:18:02.0562 1608 ati2mtag ( UnsignedFile.Multi.Generic ) - warning

14:18:02.0562 1608 ati2mtag - detected UnsignedFile.Multi.Generic (1)

14:18:02.0609 1608 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll

14:18:02.0734 1608 AudioSrv - ok

14:18:02.0750 1608 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

14:18:02.0875 1608 audstub - ok

14:18:02.0906 1608 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

14:18:03.0031 1608 Beep - ok

14:18:03.0062 1608 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll

14:18:03.0187 1608 BITS - ok

14:18:03.0203 1608 BITS32 - ok

14:18:03.0250 1608 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe

14:18:03.0265 1608 Bonjour Service - ok

14:18:03.0281 1608 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll

14:18:03.0421 1608 Browser - ok

14:18:03.0437 1608 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

14:18:03.0562 1608 cbidf2k - ok

14:18:03.0562 1608 cd20xrnt - ok

14:18:03.0562 1608 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

14:18:03.0703 1608 Cdaudio - ok

14:18:03.0703 1608 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

14:18:03.0828 1608 Cdfs - ok

14:18:03.0843 1608 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

14:18:03.0968 1608 Cdrom - ok

14:18:03.0984 1608 Changer - ok

14:18:04.0046 1608 clr_optimization_v2.0.50727_32 (3c4d595e7f9b747325aef28b4adcaae5) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

14:18:04.0046 1608 clr_optimization_v2.0.50727_32 - ok

14:18:04.0046 1608 CmdIde - ok

14:18:04.0062 1608 COMSysApp - ok

14:18:04.0062 1608 Cpqarray - ok

14:18:04.0078 1608 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll

14:18:04.0203 1608 CryptSvc - ok

14:18:04.0203 1608 dac2w2k - ok

14:18:04.0203 1608 dac960nt - ok

14:18:04.0234 1608 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll

14:18:04.0359 1608 DcomLaunch - ok

14:18:04.0390 1608 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll

14:18:04.0515 1608 Dhcp - ok

14:18:04.0515 1608 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

14:18:04.0640 1608 Disk - ok

14:18:04.0656 1608 dmadmin - ok

14:18:04.0671 1608 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

14:18:04.0828 1608 dmboot - ok

14:18:04.0843 1608 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

14:18:04.0968 1608 dmio - ok

14:18:04.0984 1608 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

14:18:05.0109 1608 dmload - ok

14:18:05.0125 1608 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll

14:18:05.0250 1608 dmserver - ok

14:18:05.0265 1608 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

14:18:05.0390 1608 DMusic - ok

14:18:05.0390 1608 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll

14:18:05.0515 1608 Dnscache - ok

14:18:05.0546 1608 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll

14:18:05.0671 1608 Dot3svc - ok

14:18:05.0671 1608 dpti2o - ok

14:18:05.0687 1608 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

14:18:05.0796 1608 drmkaud - ok

14:18:05.0812 1608 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll

14:18:05.0937 1608 EapHost - ok

14:18:05.0953 1608 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe

14:18:06.0078 1608 Eventlog - ok

14:18:06.0093 1608 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll

14:18:06.0171 1608 EventSystem - ok

14:18:06.0187 1608 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

14:18:06.0312 1608 Fastfat - ok

14:18:06.0328 1608 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll

14:18:06.0453 1608 FastUserSwitchingCompatibility - ok

14:18:06.0453 1608 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

14:18:06.0578 1608 Fdc - ok

14:18:06.0593 1608 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

14:18:06.0718 1608 Fips - ok

14:18:06.0796 1608 FLEXnet Licensing Service (abedfd48ac042c6aaad32452e77217a1) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

14:18:06.0828 1608 FLEXnet Licensing Service - ok

14:18:06.0828 1608 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

14:18:06.0968 1608 Flpydisk - ok

14:18:06.0984 1608 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

14:18:07.0109 1608 FltMgr - ok

14:18:07.0140 1608 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

14:18:07.0265 1608 Fs_Rec - ok

14:18:07.0281 1608 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

14:18:07.0406 1608 Ftdisk - ok

14:18:07.0421 1608 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

14:18:07.0421 1608 GEARAspiWDM - ok

14:18:07.0453 1608 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

14:18:07.0562 1608 Gpc - ok

14:18:07.0593 1608 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

14:18:07.0718 1608 HDAudBus - ok

14:18:07.0734 1608 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll

14:18:07.0859 1608 HidServ - ok

14:18:07.0875 1608 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

14:18:08.0000 1608 hidusb - ok

14:18:08.0015 1608 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll

14:18:08.0140 1608 hkmsvc - ok

14:18:08.0140 1608 hpn - ok

14:18:08.0156 1608 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

14:18:08.0296 1608 HTTP - ok

14:18:08.0312 1608 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll

14:18:08.0437 1608 HTTPFilter - ok

14:18:08.0437 1608 i2omgmt - ok

14:18:08.0437 1608 i2omp - ok

14:18:08.0453 1608 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

14:18:08.0593 1608 i8042prt - ok

14:18:08.0609 1608 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

14:18:08.0734 1608 Imapi - ok

14:18:08.0750 1608 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe

14:18:08.0875 1608 ImapiService - ok

14:18:08.0875 1608 ini910u - ok

14:18:08.0890 1608 IntelIde - ok

14:18:08.0906 1608 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

14:18:09.0031 1608 intelppm - ok

14:18:09.0046 1608 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

14:18:09.0171 1608 Ip6Fw - ok

14:18:09.0187 1608 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

14:18:09.0312 1608 IpFilterDriver - ok

14:18:09.0343 1608 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

14:18:09.0468 1608 IpInIp - ok

14:18:09.0484 1608 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

14:18:09.0593 1608 IpNat - ok

14:18:09.0656 1608 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe

14:18:09.0671 1608 iPod Service - ok

14:18:09.0734 1608 iPod Service32 (c49df1c63ddad21e17840832d772f8b0) C:\WINDOWS\system32\atipdlxx32.exe

14:18:09.0765 1608 iPod Service32 ( UnsignedFile.Multi.Generic ) - warning

14:18:09.0765 1608 iPod Service32 - detected UnsignedFile.Multi.Generic (1)

14:18:09.0812 1608 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

14:18:09.0968 1608 IPSec - ok

14:18:09.0984 1608 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

14:18:10.0031 1608 IRENUM - ok

14:18:10.0046 1608 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

14:18:10.0156 1608 isapnp - ok

14:18:10.0218 1608 JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe

14:18:10.0234 1608 JavaQuickStarterService - ok

14:18:10.0250 1608 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

14:18:10.0375 1608 Kbdclass - ok

14:18:10.0390 1608 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

14:18:10.0500 1608 kbdhid - ok

14:18:10.0531 1608 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

14:18:10.0640 1608 kmixer - ok

14:18:10.0656 1608 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

14:18:10.0781 1608 KSecDD - ok

14:18:10.0812 1608 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll

14:18:10.0921 1608 LanmanServer - ok

14:18:10.0937 1608 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll

14:18:11.0062 1608 lanmanworkstation - ok

14:18:11.0062 1608 lbrtfdc - ok

14:18:11.0078 1608 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll

14:18:11.0203 1608 LmHosts - ok

14:18:11.0203 1608 LMIInfo - ok

14:18:11.0234 1608 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

14:18:11.0265 1608 lmimirr - ok

14:18:11.0265 1608 LMIRfsClientNP - ok

14:18:11.0281 1608 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

14:18:11.0296 1608 LMIRfsDriver - ok

14:18:11.0312 1608 LynxWDM (0ff7e557d025ae5283d09ca44f30d1d6) C:\WINDOWS\system32\DRIVERS\LynxWDM.sys

14:18:11.0312 1608 LynxWDM - ok

14:18:11.0343 1608 MA_CMIDI (6b5d093711eadd77c789b0150dc4879c) C:\WINDOWS\system32\drivers\ma_cmidi.sys

14:18:11.0343 1608 MA_CMIDI - ok

14:18:11.0406 1608 Microsoft Office Groove Audit Service (fafe367d032ed82e9332b4c741a20216) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe

14:18:11.0421 1608 Microsoft Office Groove Audit Service - ok

14:18:11.0437 1608 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

14:18:11.0562 1608 Modem - ok

14:18:11.0578 1608 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

14:18:11.0703 1608 Mouclass - ok

14:18:11.0734 1608 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

14:18:11.0828 1608 mouhid - ok

14:18:11.0843 1608 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

14:18:11.0968 1608 MountMgr - ok

14:18:11.0968 1608 mraid35x - ok

14:18:11.0984 1608 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

14:18:12.0093 1608 MRxDAV - ok

14:18:12.0125 1608 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

14:18:12.0156 1608 MRxSmb - ok

14:18:12.0171 1608 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe

14:18:12.0296 1608 MSDTC - ok

14:18:12.0328 1608 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

14:18:12.0468 1608 Msfs - ok

14:18:12.0468 1608 MSIServer - ok

14:18:12.0484 1608 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

14:18:12.0609 1608 MSKSSRV - ok

14:18:12.0609 1608 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

14:18:12.0734 1608 MSPCLOCK - ok

14:18:12.0750 1608 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

14:18:12.0859 1608 MSPQM - ok

14:18:12.0875 1608 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

14:18:12.0984 1608 mssmbios - ok

14:18:13.0000 1608 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

14:18:13.0125 1608 Mup - ok

14:18:13.0140 1608 mv614x (6eb1d27590d4bc040f105d2bf35a6c4f) C:\WINDOWS\system32\DRIVERS\mv614x.sys

14:18:13.0140 1608 mv614x ( UnsignedFile.Multi.Generic ) - warning

14:18:13.0140 1608 mv614x - detected UnsignedFile.Multi.Generic (1)

14:18:13.0171 1608 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll

14:18:13.0281 1608 napagent - ok

14:18:13.0296 1608 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

14:18:13.0421 1608 NDIS - ok

14:18:13.0437 1608 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

14:18:13.0546 1608 NdisTapi - ok

14:18:13.0546 1608 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

14:18:13.0671 1608 Ndisuio - ok

14:18:13.0687 1608 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

14:18:13.0796 1608 NdisWan - ok

14:18:13.0796 1608 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

14:18:13.0921 1608 NDProxy - ok

14:18:13.0937 1608 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

14:18:14.0046 1608 NetBIOS - ok

14:18:14.0062 1608 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

14:18:14.0171 1608 NetBT - ok

14:18:14.0187 1608 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:18:14.0312 1608 Netlogon - ok

14:18:14.0328 1608 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll

14:18:14.0437 1608 Netman - ok

14:18:14.0437 1608 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

14:18:14.0546 1608 NIC1394 - ok

14:18:14.0578 1608 Nla (832e4dd8964ab7acc880b2837cb1ed20) C:\WINDOWS\System32\mswsock.dll

14:18:14.0593 1608 Nla - ok

14:18:14.0609 1608 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

14:18:14.0718 1608 Npfs - ok

14:18:14.0750 1608 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

14:18:14.0875 1608 Ntfs - ok

14:18:14.0875 1608 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:18:14.0984 1608 NtLmSsp - ok

14:18:15.0000 1608 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

14:18:15.0109 1608 Null - ok

14:18:15.0187 1608 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

14:18:15.0203 1608 odserv - ok

14:18:15.0234 1608 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

14:18:15.0343 1608 ohci1394 - ok

14:18:15.0359 1608 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

14:18:15.0359 1608 ose - ok

14:18:15.0390 1608 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

14:18:15.0500 1608 Parport - ok

14:18:15.0515 1608 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

14:18:15.0625 1608 PartMgr - ok

14:18:15.0640 1608 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

14:18:15.0734 1608 ParVdm - ok

14:18:15.0765 1608 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

14:18:15.0890 1608 PCI - ok

14:18:15.0890 1608 PCIDump - ok

14:18:15.0906 1608 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

14:18:16.0015 1608 PCIIde - ok

14:18:16.0031 1608 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

14:18:16.0140 1608 Pcmcia - ok

14:18:16.0156 1608 PDCOMP - ok

14:18:16.0156 1608 PDFRAME - ok

14:18:16.0156 1608 PDRELI - ok

14:18:16.0171 1608 PDRFRAME - ok

14:18:16.0171 1608 perc2 - ok

14:18:16.0187 1608 perc2hib - ok

14:18:16.0218 1608 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe

14:18:16.0328 1608 PlugPlay - ok

14:18:16.0343 1608 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:18:16.0453 1608 PolicyAgent - ok

14:18:16.0468 1608 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

14:18:16.0578 1608 PptpMiniport - ok

14:18:16.0593 1608 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:18:16.0687 1608 ProtectedStorage - ok

14:18:16.0703 1608 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

14:18:16.0812 1608 PSched - ok

14:18:16.0828 1608 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

14:18:16.0953 1608 Ptilink - ok

14:18:16.0953 1608 ql1080 - ok

14:18:16.0953 1608 Ql10wnt - ok

14:18:16.0968 1608 ql12160 - ok

14:18:16.0968 1608 ql1240 - ok

14:18:16.0968 1608 ql1280 - ok

14:18:16.0984 1608 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

14:18:17.0093 1608 RasAcd - ok

14:18:17.0109 1608 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll

14:18:17.0218 1608 RasAuto - ok

14:18:17.0234 1608 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

14:18:17.0343 1608 Rasl2tp - ok

14:18:17.0359 1608 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll

14:18:17.0468 1608 RasMan - ok

14:18:17.0484 1608 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

14:18:17.0578 1608 RasPppoe - ok

14:18:17.0593 1608 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

14:18:17.0703 1608 Raspti - ok

14:18:17.0718 1608 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

14:18:17.0828 1608 Rdbss - ok

14:18:17.0828 1608 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

14:18:17.0937 1608 RDPCDD - ok

14:18:17.0953 1608 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

14:18:18.0062 1608 rdpdr - ok

14:18:18.0093 1608 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

14:18:18.0203 1608 RDPWD - ok

14:18:18.0218 1608 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe

14:18:18.0328 1608 RDSessMgr - ok

14:18:18.0328 1608 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

14:18:18.0437 1608 redbook - ok

14:18:18.0453 1608 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll

14:18:18.0562 1608 RemoteAccess - ok

14:18:18.0593 1608 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll

14:18:18.0718 1608 RpcSs - ok

14:18:18.0734 1608 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe

14:18:18.0843 1608 RSVP - ok

14:18:18.0843 1608 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

14:18:18.0937 1608 SamSs - ok

14:18:18.0968 1608 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe

14:18:19.0062 1608 SCardSvr - ok

14:18:19.0093 1608 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll

14:18:19.0203 1608 Schedule - ok

14:18:19.0218 1608 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

14:18:19.0250 1608 Secdrv - ok

14:18:19.0265 1608 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll

14:18:19.0375 1608 seclogon - ok

14:18:19.0375 1608 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll

14:18:19.0484 1608 SENS - ok

14:18:19.0500 1608 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

14:18:19.0609 1608 serenum - ok

14:18:19.0609 1608 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

14:18:19.0718 1608 Serial - ok

14:18:19.0718 1608 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

14:18:19.0812 1608 Sfloppy - ok

14:18:19.0859 1608 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll

14:18:19.0968 1608 SharedAccess - ok

14:18:19.0984 1608 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll

14:18:20.0093 1608 ShellHWDetection - ok

14:18:20.0093 1608 Simbad - ok

14:18:20.0093 1608 Sparrow - ok

14:18:20.0125 1608 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

14:18:20.0218 1608 splitter - ok

14:18:20.0234 1608 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe

14:18:20.0343 1608 Spooler - ok

14:18:20.0390 1608 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys

14:18:20.0390 1608 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505

14:18:20.0390 1608 sptd ( LockedFile.Multi.Generic ) - warning

14:18:20.0390 1608 sptd - detected LockedFile.Multi.Generic (1)

14:18:20.0421 1608 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

14:18:20.0468 1608 Sr - ok

14:18:20.0484 1608 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll

14:18:20.0531 1608 srservice - ok

14:18:20.0562 1608 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys

14:18:20.0609 1608 Srv - ok

14:18:20.0625 1608 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll

14:18:20.0671 1608 SSDPSRV - ok

14:18:20.0703 1608 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll

14:18:20.0843 1608 stisvc - ok

14:18:20.0859 1608 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

14:18:20.0953 1608 swenum - ok

14:18:20.0968 1608 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

14:18:21.0078 1608 swmidi - ok

14:18:21.0078 1608 SwPrv - ok

14:18:21.0093 1608 symc810 - ok

14:18:21.0093 1608 symc8xx - ok

14:18:21.0109 1608 sym_hi - ok

14:18:21.0109 1608 sym_u3 - ok

14:18:21.0125 1608 SynasUSB (e46088b882e6315518630e249ddf958c) C:\WINDOWS\system32\drivers\SynasUSB.sys

14:18:21.0140 1608 SynasUSB - ok

14:18:21.0140 1608 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

14:18:21.0265 1608 sysaudio - ok

14:18:21.0281 1608 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe

14:18:21.0390 1608 SysmonLog - ok

14:18:21.0406 1608 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll

14:18:21.0515 1608 TapiSrv - ok

14:18:21.0546 1608 Tcpip (a29e1209f925a0e9b330e11da5fc7bab) C:\WINDOWS\system32\DRIVERS\tcpip.sys

14:18:21.0562 1608 Tcpip ( UnsignedFile.Multi.Generic ) - warning

14:18:21.0562 1608 Tcpip - detected UnsignedFile.Multi.Generic (1)

14:18:21.0593 1608 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

14:18:21.0703 1608 TDPIPE - ok

14:18:21.0718 1608 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

14:18:21.0828 1608 TDTCP - ok

14:18:21.0843 1608 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

14:18:21.0953 1608 TermDD - ok

14:18:21.0984 1608 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll

14:18:22.0093 1608 TermService - ok

14:18:22.0109 1608 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll

14:18:22.0218 1608 Themes - ok

14:18:22.0218 1608 TosIde - ok

14:18:22.0234 1608 TPkd (5815ae5ef8519066f19e575d67f6f191) C:\WINDOWS\system32\drivers\TPkd.sys

14:18:22.0281 1608 TPkd ( UnsignedFile.Multi.Generic ) - warning

14:18:22.0281 1608 TPkd - detected UnsignedFile.Multi.Generic (1)

14:18:22.0312 1608 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll

14:18:22.0421 1608 TrkWks - ok

14:18:22.0437 1608 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

14:18:22.0546 1608 Udfs - ok

14:18:22.0562 1608 ultra - ok

14:18:22.0578 1608 UMWdf (c81b8635dee0d3ef5f64b3dd643023a5) C:\WINDOWS\system32\wdfmgr.exe

14:18:22.0593 1608 UMWdf - ok

14:18:22.0625 1608 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

14:18:22.0734 1608 Update - ok

14:18:22.0750 1608 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll

14:18:22.0796 1608 upnphost - ok

14:18:22.0796 1608 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe

14:18:22.0937 1608 UPS - ok

14:18:22.0953 1608 USB11LDR (57af81fbaa297c254541cddfbe8d2cb4) C:\WINDOWS\system32\drivers\usb11ldr.sys

14:18:22.0968 1608 USB11LDR - ok

14:18:22.0984 1608 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

14:18:22.0984 1608 USBAAPL ( UnsignedFile.Multi.Generic ) - warning

14:18:22.0984 1608 USBAAPL - detected UnsignedFile.Multi.Generic (1)

14:18:23.0000 1608 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

14:18:23.0093 1608 usbccgp - ok

14:18:23.0125 1608 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

14:18:23.0218 1608 usbehci - ok

14:18:23.0234 1608 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

14:18:23.0343 1608 usbhub - ok

14:18:23.0359 1608 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

14:18:23.0453 1608 usbprint - ok

14:18:23.0468 1608 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

14:18:23.0578 1608 usbscan - ok

14:18:23.0593 1608 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

14:18:23.0687 1608 USBSTOR - ok

14:18:23.0703 1608 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

14:18:23.0796 1608 usbuhci - ok

14:18:23.0812 1608 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

14:18:23.0921 1608 VgaSave - ok

14:18:23.0921 1608 ViaIde - ok

14:18:23.0937 1608 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

14:18:24.0031 1608 VolSnap - ok

14:18:24.0046 1608 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe

14:18:24.0109 1608 VSS - ok

14:18:24.0125 1608 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll

14:18:24.0234 1608 W32Time - ok

14:18:24.0250 1608 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

14:18:24.0343 1608 Wanarp - ok

14:18:24.0359 1608 WDICA - ok

14:18:24.0375 1608 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

14:18:24.0484 1608 wdmaud - ok

14:18:24.0500 1608 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll

14:18:24.0593 1608 WebClient - ok

14:18:24.0625 1608 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll

14:18:24.0734 1608 winmgmt - ok

14:18:24.0765 1608 WmdmPmSN (a477391b7a8b0a0daabadb17cf533a4b) C:\WINDOWS\system32\MsPMSNSv.dll

14:18:24.0781 1608 WmdmPmSN - ok

14:18:24.0812 1608 Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll

14:18:24.0921 1608 Wmi - ok

14:18:24.0968 1608 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe

14:18:25.0078 1608 WmiApSrv - ok

14:18:25.0093 1608 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys

14:18:25.0109 1608 WsAudio_DeviceS(1) - ok

14:18:25.0125 1608 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys

14:18:25.0125 1608 WsAudio_DeviceS(2) - ok

14:18:25.0140 1608 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys

14:18:25.0156 1608 WsAudio_DeviceS(3) - ok

14:18:25.0156 1608 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys

14:18:25.0171 1608 WsAudio_DeviceS(4) - ok

14:18:25.0171 1608 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys

14:18:25.0187 1608 WsAudio_DeviceS(5) - ok

14:18:25.0203 1608 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll

14:18:25.0296 1608 wuauserv - ok

14:18:25.0343 1608 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll

14:18:25.0468 1608 WZCSVC - ok

14:18:25.0484 1608 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll

14:18:25.0578 1608 xmlprov - ok

14:18:25.0609 1608 yukonwxp (89f8c4875e19c7081cf9c37539242ae3) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

14:18:25.0656 1608 yukonwxp - ok

14:18:25.0703 1608 MBR (0x1B8) (ff31c288c3816ef847fb6e7788ce8d72) \Device\Harddisk0\DR0

14:18:26.0812 1608 \Device\Harddisk0\DR0 - ok

14:18:26.0828 1608 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

14:18:27.0250 1608 \Device\Harddisk1\DR1 - ok

14:18:27.0250 1608 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk2\DR2

14:18:27.0296 1608 \Device\Harddisk2\DR2 - ok

14:18:27.0296 1608 Boot (0x1200) (a6dcf807b564c7b40ab07cd0b0a77228) \Device\Harddisk1\DR1\Partition0

14:18:27.0296 1608 \Device\Harddisk1\DR1\Partition0 - ok

14:18:27.0296 1608 Boot (0x1200) (bbe87415c59dd940bfafd94716464936) \Device\Harddisk2\DR2\Partition0

14:18:27.0296 1608 \Device\Harddisk2\DR2\Partition0 - ok

14:18:27.0296 1608 ============================================================

14:18:27.0296 1608 Scan finished

14:18:27.0296 1608 ============================================================

14:18:27.0421 0688 Detected object count: 9

14:18:27.0421 0688 Actual detected object count: 9

14:20:31.0750 0688 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 ATI Smart ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 ati2mtag ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 iPod Service32 ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 iPod Service32 ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 mv614x ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 mv614x ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 sptd ( LockedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

14:20:31.0750 0688 Tcpip ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0750 0688 Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0765 0688 TPkd ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0765 0688 TPkd ( UnsignedFile.Multi.Generic ) - User select action: Skip

14:20:31.0765 0688 USBAAPL ( UnsignedFile.Multi.Generic ) - skipped by user

14:20:31.0765 0688 USBAAPL ( UnsignedFile.Multi.Generic ) - User select action: Skip

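As an added example (not part of this thread, and not TDSSKiller's own code), here is a small Python triage script for logs in the format posted above: it folds the per-object lines into one record each, separates the generic UnsignedFile/LockedFile flags (the kind MrC judged clean below) from any other detection, and calls out detections the operator chose to skip. The sample log lines, the "fakeservice" entry and the heuristic-family list are constructed assumptions, not values from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the line format of the TDSSKiller log posted above
# (hashes and the "fakeservice" entry are made up; the line shapes are real).
SAMPLE_LOG = r"""
14:18:20.0390 1608 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
14:18:20.0390 1608 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
14:18:20.0390 1608 sptd ( LockedFile.Multi.Generic ) - warning
14:18:20.0390 1608 sptd - detected LockedFile.Multi.Generic (1)
14:18:22.0000 1608 fakeservice (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\fakeservice.sys
14:18:22.0000 1608 fakeservice ( Constructed.Sample.Detection ) - warning
14:18:22.0000 1608 fakeservice - detected Constructed.Sample.Detection (1)
14:18:25.0703 1608 MBR (0x1B8) (ff31c288c3816ef847fb6e7788ce8d72) \Device\Harddisk0\DR0
14:18:26.0812 1608 \Device\Harddisk0\DR0 - ok
14:20:31.0750 0688 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
14:20:31.0750 0688 fakeservice ( Constructed.Sample.Detection ) - User select action: Skip
"""

MD5 = r"[0-9a-f]{32}"
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+[0-9A-Fa-f]+\s+(?P<msg>.*)$")
ENUM_RE = re.compile(rf"^(?P<name>.+?) \((?P<md5>{MD5})\) (?P<path>.+)$")
SUSP_RE = re.compile(rf"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+)\. md5: {MD5}$")
WARN_RE = re.compile(r"^(?P<name>.+?) \( (?P<det>\S+) \) - warning$")
DET_RE = re.compile(r"^(?P<name>.+?) - detected (?P<det>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<name>.+?) \( \S+ \) - User select action: (?P<action>.+)$")
OK_RE = re.compile(r"^(?P<name>.+) - ok$")

# Assumption for triage: these TDSSKiller families are generic flags (file is
# unsigned, or could not be read), not signature matches; they need a human
# look rather than automatic removal. Anything else is treated as a signature hit.
HEURISTIC_FAMILIES = {"UnsignedFile", "LockedFile"}

@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: str = "unresolved"              # ok | warning | detected | unresolved
    detections: List[str] = field(default_factory=list)
    suspicious_reason: Optional[str] = None  # e.g. NoAccess
    user_action: Optional[str] = None        # what the operator chose, e.g. Skip

def _flag(ent: Entry, det: str, verdict: str) -> None:
    if det not in ent.detections:
        ent.detections.append(det)
    if ent.verdict != "detected":            # "detected" outranks "warning"
        ent.verdict = verdict

def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Fold the per-line log into one record per scanned object, keyed by name."""
    entries: Dict[str, Entry] = {}
    by_path: Dict[str, Entry] = {}

    def get(name: str) -> Entry:
        return entries.setdefault(name, Entry(name=name))
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                         # banners, separators, blank lines
        msg = m["msg"]
        if (e := ENUM_RE.match(msg)):
            ent = get(e["name"])
            ent.md5, ent.path = e["md5"], e["path"]
            by_path[ent.path] = ent          # MBR/boot verdicts name the device path
        elif (s := SUSP_RE.match(msg)) and s["path"] in by_path:
            by_path[s["path"]].suspicious_reason = s["reason"]
        elif (w := WARN_RE.match(msg)):
            _flag(get(w["name"]), w["det"], "warning")
        elif (d := DET_RE.match(msg)):
            _flag(get(d["name"]), d["det"], "detected")
        elif (a := ACTION_RE.match(msg)):
            get(a["name"]).user_action = a["action"]
        elif (o := OK_RE.match(msg)):
            (by_path.get(o["name"]) or get(o["name"])).verdict = "ok"
    return entries

def triage(entries: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Bucket flagged objects so a reviewer reads the riskiest ones first."""
    out: Dict[str, List[str]] = {k: [] for k in ("signature", "skipped_signature", "heuristic", "unreadable", "unresolved")}
    for name, ent in sorted(entries.items()):
        if ent.verdict in ("warning", "detected"):
            families = {det.split(".")[0] for det in ent.detections}
            if families <= HEURISTIC_FAMILIES:
                out["heuristic"].append(name)
            else:
                out["signature"].append(name)
                if ent.user_action == "Skip":    # a signature hit left in place
                    out["skipped_signature"].append(name)
        elif ent.verdict != "ok":
            out["unresolved"].append(name)       # enumerated but never judged
        if ent.suspicious_reason:
            out["unreadable"].append(name)       # scanner could not open the file
    return out

if __name__ == "__main__":
    for bucket, names in triage(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{bucket:18} {', '.join(names) or '-'}")
```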

That scan was clean, please do this.......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message "Illegal operation attempted on registry key that has been marked for deletion." after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Combofix.txt:

ComboFix 12-05-16.02 - Administrator 05/16/2012 15:33:33.2.2 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

c:\windows\system32\vbscript.dll is missing

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\PriceGong

c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Administrator\bfoaupwyzj.tmp

c:\documents and settings\Administrator\WINDOWS

c:\windows\system32\msconfig.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_BITS32

-------\Service_BITS32

.

.

((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))

.

.

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\wbem\snmp

2012-05-14 23:57 . 2012-05-14 23:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-14 23:22 . 2012-05-14 23:22 270336 ----a-w- c:\windows\system32\atipdlxx32.dll

2012-05-14 23:17 . 2012-05-14 23:22 -------- d-----w- c:\windows\SxsCaPendDel

2012-05-14 23:14 . 2012-05-14 23:14 -------- d-----w- c:\windows\system32\syncdb

2012-04-29 23:41 . 2012-04-29 23:41 -------- d-----w- c:\program files\Common Files\Java

2012-04-29 23:40 . 2012-04-29 23:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-29 23:40 . 2012-04-29 23:40 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-29 23:40 . 2010-08-02 04:07 472864 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-04 22:56 . 2010-02-08 23:45 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys

2012-03-26 21:24 . 2012-03-30 21:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-03-03 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

.

.

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2012-03-26 25704]

S0 mv614x;mv614x;c:\windows\system32\DRIVERS\mv614x.sys [2006-01-06 34432]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-30 691696]

S2 iPod Service32;iPod Service ;c:\windows\system32\atipdlxx32.exe [2011-08-16 1208832]

S3 LynxWDM;LynxWDM;c:\windows\system32\DRIVERS\LynxWDM.sys [2008-06-27 196744]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2007-10-24 23288]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2012-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

2012-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe

HKLM-Run-Wondershare Helper Compact.exe - c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

AddRemove-Ohmforce Ohmboyz PRO VST v1.42 - c:\progra~1\VSTPLU~1\OHMFOR~1\OHMBOY~1\UNINST~1\UNWISE.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-16 15:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'explorer.exe'(672)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\odpdx3232.exe

c:\windows\system32\wdfmgr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-05-16 15:40:26 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-16 22:40

.

Pre-Run: 35,128,258,560 bytes free

Post-Run: 35,130,068,992 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

.

- - End Of File - - 9676481F634D9498C59B99DCED762BA1


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    wscntfy.exe
    regsvc.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

---------------------------------

Please find this file and upload it to VirusTotal for a free scan, and let me know the results (just post the URL):

C:\WINDOWS\system32\odpdx3232.exe

http://www.virustotal.com/

MrC


Systemlook.txt:

SystemLook 30.07.11 by jpshortstuff

Log created at 16:42 on 16/05/2012 by Administrator

Administrator - Elevation successful

========== Filefind ==========

Searching for "wscntfy.exe"

No files found.

Searching for "regsvc.dll"

No files found.

-= EOF =-


Did you upload and scan that file??

You're missing 3 files; do you have a Windows CD that we can get them off of?

vbscript.dll

wscntfy.exe

regsvc.dll

MrC


I did do a scan and that is what came up. Hmm, I do not have a Windows CD to get these files??


I don't see the results of the scan!

Please find this file and upload it to VirusTotal for a free scan, and let me know the results (just copy back the URL):

C:\WINDOWS\system32\odpdx3232.exe

http://www.virustotal.com/

MrC


That website is under maintenance. I'll report back once it is back and running. Thanks MrCharlie for your help.


OK...let's delete that...it's malware.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

    File::
    C:\WINDOWS\system32\odpdx3232.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix.txt:

----------------------------------

ComboFix 12-05-18.03 - Administrator 05/18/2012 15:29:07.3.2 - x86

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

FILE ::

"c:\windows\system32\odpdx3232.exe"

c:\windows\system32\vbscript.dll is missing

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\LocalService\Application Data\02000000c27ec2a91406C.manifest

c:\documents and settings\LocalService\Application Data\02000000c27ec2a91406O.manifest

c:\documents and settings\LocalService\Application Data\02000000c27ec2a91406P.manifest

c:\documents and settings\LocalService\Application Data\02000000c27ec2a91406S.manifest

c:\windows\system32\odpdx3232.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-04-18 to 2012-05-18 )))))))))))))))))))))))))))))))

.

.

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\wbem\snmp

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\xircom

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\system32\oobe

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\srchasst

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\windows\msagent

2012-05-16 22:38 . 2012-05-16 22:38 -------- d-----w- c:\program files\microsoft frontpage

2012-05-14 23:57 . 2012-05-14 23:57 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-14 23:22 . 2012-05-14 23:22 270336 ----a-w- c:\windows\system32\atipdlxx32.dll

2012-05-14 23:17 . 2012-05-14 23:22 -------- d-----w- c:\windows\SxsCaPendDel

2012-05-14 23:14 . 2012-05-14 23:14 -------- d-----w- c:\windows\system32\syncdb

2012-04-29 23:41 . 2012-04-29 23:41 -------- d-----w- c:\program files\Common Files\Java

2012-04-29 23:40 . 2012-04-29 23:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-29 23:40 . 2012-04-29 23:40 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-29 23:40 . 2010-08-02 04:07 472864 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-04 22:56 . 2010-02-08 23:45 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys

2012-03-26 21:24 . 2012-03-30 21:48 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys

2012-03-26 21:24 . 2012-03-30 21:47 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-03-03 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2012-05-16_22.38.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-05-18 22:33 . 2012-05-18 22:33 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat

+ 2001-08-23 13:00 . 2012-05-16 22:42 58170 c:\windows\system32\perfc009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 58170 c:\windows\system32\perfc009.dat

+ 2001-08-23 13:00 . 2012-05-16 22:42 392690 c:\windows\system32\perfh009.dat

- 2001-08-23 13:00 . 2012-05-16 22:29 392690 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2008-04-14 99840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-17 03:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2012-03-26 25704]

R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2012-03-26 25704]

S0 mv614x;mv614x;c:\windows\system32\DRIVERS\mv614x.sys [2006-01-06 34432]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-30 691696]

S2 iPod Service32;iPod Service ;c:\windows\system32\atipdlxx32.exe [2011-08-16 1208832]

S3 LynxWDM;LynxWDM;c:\windows\system32\DRIVERS\LynxWDM.sys [2008-06-27 196744]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2007-10-24 23288]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

2012-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1425521274-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 21:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-18 15:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'explorer.exe'(2344)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\odpdx3232.exe

c:\windows\system32\wdfmgr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2012-05-18 15:34:39 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-18 22:34

ComboFix2.txt 2012-05-16 22:40

.

Pre-Run: 34,908,196,864 bytes free

Post-Run: 35,001,540,608 bytes free

.

- - End Of File - - E3E7F8622C5443D47E3A2E1621108154


Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC


MBAMLOG:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.18.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: ALEXXX-12E93458 [administrator]

5/18/2012 15:42:33

mbam-log-2012-05-18 (15-42-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202422

Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.18.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: ALEXXX-12E93458 [administrator]

5/18/2012 15:42:33

mbam-log-2012-05-18 (15-42-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202422

Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Looks like you posted the same log twice.

Run MB again and let's see if it comes up clean, MrC


Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.18.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Administrator :: ALEXXX-12E93458 [administrator]

5/18/2012 16:04:37

mbam-log-2012-05-18 (16-04-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202454

Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.S) -> Delete on reboot.

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest (Malware.Trace) -> Quarantined and deleted successfully.

(end)


Let's use ComboFix to delete those files......

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

C:\WINDOWS\system32\atipdlxx32.dll

C:\WINDOWS\system32\02000000c27ec2a91406C.manifest

C:\WINDOWS\system32\02000000c27ec2a91406P.manifest

C:\WINDOWS\system32\02000000c27ec2a91406S.manifest

C:\WINDOWS\system32\02000000c27ec2a91406O.manifest

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

This topic is now closed to further replies.