Fake antivirus malware


  • This topic is locked
30 replies to this topic

#1 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 04 March 2012 - 11:47 PM

Hi all,
I got infected with that fake antivirus malware (security shield) that keeps suggesting I have all these infections and tries to get me to authorize removal.
It happened a couple of days ago, but has not even popped up today at all. Just wondering whether it's lurking around in the background or still infecting my computer. Many thanks. Please find attached the requested logs.

Attached files: adaware log1.txt (63.86KB), DDS.txt (17.13KB), Attach.txt (8.31KB)

#2 CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 05 March 2012 - 11:06 PM

Hi ArthurOPlasty,

Please uninstall FileServeManager, reason: http://www.systemloo...rveBHO_dll.html

Upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report:
c:\users\roop\appdata\local\vilzst.exe

Which Symantec/Norton program is installed? In the logs it looks like Norton antivirus is many years old and an old antivirus program will not protect the computer from modern types of malware.

#3 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 06 March 2012 - 01:18 AM

Hi Cecilia,

Many thanks for getting back to me.

Here is the link to the scan report:
https://www.virustot...sis/1330992534/

I have Norton Protection Center 2008; the three-year subscription expired a couple of months ago. I want to uninstall Norton but have heard you need to do it a special way to completely uninstall it, and I'm not sure exactly how. I would like to get another antivirus. Are you aware of any good ones that are available for free and offer real-time protection?

#4 CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 06 March 2012 - 11:06 AM

Hi ArthurOPlasty,

Even when you buy a three year license and receive definition updates every day, you need to update to the latest version of the program itself every year since every new version contains new functions to be able to handle the latest types of malware. You have to clean the computer first, and when that is finished you can uninstall Norton and install something else.

Please follow the instructions on http://www.bleepingc...to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer (don't attach it, just copy the content and paste into your answer).

#5 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 06 March 2012 - 01:42 PM

ComboFix Log

ComboFix 12-03-04.02 - Roop 06/03/2012 23:21:20.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2038.1069 [GMT 11:00]
Running from: c:\users\Roop\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Roop\AppData\Local\vilzst.exe
c:\users\Roop\Documents\~WRL0010.tmp
c:\users\Roop\Documents\~WRL0857.tmp
c:\users\Roop\Documents\~WRL1774.tmp
c:\users\Roop\Documents\~WRL2546.tmp
c:\users\Roop\Documents\~WRL2632.tmp
c:\users\Roop\Documents\~WRL3409.tmp
c:\users\Roop\Documents\~WRL3693.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 12:32 . 2012-03-06 12:32 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-03-06 12:32 . 2012-03-06 12:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-04 22:11 . 2012-03-04 12:29 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-04 12:18 . 2011-12-22 20:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-04 12:18 . 2012-03-04 12:18 -------- d-----w- c:\program files\Lavasoft
2012-02-21 07:27 . 2012-02-21 07:27 -------- d-----w- c:\users\Roop\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 01:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 01:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-04-20 430080]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-04-15 1291264]
"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2011-04-26 375768]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-27 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-27 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-27 133912]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-11 413696]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-04 49168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-19 4472832]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-28 2756608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-04 00:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Roop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\users\Roop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 10:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 01:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-06-20 16:51 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 04:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 14:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 17:35]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 10:38]
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 10:38]
.
2012-03-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Roop.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 19:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\users\Roop\AppData\Roaming\Mozilla\Firefox\Profiles\b9r4obh8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Edit Cookies: {ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99} - %profile%\extensions\{ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-IDMan - c:\program files\Internet Download Manager\IDMan.exe
AddRemove-Mansion Poker - c:\poker\MansionPoker\_MansionPoker.exe
AddRemove-Titan Poker - c:\poker\Titan Poker\_SetupPoker[1].exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-06 23:32
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????|jp???@???h????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,{*Nc[]*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,{*Nc[]*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000_Classes\CLSID\{2b72a2aa-d783-4f34-a337-3843e783ad63}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000002d
"Therad"=dword:00000020
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,a8,d7,e1,c9,cd,8a,a4,d8,f2,eb,74,d8,95,3b,\
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):3a,8c,41,c2,3f,91,10,1f,72,db,2c,f3,39,45,ed,8a,6a,4e,7b,17,5d,
0d,7b,8f,7c,be,81,47,cd,5d,42,98,2f,f4,d2,45,f3,89,43,29,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2012-03-06 23:37:04
ComboFix-quarantined-files.txt 2012-03-06 12:36
.
Pre-Run: 1,233,887,232 bytes free
Post-Run: 1,840,734,208 bytes free
.
- - End Of File - - 36556563203E16B3D679E488728828FC

#6 CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 06 March 2012 - 03:02 PM

Please run an online scan with Eset: http://www.eset.com/onlinescan/
To shorten the scanning time, disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan completes the log file C:\Program\Eset\Eset Online Scanner\log.txt is created. Open it in Notepad and paste its content in your answer.

#7 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 12:47 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6f2213c85aab7f42bebd958dde7fa495
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-06 05:51:23
# local_time=2012-03-07 04:51:23 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 63633395 63633395 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 45848720 168573542 0 0
# compatibility_mode=8192 67108863 100 0 191 191 0 0
# scanned=313297
# found=22
# cleaned=0
# scan_time=11844
C:\Program Files\Red Kawa\Video Converter App\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Roop\AppData\Local\vilzst.exe.vir a variant of Win32/Kryptik.ABWS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\2ba7df00-6773314e Java/Exploit.CVE-2010-0844.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\3d726d4b-3d479d1c a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\5f583a0f-42025bfa probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\29a77082-4c038d5f Java/Exploit.CVE-2009-3867.AL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\6e433856-2d1afae6 Java/Exploit.CVE-2009-3867.AL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\63425c18-31e4031f probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1febdf59-2d00a741 Java/Exploit.CVE-2009-3867.AL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b854b99-341bdfe9 a variant of Java/TrojanDownloader.OpenStream.NBF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\10733803-6defd5f7 a variant of Java/Exploit.CVE-2011-3544.AW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\31cee7a0-544c4368 probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\6ccf05e7-77882dbb probably a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\f0cf627-39572f6e multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\41925e2a-3a653f41 a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\4ba1196c-668ccb1d a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1baeccbb-3888baeb Java/Exploit.CVE-2009-3867.AL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\fea4bbe-3293e2cb a variant of Java/Agent.BR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\Documents\Adobe CS3\ACS3MCD1.iso a variant of Win32/Keygen.BR application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\Downloads\SoftonicDownloader_for_sopcast.exe a variant of Win32/SoftonicDownloader.A application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\Downloads\Programs\ps3video9-408-setup.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\mseuncermm.dll a variant of Win32/Spy.KeyLogger.NOB trojan (unable to clean) 00000000000000000000000000000000 I

#8 CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 07 March 2012 - 11:29 AM

C:\Program Files\Red Kawa\Video Converter App\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application
OpenCandy is an advertising product, see http://en.wikipedia.org/wiki/OpenCandy and http://kb.eset.com/e...ent&id=SOLN2677

C:\Users\Roop\Downloads\SoftonicDownloader_for_sopcast.exe a variant of Win32/SoftonicDownloader.A application
Same here, see http://en.wikipedia....c.com#Downloads

C:\Users\Roop\Documents\Adobe CS3\ACS3MCD1.iso a variant of Win32/Keygen.BR application
It is always a risk that illegal programs contain malware.

Decide if you want to keep those programs.

Copy all lines in the box:
Killall::
ClearJavaCache::
File::
C:\Windows\System32\mseuncermm.dll
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop; the program will start in a special way.
Paste the new ComboFix log into your answer and a new DDS.txt for a new check.

How is the computer behaving now?

#9 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 12:22 PM

Doing the scan as we speak. Computer is behaving well; haven't seen that fake antivirus for a few days now. Just uninstalled the above programs, but will keep Adobe. What about all of those other findings from the ESET scan, like the Java things? I always suspected that may be something unusual, since it always asks me to update every time I restart. Also, could you suggest a good free antivirus to install once the cleaning process is finished? Many thanks.

ComboFix at stage 32 atm

#10 CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 07 March 2012 - 12:39 PM

ComboFix is removing all the Java files that Eset's scan found. Those files show that you have visited web pages that have infected, or tried to infect, the computer. It is very important to always update all programs, for example Java, Flash and Adobe Reader, to the latest version, since old versions with known vulnerabilities are common ways for malicious web pages to infect the computer. You have Java 6 Update 23 but the latest version is Update 30. When we are finished I will give you more advice about this.

I would like to recommend Ad-Aware to you as an antivirus program, but the free version of Ad-Aware 9 does not protect the computer enough. When Ad-Aware 10 is released it should be fine, since it has full real-time protection etc. While waiting for the new version, the free versions of Avast, AVG and Avira Antivir are good options. But wait to install one until we know for sure that it will not be necessary to run ComboFix again.
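As an added example (not part of the thread, and not ESET or ComboFix code), here is the triage that posts #8 and #10 do by hand over the ESET log pasted in #7: parse the "# key=value" header and the detection lines, sort each finding into quarantined, Java-cache, potentially-unwanted or active, and lay out the CFScript directives (Killall::, ClearJavaCache::, File::) exactly as used above. The detection-line layout is read off the pasted log; the four category rules and the "unable to clean" sanity note are my own and are marked as such in the comments.

```python
"""Triage of an ESET Online Scanner log of the kind pasted in post #7.

Added example, not part of the thread and not ESET or ComboFix code. The
detection-line layout (path, detection name, "(unable to clean)", a
32-hex-digit field, a flag) is read off the pasted log; the four categories
and the CFScript directive names follow the advice given in posts #8 and #10.
"""
import re
from collections import Counter

# Constructed sample input: an excerpt of the log in post #7 with the header trimmed.
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# archives_checked=true
# scanned=313297
# found=22
# cleaned=0
C:\Program Files\Red Kawa\Video Converter App\OpenCandy\OCSetupHlp.dll Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Roop\AppData\Local\vilzst.exe.vir a variant of Win32/Kryptik.ABWS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\2ba7df00-6773314e Java/Exploit.CVE-2010-0844.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\f0cf627-39572f6e multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Roop\Documents\Adobe CS3\ACS3MCD1.iso a variant of Win32/Keygen.BR application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\mseuncermm.dll a variant of Win32/Spy.KeyLogger.NOB trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Tail of every detection line: "(action) <32 hex digits> <flag>".
TAIL_RE = re.compile(
    r"^(?P<body>.+?)\s+\((?P<action>[^()]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$")
# The detection name starts at the first token that is "multiple threats",
# "[probably] a variant of <Family/Name>", or a bare "<Family/Name>". Windows
# paths never contain "/", so this separates the (space-containing) path from it.
DETECTION_START_RE = re.compile(r"\s(?=(?:probably )?a variant of \S+/|multiple threats|\S+/\S+)")


def classify(path, detection):
    """Sort a finding into the buckets the thread handles differently (my rules)."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine"):
        return "quarantined"   # already isolated by ComboFix; nothing left to remove
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java-cache"    # leftovers of drive-by attempts against an outdated Java
    if detection.endswith(" application"):
        return "pua"           # potentially unwanted software; the user decides
    return "active"            # anything else is live malware to remove


def parse_eset_log(text):
    """Return (header dict, list of findings, lines that did not parse)."""
    header, findings, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header.setdefault(key, value)   # compatibility_mode repeats; keep the first
            continue
        tail = TAIL_RE.match(line)
        start = DETECTION_START_RE.search(tail.group("body")) if tail else None
        if tail is None or start is None:
            unparsed.append(line)           # never guess: surface what we could not read
            continue
        body = tail.group("body")
        path, detection = body[:start.start()], body[start.end():]
        findings.append({"path": path, "detection": detection,
                         "action": tail.group("action"),
                         "category": classify(path, detection)})
    return header, findings, unparsed


def summarize(header, findings):
    """Per-category counts plus a sanity note about 'unable to clean'."""
    counts = Counter(f["category"] for f in findings)
    notes = []
    if header.get("remove_checked") == "false" and header.get("cleaned") == "0":
        notes.append('"unable to clean" on every line is expected: the scan ran '
                     'with "Remove found threats" unchecked, as instructed')
    return dict(counts), notes


def build_cfscript(findings):
    """Lay out the directives used in post #8: Killall::, ClearJavaCache:: when
    Java cache hits exist, then File:: followed by the active paths to remove.
    Quarantined items and PUAs are deliberately left out."""
    lines = ["Killall::"]
    if any(f["category"] == "java-cache" for f in findings):
        lines.append("ClearJavaCache::")
    active = [f["path"] for f in findings if f["category"] == "active"]
    if active:
        lines.append("File::")
        lines.extend(active)
    return lines


if __name__ == "__main__":
    hdr, found, bad = parse_eset_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['category']:<12} {f['detection']:<42} {f['path']}")
    counts, notes = summarize(hdr, found)
    print(counts, f"(scanner reported found={hdr.get('found')}, cleaned={hdr.get('cleaned')})")
    for note in notes:
        print("note:", note)
    print("\n--- CFScript ---\n" + "\n".join(build_cfscript(found)))
    if bad:
        print("unparsed lines:", len(bad))
```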

#11 ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 12:52 PM

Got a problem now: ComboFix said it was restoring an infected system file and restarted the computer. I can't open Mozilla now; it says an illegal operation attempted on a registry key that has been marked for deletion. Same when I right-click on the desktop to go to my graphics properties: it says 'c:\windows\system32\igfxcfg.exe illegal operation attempted on reg key that has been marked for deletion' also.



ComboFix 12-03-04.02 - Roop 07/03/2012 22:15:29.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2038.1092 [GMT 11:00]
Running from: c:\users\Roop\Desktop\ComboFix.exe
Command switches used :: c:\users\Roop\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
* Created a new restore point
.
FILE ::
"c:\windows\System32\mseuncermm.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\mseuncermm.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!System32!userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
2012-03-07 11:27 . 2012-03-07 11:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-07 11:27 . 2012-03-07 11:31 -------- d-----w- c:\users\Roop\AppData\Local\temp
2012-03-07 11:27 . 2012-03-07 11:27 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-03-06 14:30 . 2012-03-06 14:30 -------- d-----w- c:\program files\ESET
2012-03-04 22:11 . 2012-03-04 12:29 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-04 12:18 . 2011-12-22 20:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-04 12:18 . 2012-03-04 12:18 -------- d-----w- c:\program files\Lavasoft
2012-02-21 07:27 . 2012-02-21 07:27 -------- d-----w- c:\users\Roop\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 01:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 01:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-04-20 430080]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-04-15 1291264]
"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2011-04-26 375768]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-27 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-27 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-27 133912]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-03-22 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-11 413696]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-04 49168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-19 4472832]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-28 2756608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-04 00:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Roop^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\users\Roop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 10:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 01:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-06-20 16:51 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 04:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 14:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-22 12:28]
.
2012-03-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 17:35]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 10:38]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 10:38]
.
2012-03-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Roop.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 19:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\users\Roop\AppData\Roaming\Mozilla\Firefox\Profiles\b9r4obh8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Edit Cookies: {ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99} - %profile%\extensions\{ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-07 22:34
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????|jp???@???h????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,{*Nc[]*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*,{*Nc[]*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000_Classes\CLSID\{2b72a2aa-d783-4f34-a337-3843e783ad63}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000002d
"Therad"=dword:00000020
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,a8,d7,e1,c9,cd,8a,a4,d8,f2,eb,74,d8,95,3b,\
.
[HKEY_USERS\S-1-5-21-3184531960-3555862301-1856031694-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):3a,8c,41,c2,3f,91,10,1f,72,db,2c,f3,39,45,ed,8a,6a,4e,7b,17,5d,
0d,7b,8f,7c,be,81,47,cd,5d,42,98,2f,f4,d2,45,f3,89,43,29,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'Explorer.exe'(4232)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\WUDFHost.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\WerCon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
.
**************************************************************************
.
Completion time: 2012-03-07 22:42:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-07 11:41
ComboFix2.txt 2012-03-06 12:37
.
Pre-Run: 2,385,973,248 bytes free
Post-Run: 1,224,634,368 bytes free
.
- - End Of File - - 9DDBB64F495D99B63922E418A5D69996

#12 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 07 March 2012 - 01:06 PM

Please restart the computer once, or twice if necessary.

If the problem still exists, do a system restore to a time before the last ComboFix run.
Start menu - All programs - Accessories - System Tools - System Restore

#13 ArthurOPlasty

ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 01:06 PM

I also can't run DDS because of similar messages.

#14 ArthurOPlasty

ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 01:23 PM

Okay, the restart worked. But the computer has gone back to being a bit sluggish, with a lot of items still in the start tray (18 items), as opposed to only the 3 or 4 that were there after the first ComboFix run a couple of days ago.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_23
Run by Roop at 23:15:42 on 2012-03-07
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2038.748 [GMT 11:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\MyTomTom 3\MyTomTomSA.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [MyTomTomSA.exe] "c:\program files\mytomtom 3\MyTomTomSA.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543} - c:\poker\titan poker\casino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partypoker\partypoker\RunApp.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{16847BB1-5FB8-4030-AE27-6C1650EAADD2} : DhcpNameServer = 10.1.1.1
TCP: Interfaces\{643C18ED-D32C-4164-B72A-E14C6CBBBC32} : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{77368327-EAD8-44F4-B188-54C20067CC3E} : DhcpNameServer = 129.94.153.11
TCP: Interfaces\{BAC343C6-A813-4583-BF08-B66E0360DB7A} : DhcpNameServer = 172.16.1.42
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\roop\appdata\roaming\mozilla\firefox\profiles\b9r4obh8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Edit Cookies: {ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99} - %profile%\extensions\{ea2b95c2-9be8-48ed-bdd1-5fcd2ad0ff99}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-3-4 64512]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20110929.001\IDSvix86.sys [2011-9-30 287792]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-4-23 25896]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-12-4 149352]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-30 105592]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2009-5-25 451072]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-31 23888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-2-25 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-2-25 8456]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-6 289280]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-10-6 1251720]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-9 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-9 135664]
.
=============== Created Last 30 ================
.
2012-03-07 11:30:55 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-07 11:27:01 -------- d-----w- c:\users\roop\appdata\local\temp
2012-03-07 11:10:22 -------- d-----w- C:\ComboFix
2012-03-06 14:30:49 -------- d-----w- c:\program files\ESET
2012-03-06 12:17:44 98816 ----a-w- c:\windows\sed.exe
2012-03-06 12:17:44 518144 ----a-w- c:\windows\SWREG.exe
2012-03-04 22:11:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-04 12:18:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-04 12:18:12 -------- d-----w- c:\program files\Lavasoft
2012-02-21 07:27:14 -------- d-----w- c:\users\roop\appdata\local\DDMSettings
.
==================== Find3M ====================
.
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
============= FINISH: 23:17:22.05 ===============

Edited by ArthurOPlasty, 07 March 2012 - 01:27 PM.


#15 ArthurOPlasty

ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 07 March 2012 - 01:29 PM

Here's the other log.

Attached Files



#16 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 07 March 2012 - 03:46 PM

Since a Windows file had been altered, it is best to run two more programs.

1.
Save TDSSKiller on the Desktop:
http://support.kaspe.../tdsskiller.zip

Right-click and select Extract all. Remember the location of the extracted file.
Turn off all programs.
Run the program TDSSKiller.exe which is the file you extracted.

Click on Start Scan.

If any threats are found select Cure and click Continue. If Cure isn't available select Skip. Do NOT select Quarantine or Delete.
The computer might need a restart.

Paste the content of the TDSSKiller log which is located in the folder C:\ with the name TDSSKiller followed by version and time.

2.
Please download aswMBR to your desktop. http://public.avast....erek/aswMBR.exe

Double click it to start the program.
Allow it to download extra definitions.
Click the Scan button to start the scan.
When the scan has finished click the Save log button and save it to your desktop.
Post the log.

with a lot of items still in the start tray (18 items), as opposed to only the 3 or 4 that were there after the first combofix was run a couple of days ago.

Strange, I have never heard of or seen ComboFix deactivating the automatic start of programs.

#17 ArthurOPlasty

ArthurOPlasty

    Advanced Member

  • Members
  • 59 posts

Posted 08 March 2012 - 01:24 AM

09:41:58.0779 3532 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
09:41:59.0513 3532 ============================================================
09:41:59.0513 3532 Current date / time: 2012/03/08 09:41:59.0513
09:41:59.0513 3532 SystemInfo:
09:41:59.0513 3532
09:41:59.0513 3532 OS Version: 6.0.6001 ServicePack: 1.0
09:41:59.0513 3532 Product type: Workstation
09:41:59.0513 3532 ComputerName: COMMODORE64
09:41:59.0514 3532 UserName: Roop
09:41:59.0514 3532 Windows directory: C:\Windows
09:41:59.0514 3532 System windows directory: C:\Windows
09:41:59.0514 3532 Processor architecture: Intel x86
09:41:59.0514 3532 Number of processors: 2
09:41:59.0514 3532 Page size: 0x1000
09:41:59.0514 3532 Boot type: Normal boot
09:41:59.0514 3532 ============================================================
09:42:00.0095 3532 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
09:42:00.0097 3532 \Device\Harddisk0\DR0:
09:42:00.0098 3532 MBR used
09:42:00.0098 3532 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x1C4ED800
09:42:00.0134 3532 Initialize success
09:42:00.0134 3532 ============================================================
09:42:15.0862 4648 ============================================================
09:42:15.0862 4648 Scan started
09:42:15.0862 4648 Mode: Manual;
09:42:15.0862 4648 ============================================================
09:42:17.0148 4648 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
09:42:17.0203 4648 ACPI - ok
09:42:17.0578 4648 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
09:42:17.0601 4648 adp94xx - ok
09:42:17.0656 4648 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
09:42:17.0664 4648 adpahci - ok
09:42:17.0773 4648 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
09:42:17.0776 4648 adpu160m - ok
09:42:17.0878 4648 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
09:42:17.0883 4648 adpu320 - ok
09:42:17.0974 4648 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
09:42:17.0982 4648 AFD - ok
09:42:18.0198 4648 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
09:42:18.0244 4648 AgereSoftModem - ok
09:42:18.0325 4648 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
09:42:18.0328 4648 agp440 - ok
09:42:18.0389 4648 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
09:42:18.0394 4648 aic78xx - ok
09:42:18.0518 4648 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
09:42:18.0521 4648 aliide - ok
09:42:18.0577 4648 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
09:42:18.0581 4648 amdagp - ok
09:42:18.0650 4648 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
09:42:18.0652 4648 amdide - ok
09:42:18.0713 4648 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
09:42:18.0717 4648 AmdK7 - ok
09:42:18.0839 4648 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
09:42:18.0842 4648 AmdK8 - ok
09:42:18.0978 4648 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
09:42:18.0982 4648 arc - ok
09:42:19.0059 4648 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
09:42:19.0063 4648 arcsas - ok
09:42:19.0226 4648 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
09:42:19.0229 4648 AsyncMac - ok
09:42:19.0308 4648 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
09:42:19.0311 4648 atapi - ok
09:42:19.0401 4648 athrusb (9dab3b4d046d88d14c2aa3ba79ca0570) C:\Windows\system32\DRIVERS\athrusb.sys
09:42:19.0423 4648 athrusb - ok
09:42:19.0634 4648 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
09:42:19.0636 4648 Beep - ok
09:42:19.0682 4648 blbdrive - ok
09:42:19.0768 4648 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
09:42:19.0772 4648 bowser - ok
09:42:19.0858 4648 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
09:42:19.0862 4648 BrFiltLo - ok
09:42:19.0977 4648 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
09:42:19.0980 4648 BrFiltUp - ok
09:42:20.0076 4648 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
09:42:20.0080 4648 Brserid - ok
09:42:20.0142 4648 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
09:42:20.0146 4648 BrSerWdm - ok
09:42:20.0232 4648 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
09:42:20.0235 4648 BrUsbMdm - ok
09:42:20.0340 4648 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
09:42:20.0343 4648 BrUsbSer - ok
09:42:20.0410 4648 BthEnum (a820438255f37ab8baa2bd59753a8d81) C:\Windows\system32\DRIVERS\BthEnum.sys
09:42:20.0412 4648 BthEnum - ok
09:42:20.0492 4648 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
09:42:20.0495 4648 BTHMODEM - ok
09:42:20.0554 4648 BthPan (b8c3d9ddf85fd197c3e5f849fef71144) C:\Windows\system32\DRIVERS\bthpan.sys
09:42:20.0559 4648 BthPan - ok
09:42:20.0672 4648 BTHPORT (4a74bbb2b6761789f42a6613479bdb1d) C:\Windows\system32\Drivers\BTHport.sys
09:42:20.0680 4648 BTHPORT - ok
09:42:20.0804 4648 BTHUSB (1a407f9b707a06f55aa150f9aa072b09) C:\Windows\system32\Drivers\BTHUSB.sys
09:42:20.0808 4648 BTHUSB - ok
09:42:20.0936 4648 catchme - ok
09:42:21.0121 4648 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
09:42:21.0125 4648 cdfs - ok
09:42:21.0198 4648 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
09:42:21.0202 4648 cdrom - ok
09:42:21.0290 4648 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
09:42:21.0293 4648 circlass - ok
09:42:21.0425 4648 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
09:42:21.0434 4648 CLFS - ok
09:42:21.0560 4648 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
09:42:21.0563 4648 CmBatt - ok
09:42:21.0629 4648 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
09:42:21.0632 4648 cmdide - ok
09:42:21.0735 4648 COH_Mon (6186b6b953bdc884f0f379b84b3e3a98) C:\Windows\system32\Drivers\COH_Mon.sys
09:42:21.0737 4648 COH_Mon - ok
09:42:21.0842 4648 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
09:42:21.0845 4648 Compbatt - ok
09:42:21.0899 4648 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
09:42:21.0902 4648 crcdisk - ok
09:42:21.0961 4648 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
09:42:21.0964 4648 Crusoe - ok
09:42:22.0149 4648 CSC (9a5434125c3dfe42393de4bbb791bd19) C:\Windows\system32\drivers\csc.sys
09:42:22.0161 4648 CSC - ok
09:42:22.0286 4648 DELL_A02 (8a87352d9fb9597511c34d0c8c0e7223) C:\Windows\system32\DRIVERS\PRISMA02.sys
09:42:22.0298 4648 DELL_A02 - ok
09:42:22.0381 4648 DfsC (a3e9fa213f443ac77c7746119d13feec) C:\Windows\system32\Drivers\dfsc.sys
09:42:22.0386 4648 DfsC - ok
09:42:22.0548 4648 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
09:42:22.0551 4648 disk - ok
09:42:22.0617 4648 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
09:42:22.0619 4648 drmkaud - ok
09:42:22.0710 4648 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
09:42:22.0744 4648 DXGKrnl - ok
09:42:22.0878 4648 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
09:42:22.0886 4648 E1G60 - ok
09:42:22.0970 4648 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
09:42:22.0976 4648 Ecache - ok
09:42:23.0172 4648 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
09:42:23.0195 4648 eeCtrl - ok
09:42:23.0331 4648 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
09:42:23.0354 4648 elxstor - ok
09:42:23.0436 4648 epmntdrv (539ca34fbc74ec366a0d751028c32a08) C:\Windows\system32\epmntdrv.sys
09:42:23.0440 4648 epmntdrv - ok
09:42:23.0607 4648 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
09:42:23.0609 4648 EraserUtilRebootDrv - ok
09:42:23.0704 4648 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\Windows\system32\EuGdiDrv.sys
09:42:23.0706 4648 EuGdiDrv - ok
09:42:23.0843 4648 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
09:42:23.0846 4648 exfat - ok
09:42:23.0933 4648 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
09:42:23.0937 4648 fastfat - ok
09:42:24.0032 4648 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
09:42:24.0033 4648 fdc - ok
09:42:24.0183 4648 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
09:42:24.0186 4648 FileInfo - ok
09:42:24.0258 4648 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
09:42:24.0260 4648 Filetrace - ok
09:42:24.0318 4648 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
09:42:24.0319 4648 flpydisk - ok
09:42:24.0440 4648 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
09:42:24.0445 4648 FltMgr - ok
09:42:24.0513 4648 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
09:42:24.0515 4648 Fs_Rec - ok
09:42:24.0567 4648 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
09:42:24.0570 4648 gagp30kx - ok
09:42:24.0631 4648 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\Windows\system32\Drivers\GEARAspiWDM.sys
09:42:24.0633 4648 GEARAspiWDM - ok
09:42:24.0822 4648 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
09:42:24.0829 4648 HdAudAddService - ok
09:42:24.0883 4648 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
09:42:24.0886 4648 HDAudBus - ok
09:42:24.0934 4648 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
09:42:24.0937 4648 HidBth - ok
09:42:24.0986 4648 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
09:42:24.0989 4648 HidIr - ok
09:42:25.0116 4648 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
09:42:25.0119 4648 HidUsb - ok
09:42:25.0197 4648 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
09:42:25.0200 4648 HpCISSs - ok
09:42:25.0292 4648 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
09:42:25.0315 4648 HTTP - ok
09:42:25.0460 4648 hwdatacard (19e6885a061011d8dabe8f64498423fa) C:\Windows\system32\DRIVERS\ewusbmdm.sys
09:42:25.0465 4648 hwdatacard - ok
09:42:25.0551 4648 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
09:42:25.0555 4648 i2omp - ok
09:42:25.0636 4648 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
09:42:25.0639 4648 i8042prt - ok
09:42:25.0771 4648 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\Windows\system32\DRIVERS\iaStor.sys
09:42:25.0776 4648 iaStor - ok
09:42:25.0832 4648 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
09:42:25.0841 4648 iaStorV - ok
09:42:25.0995 4648 IDSvix86 (b147ccf3b7a42b64af8ec0520b4b15e3) C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20110929.001\IDSvix86.sys
09:42:26.0005 4648 IDSvix86 - ok
09:42:26.0182 4648 igfx (75577d903d8f90e7985f5cddd7dd1e2d) C:\Windows\system32\DRIVERS\igdkmd32.sys
09:42:26.0250 4648 igfx - ok
09:42:26.0327 4648 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
09:42:26.0330 4648 iirsp - ok
09:42:26.0496 4648 IntcAzAudAddService (76c7728ae966ec10da79df69e284910f) C:\Windows\system32\drivers\RTKVHDA.sys
09:42:26.0565 4648 IntcAzAudAddService - ok
09:42:26.0701 4648 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
09:42:26.0704 4648 intelide - ok
09:42:26.0798 4648 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
09:42:26.0801 4648 intelppm - ok
09:42:26.0883 4648 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
09:42:26.0887 4648 IpFilterDriver - ok
09:42:26.0927 4648 IpInIp - ok
09:42:27.0062 4648 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
09:42:27.0066 4648 IPMIDRV - ok
09:42:27.0151 4648 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
09:42:27.0156 4648 IPNAT - ok
09:42:27.0244 4648 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
09:42:27.0248 4648 IRENUM - ok
09:42:27.0299 4648 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
09:42:27.0302 4648 isapnp - ok
09:42:27.0443 4648 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
09:42:27.0449 4648 iScsiPrt - ok
09:42:27.0513 4648 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
09:42:27.0517 4648 iteatapi - ok
09:42:27.0565 4648 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
09:42:27.0569 4648 iteraid - ok
09:42:27.0631 4648 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
09:42:27.0635 4648 kbdclass - ok
09:42:27.0749 4648 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
09:42:27.0752 4648 kbdhid - ok
09:42:27.0858 4648 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
09:42:27.0881 4648 KSecDD - ok
09:42:27.0970 4648 Lbd (336abe8721cbc3110f1c6426da633417) C:\Windows\system32\DRIVERS\Lbd.sys
09:42:27.0972 4648 Lbd - ok
09:42:28.0107 4648 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
09:42:28.0109 4648 lltdio - ok
09:42:28.0163 4648 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
09:42:28.0166 4648 LSI_FC - ok
09:42:28.0224 4648 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
09:42:28.0226 4648 LSI_SAS - ok
09:42:28.0281 4648 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
09:42:28.0283 4648 LSI_SCSI - ok
09:42:28.0368 4648 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
09:42:28.0370 4648 luafv - ok
09:42:28.0501 4648 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
09:42:28.0503 4648 megasas - ok
09:42:28.0590 4648 mod7700 (f37a8070f1e6d0a1feac34ebb846fd05) C:\Windows\system32\Drivers\dvb7700all.sys
09:42:28.0613 4648 mod7700 - ok
09:42:28.0689 4648 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
09:42:28.0691 4648 Modem - ok
09:42:28.0754 4648 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
09:42:28.0756 4648 monitor - ok
09:42:28.0863 4648 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
09:42:28.0865 4648 mouclass - ok
09:42:28.0902 4648 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
09:42:28.0904 4648 mouhid - ok
09:42:28.0978 4648 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
09:42:28.0981 4648 MountMgr - ok
09:42:29.0069 4648 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
09:42:29.0073 4648 mpio - ok
09:42:29.0217 4648 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
09:42:29.0219 4648 mpsdrv - ok
09:42:29.0272 4648 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
09:42:29.0275 4648 Mraid35x - ok
09:42:29.0355 4648 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
09:42:29.0359 4648 MRxDAV - ok
09:42:29.0423 4648 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
09:42:29.0427 4648 mrxsmb - ok
09:42:29.0552 4648 mrxsmb10 (6b5fa5adfacac9dbbe0991f4566d7d55) C:\Windows\system32\DRIVERS\mrxsmb10.sys
09:42:29.0559 4648 mrxsmb10 - ok
09:42:29.0610 4648 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
09:42:29.0613 4648 mrxsmb20 - ok
09:42:29.0667 4648 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
09:42:29.0670 4648 msahci - ok
09:42:29.0725 4648 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
09:42:29.0728 4648 msdsm - ok
09:42:29.0854 4648 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
09:42:29.0857 4648 Msfs - ok
09:42:30.0006 4648 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
09:42:30.0008 4648 msisadrv - ok
09:42:30.0082 4648 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
09:42:30.0085 4648 MSKSSRV - ok
09:42:30.0177 4648 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
09:42:30.0180 4648 MSPCLOCK - ok
09:42:30.0274 4648 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
09:42:30.0276 4648 MSPQM - ok
09:42:30.0358 4648 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
09:42:30.0365 4648 MsRPC - ok
09:42:30.0450 4648 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
09:42:30.0452 4648 mssmbios - ok
09:42:30.0534 4648 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
09:42:30.0537 4648 MSTEE - ok
09:42:30.0615 4648 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
09:42:30.0619 4648 Mup - ok
09:42:30.0757 4648 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
09:42:30.0764 4648 NativeWifiP - ok
09:42:30.0851 4648 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111002.004\NAVENG.SYS
09:42:30.0856 4648 NAVENG - ok
09:42:30.0942 4648 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111002.004\NAVEX15.SYS
09:42:31.0000 4648 NAVEX15 - ok
09:42:31.0118 4648 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
09:42:31.0142 4648 NDIS - ok
09:42:31.0285 4648 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
09:42:31.0288 4648 NdisTapi - ok
09:42:31.0361 4648 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
09:42:31.0364 4648 Ndisuio - ok
09:42:31.0440 4648 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
09:42:31.0445 4648 NdisWan - ok
09:42:31.0513 4648 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
09:42:31.0516 4648 NDProxy - ok
09:42:31.0614 4648 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
09:42:31.0617 4648 NetBIOS - ok
09:42:31.0698 4648 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
09:42:31.0705 4648 netbt - ok
09:42:31.0885 4648 NETw3v32 (a15f219208843a5a210c8cb391384453) C:\Windows\system32\DRIVERS\NETw3v32.sys
09:42:31.0955 4648 NETw3v32 - ok
09:42:32.0154 4648 NETw4v32 (1d73499a6664b4da05d750ff83fdb274) C:\Windows\system32\DRIVERS\NETw4v32.sys
09:42:32.0234 4648 NETw4v32 - ok
09:42:32.0280 4648 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
09:42:32.0284 4648 nfrd960 - ok
09:42:32.0382 4648 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
09:42:32.0385 4648 Npfs - ok
09:42:32.0474 4648 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
09:42:32.0477 4648 nsiproxy - ok
09:42:32.0636 4648 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
09:42:32.0682 4648 Ntfs - ok
09:42:32.0740 4648 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
09:42:32.0743 4648 ntrigdigi - ok
09:42:32.0789 4648 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
09:42:32.0791 4648 Null - ok
09:42:32.0833 4648 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
09:42:32.0837 4648 nvraid - ok
09:42:32.0892 4648 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
09:42:32.0895 4648 nvstor - ok
09:42:33.0003 4648 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
09:42:33.0009 4648 nv_agp - ok
09:42:33.0050 4648 NwlnkFlt - ok
09:42:33.0084 4648 NwlnkFwd - ok
09:42:33.0149 4648 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
09:42:33.0152 4648 ohci1394 - ok
09:42:33.0326 4648 PalmUSBD (945da25e897eeb2c64861c3cada00d3a) C:\Windows\system32\drivers\PalmUSBD.sys
09:42:33.0329 4648 PalmUSBD - ok
09:42:33.0393 4648 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
09:42:33.0398 4648 Parport - ok
09:42:33.0475 4648 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
09:42:33.0478 4648 partmgr - ok
09:42:33.0528 4648 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
09:42:33.0531 4648 Parvdm - ok
09:42:33.0672 4648 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
09:42:33.0679 4648 pci - ok
09:42:33.0737 4648 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
09:42:33.0740 4648 pciide - ok
09:42:33.0798 4648 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
09:42:33.0805 4648 pcmcia - ok
09:42:33.0916 4648 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
09:42:33.0951 4648 PEAUTH - ok
09:42:34.0167 4648 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
09:42:34.0171 4648 PptpMiniport - ok
09:42:34.0238 4648 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
09:42:34.0242 4648 Processor - ok
09:42:34.0337 4648 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
09:42:34.0341 4648 PSched - ok
09:42:34.0444 4648 QIOMem (674eba70a52c02696e503b0a57ae6372) C:\Windows\system32\DRIVERS\QIOMem.sys
09:42:34.0446 4648 QIOMem - ok
09:42:34.0543 4648 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
09:42:34.0578 4648 ql2300 - ok
09:42:34.0672 4648 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
09:42:34.0677 4648 ql40xx - ok
09:42:34.0821 4648 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
09:42:34.0825 4648 QWAVEdrv - ok
09:42:34.0873 4648 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
09:42:34.0876 4648 RasAcd - ok
09:42:34.0974 4648 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
09:42:34.0979 4648 Rasl2tp - ok
09:42:35.0109 4648 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
09:42:35.0110 4648 RasPppoe - ok
09:42:35.0272 4648 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
09:42:35.0313 4648 RasSstp - ok
09:42:35.0518 4648 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
09:42:35.0541 4648 rdbss - ok
09:42:35.0835 4648 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
09:42:35.0837 4648 RDPCDD - ok
09:42:35.0937 4648 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\DRIVERS\rdpdr.sys
09:42:35.0959 4648 rdpdr - ok
09:42:36.0124 4648 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
09:42:36.0126 4648 RDPENCDD - ok
09:42:36.0215 4648 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
09:42:36.0228 4648 RDPWD - ok
09:42:36.0331 4648 RFCOMM (7ec90c316177ba3f1bce92005264b447) C:\Windows\system32\DRIVERS\rfcomm.sys
09:42:36.0347 4648 RFCOMM - ok
09:42:36.0747 4648 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
09:42:36.0777 4648 rimmptsk - ok
09:42:36.0985 4648 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
09:42:36.0988 4648 rimsptsk - ok
09:42:37.0025 4648 rismxdp (d231b577024aa324af13a42f3a807d10) C:\Windows\system32\DRIVERS\rixdptsk.sys
09:42:37.0028 4648 rismxdp - ok
09:42:37.0106 4648 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
09:42:37.0109 4648 ROOTMODEM - ok
09:42:37.0281 4648 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
09:42:37.0308 4648 rspndr - ok
09:42:37.0666 4648 RTL8169 (71b7026d61293c1e91145bdad11c53bf) C:\Windows\system32\DRIVERS\Rtlh86.sys
09:42:37.0709 4648 RTL8169 - ok
09:42:37.0980 4648 RTL8187B (318f4f327190b2aee7aae9cafd19bb19) C:\Windows\system32\DRIVERS\wg111v3.sys
09:42:37.0991 4648 RTL8187B - ok
09:42:38.0036 4648 RtlProt (0d60b8c10a2c5e8dd620b3fdeb1cda64) C:\Windows\system32\DRIVERS\rtlprot.sys
09:42:38.0039 4648 RtlProt - ok
09:42:38.0111 4648 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
09:42:38.0115 4648 sbp2port - ok
09:42:38.0340 4648 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
09:42:38.0397 4648 sdbus - ok
09:42:38.0552 4648 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
09:42:38.0556 4648 secdrv - ok
09:42:38.0704 4648 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
09:42:38.0706 4648 Serenum - ok
09:42:38.0765 4648 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
09:42:38.0767 4648 Serial - ok
09:42:38.0826 4648 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
09:42:38.0828 4648 sermouse - ok
09:42:38.0910 4648 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
09:42:38.0912 4648 sffdisk - ok
09:42:39.0015 4648 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
09:42:39.0016 4648 sffp_mmc - ok
09:42:39.0062 4648 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
09:42:39.0064 4648 sffp_sd - ok
09:42:39.0106 4648 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
09:42:39.0107 4648 sfloppy - ok
09:42:39.0165 4648 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
09:42:39.0166 4648 sisagp - ok
09:42:39.0224 4648 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
09:42:39.0226 4648 SiSRaid2 - ok
09:42:39.0275 4648 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
09:42:39.0278 4648 SiSRaid4 - ok
09:42:39.0414 4648 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
09:42:39.0417 4648 Smb - ok
09:42:39.0531 4648 SPBBCDrv (dc4dc886d3779c446f9b0e9d6b006e72) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
09:42:39.0553 4648 SPBBCDrv - ok
09:42:39.0697 4648 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
09:42:39.0699 4648 spldr - ok
09:42:39.0810 4648 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\Windows\system32\Drivers\SRTSP.SYS
09:42:39.0818 4648 SRTSP - ok
09:42:39.0889 4648 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\Windows\system32\Drivers\SRTSPL.SYS
09:42:39.0898 4648 SRTSPL - ok
09:42:40.0033 4648 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\Windows\system32\Drivers\SRTSPX.SYS
09:42:40.0035 4648 SRTSPX - ok
09:42:40.0134 4648 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
09:42:40.0157 4648 srv - ok
09:42:40.0232 4648 srv2 (b7ff59408034119476b00a81bb53d5d1) C:\Windows\system32\DRIVERS\srv2.sys
09:42:40.0236 4648 srv2 - ok
09:42:40.0274 4648 srvnet (2accc9b12af02030f531e6cca6f8b76e) C:\Windows\system32\DRIVERS\srvnet.sys
09:42:40.0277 4648 srvnet - ok
09:42:40.0411 4648 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
09:42:40.0414 4648 swenum - ok
09:42:40.0475 4648 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
09:42:40.0477 4648 Symc8xx - ok
09:42:40.0540 4648 SYMDNS (fe9f8b3a8bc22d85332b42e92308ddf9) C:\Windows\System32\Drivers\SYMDNS.SYS
09:42:40.0542 4648 SYMDNS - ok
09:42:40.0625 4648 SymEvent (06b95820df51502099a8a15c93e87986) C:\Windows\system32\Drivers\SYMEVENT.SYS
09:42:40.0628 4648 SymEvent - ok
09:42:40.0724 4648 SYMFW (a0ea9d273889e53cfaabf2444692ccbf) C:\Windows\System32\Drivers\SYMFW.SYS
09:42:40.0727 4648 SYMFW - ok
09:42:40.0782 4648 SymIM (8eab28dd6cd25355b951ae460fa86b48) C:\Windows\system32\DRIVERS\SymIMv.sys
09:42:40.0783 4648 SymIM - ok
09:42:40.0816 4648 SymIMMP - ok
09:42:40.0882 4648 SYMNDISV (c94eaca4b522012ee0691f1e79c42a7d) C:\Windows\System32\Drivers\SYMNDISV.SYS
09:42:40.0884 4648 SYMNDISV - ok
09:42:40.0930 4648 SYMREDRV (7c6505ea598e58099d3b7e1f70426864) C:\Windows\System32\Drivers\SYMREDRV.SYS
09:42:40.0932 4648 SYMREDRV - ok
09:42:40.0973 4648 SYMTDI (e6ff7ace71d07ca90119f2c6ab592ba4) C:\Windows\System32\Drivers\SYMTDI.SYS
09:42:40.0977 4648 SYMTDI - ok
09:42:41.0104 4648 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
09:42:41.0105 4648 Sym_hi - ok
09:42:41.0157 4648 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
09:42:41.0159 4648 Sym_u3 - ok
09:42:41.0242 4648 SynTP (2d2c815364a878c7e358d5f549711197) C:\Windows\system32\DRIVERS\SynTP.sys
09:42:41.0247 4648 SynTP - ok
09:42:41.0343 4648 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
09:42:41.0378 4648 Tcpip - ok
09:42:41.0510 4648 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
09:42:41.0520 4648 Tcpip6 - ok
09:42:41.0580 4648 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
09:42:41.0583 4648 tcpipreg - ok
09:42:41.0626 4648 TcUsb (009aede9fe870c247014450dc1e01d5d) C:\Windows\system32\Drivers\tcusb.sys
09:42:41.0629 4648 TcUsb - ok
09:42:41.0686 4648 tdcmdpst (1825bceb47bf41c5a9f0e44de82fc27a) C:\Windows\system32\DRIVERS\tdcmdpst.sys
09:42:41.0688 4648 tdcmdpst - ok
09:42:41.0760 4648 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
09:42:41.0762 4648 TDPIPE - ok
09:42:41.0883 4648 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
09:42:41.0885 4648 TDTCP - ok
09:42:41.0963 4648 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
09:42:41.0967 4648 tdx - ok
09:42:42.0035 4648 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
09:42:42.0037 4648 TermDD - ok
09:42:42.0196 4648 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\Windows\system32\DRIVERS\tosporte.sys
09:42:42.0198 4648 tosporte - ok
09:42:42.0264 4648 tosrfbd (266df087a8c24da34ff40cf3df86ccfb) C:\Windows\system32\DRIVERS\tosrfbd.sys
09:42:42.0267 4648 tosrfbd - ok
09:42:42.0305 4648 tosrfbnp (90c8525bc578aaffe87c2d0ed4379e9e) C:\Windows\system32\Drivers\tosrfbnp.sys
09:42:42.0307 4648 tosrfbnp - ok
09:42:42.0409 4648 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\Windows\system32\Drivers\tosrfcom.sys
09:42:42.0411 4648 Tosrfcom - ok
09:42:42.0466 4648 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\Windows\system32\DRIVERS\tosrfec.sys
09:42:42.0468 4648 tosrfec - ok
09:42:42.0560 4648 Tosrfhid (7c807ba9660e2995cc0217a14a24094c) C:\Windows\system32\DRIVERS\Tosrfhid.sys
09:42:42.0562 4648 Tosrfhid - ok
09:42:42.0627 4648 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\Windows\system32\DRIVERS\tosrfnds.sys
09:42:42.0628 4648 tosrfnds - ok
09:42:42.0757 4648 TosRfSnd (a4ce9572bc4ac8d329455059b43c5bea) C:\Windows\system32\drivers\tosrfsnd.sys
09:42:42.0759 4648 TosRfSnd - ok
09:42:42.0830 4648 Tosrfusb (cdda265c7617a2745b48e0de572012a6) C:\Windows\system32\DRIVERS\tosrfusb.sys
09:42:42.0832 4648 Tosrfusb - ok
09:42:42.0884 4648 tos_sps32 (1ea5f27c29405bf49799feca77186da9) C:\Windows\system32\DRIVERS\tos_sps32.sys
09:42:42.0891 4648 tos_sps32 - ok
09:42:42.0966 4648 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
09:42:42.0968 4648 tssecsrv - ok
09:42:43.0090 4648 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
09:42:43.0092 4648 tunmp - ok
09:42:43.0142 4648 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
09:42:43.0144 4648 tunnel - ok
09:42:43.0197 4648 TVALZ (521c5f39829875adf5466dd94c6282c7) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
09:42:43.0199 4648 TVALZ - ok
09:42:43.0256 4648 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
09:42:43.0259 4648 uagp35 - ok
09:42:43.0415 4648 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
09:42:43.0422 4648 udfs - ok
09:42:43.0472 4648 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
09:42:43.0475 4648 uliagpkx - ok
09:42:43.0537 4648 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
09:42:43.0543 4648 uliahci - ok
09:42:43.0610 4648 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
09:42:43.0614 4648 UlSata - ok
09:42:43.0737 4648 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
09:42:43.0742 4648 ulsata2 - ok
09:42:43.0791 4648 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
09:42:43.0794 4648 umbus - ok
09:42:43.0896 4648 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
09:42:43.0898 4648 USBAAPL - ok
09:42:43.0960 4648 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
09:42:43.0964 4648 usbccgp - ok
09:42:44.0084 4648 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
09:42:44.0088 4648 usbcir - ok
09:42:46.0762 4648 ============================================================
09:42:46.0763 4648 Scan finished
09:42:46.0763 4648 ============================================================
09:42:46.0776 0964 Detected object count: 0
09:42:46.0776 0964 Actual detected object count: 0
09:47:06.0477 5960 Deinitialize success

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-08 09:47:25
-----------------------------
09:47:25.720 OS Version: Windows 6.0.6001 Service Pack 1
09:47:25.721 Number of processors: 2 586 0xF0B
09:47:25.722 ComputerName: COMMODORE64 UserName: Roop
09:48:00.747 Initialize success
09:49:55.338 AVAST engine defs: 12030701
09:50:42.257 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
09:50:42.261 Disk 0 Vendor: FUJITSU_ 0040 Size: 238475MB BusType: 3
09:50:42.283 Disk 0 MBR read successfully
09:50:42.289 Disk 0 MBR scan
09:50:42.303 Disk 0 Windows VISTA default MBR code
09:50:42.310 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
09:50:42.337 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 231899 MB offset 3074048
09:50:42.376 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 5075 MB offset 478003200
09:50:42.394 Disk 0 scanning sectors +488396800
09:50:42.458 Disk 0 scanning C:\Windows\system32\drivers
09:50:58.139 Service scanning
09:51:36.418 Modules scanning
09:51:49.013 Disk 0 trace - called modules:
09:51:49.398 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
09:51:49.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8614a140]
09:51:49.413 3 CLASSPNP.SYS[88afe745] -> nt!IofCallDriver -> [0x85b42b18]
09:51:49.420 5 acpi.sys[836366a0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8562b030]
09:51:51.103 AVAST engine scan C:\Windows
09:51:56.067 AVAST engine scan C:\Windows\system32
09:55:56.474 AVAST engine scan C:\Windows\system32\drivers
09:56:20.055 AVAST engine scan C:\Users\Roop
10:52:16.840 AVAST engine scan C:\ProgramData
11:07:53.847 Scan finished successfully
11:17:36.633 Disk 0 MBR has been saved successfully to "C:\Users\Roop\Desktop\MBR.dat"
11:17:36.644 The log file has been saved successfully to "C:\Users\Roop\Desktop\aswMBR.txt"

#18 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 08 March 2012 - 11:38 AM

with a lot of items still in the start tray (18 items), as opposed to only the 3 or 4 that were there after the first combofix was run a couple of days ago.

Maybe it was because of the infected userinit file that ComboFix fixed the last time.

All logs look clean. :)

Time for final clean-up.

1. Removal of ComboFix and all system restore points since they might be infected.
Press Windows-key + R
Copy and paste this line:
ComboFix /Uninstall

Note the space before /
Click on OK.

2. Removal of tools
Download OTC http://oldtimer.geekstogo.com/OTC.exe
Close all programs.
Start OTC program.
Click the CleanUp! button.
Select Yes when asked "Begin cleanup process".
If you are asked to reboot, select Yes.
If any logs remain on the computer you can remove them.
Any tools left?

3. Improve the security in the computer
Uninstall Norton: https://www-secure.s...redirect_pubweb Step 2
Install an antivirus program.

It is very important to keep Windows and all programs updated. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). Please, ask if you don't understand what to do.

Read what Blade81 writes in the post http://www.lavasofts...ndpost&p=124337 from the header "Make your Internet Explorer more secure" and downwards.

You can search for the file names on the uRun and mRun lines in DDS.txt on http://www.systemloo...ists.php?list=2 If there is a U or N in the Status column, read the description and decide if you want the program to start automatically. If not, it is best to find a setting in the program that stops it from starting automatically, but it is also possible to remove the checkmark from the corresponding line in Start - Search field: msconfig - Autostart.

Your hard disk seems to be very full, Windows works best if there is at least 10% free space. Are there any programs installed that you no longer use and can uninstall? You can, for example, uninstall HijackThis.
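
The autostart review described in step 3, as an added PowerShell example that is not part of this thread: it reads the Run keys that DDS reports as uRun and mRun, resolves each command line to its executable, and reports whether the file still exists and is Authenticode-signed. It assumes a standard Windows registry layout and makes no changes.

```powershell
# Added example, not part of the thread: list the autostart entries DDS reports as
# uRun (HKCU ...\Run) and mRun (HKLM ...\Run) and, for each, whether the target file
# still exists and carries a valid Authenticode signature. Read-only; no registry writes.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'              # DDS "uRun"
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'              # DDS "mRun"
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # 32-bit apps on 64-bit Windows
)

function Get-ExecutablePath {
    # Extract the program path from a Run value's command line.
    param([string]$CommandLine)
    # Quoted form: "C:\Program Files\Tool\tool.exe" /arg
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form, possibly with spaces: grow the candidate token by token until
    # it names an existing file (the same ambiguity Windows itself has to resolve).
    $tokens = $CommandLine.Trim() -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string]$item.GetValue($name)
        $exe    = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $cmd))
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        # Unsigned or missing targets are the ones worth looking up before leaving
        # them checked in msconfig - Autostart.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
        [PSCustomObject]@{
            Key       = $key
            Name      = $name
            Target    = $exe
            Exists    = $exists
            Signature = $sig
            Command   = $cmd
        }
    }
}
```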

#19 ArthurOPlasty

ArthurOPlasty

    Advanced Member

  • Members
  • PipPipPip
  • 59 posts

Posted 09 March 2012 - 08:53 AM

I've uninstalled a few programs that are no longer used, but there's some I'm unable to get rid of because it says the uninstaller has been moved. I can't find a listing of those programs in the add/remove programs in control panel either.

I just ran the ComboFix removal and updated Mozilla, but now every time I right-click on an icon it says Windows Explorer is restarting, then it closes everything.

#20 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7781 posts

Posted 09 March 2012 - 03:17 PM

You can try to use Revo Uninstaller to get rid of the programs. http://www.revouninstaller.com/

Maybe it is one of the uninstalled programs that didn't clean up the registry properly, since this usually occurs when there is a registry item telling Windows to display something in the right-click menu but the program responsible for that action doesn't exist. Please, see if anything is entered in the Event Viewer (Control Panel - Administration Tools) at the same time as you right-click on an icon and Windows Explorer restarts.
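
The situation described above (a right-click menu entry still registered while the program behind it is gone), as an added PowerShell example that is not part of this thread: it enumerates Explorer's context menu handlers, looks up each handler's COM server DLL and flags handlers whose server key or DLL is missing. It assumes a standard registry layout and only reads.

```powershell
# Added example, not part of the thread: enumerate the right-click (context menu) shell
# extensions Explorer loads and flag any whose COM server DLL is no longer on disk, the
# "registry item with no program behind it" case described above. Read-only.
$hookPoints = @('*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Drive', 'Folder')

function Test-HandlerDll {
    # A server path without a directory component is resolved from System32.
    param([string]$Path)
    if (-not $Path) { return $false }
    if ($Path -notmatch '\\') { $Path = Join-Path "$env:SystemRoot\System32" $Path }
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

$results = foreach ($hook in $hookPoints) {
    $handlersKey = "Registry::HKEY_CLASSES_ROOT\$hook\shellex\ContextMenuHandlers"
    if (-not (Test-Path -LiteralPath $handlersKey)) { continue }
    foreach ($handler in Get-ChildItem -LiteralPath $handlersKey) {
        # The CLSID is either the handler subkey's default value or the subkey name itself.
        $clsid = [string]$handler.GetValue('')
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { $clsid = $handler.PSChildName }
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $dll = [string](Get-Item -LiteralPath $serverKey).GetValue('')
            $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        }
        [PSCustomObject]@{
            HookPoint  = $hook
            Handler    = $handler.PSChildName
            Clsid      = $clsid
            Dll        = $dll
            Registered = [bool]$dll
            DllExists  = (Test-HandlerDll $dll)
        }
    }
}

# Handlers with no COM server registered, or a server whose DLL is missing, are the
# entries to correlate with the Event Viewer record of the Explorer restart.
$results | Where-Object { -not $_.DllExists } | Format-Table -AutoSize
```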



