Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I have a difficult recurring Alureon rootkit

Started by 2Campers , Jun 11 2012 08:28 PM

  • This topic is locked This topic is locked
56 replies to this topic

#1 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 11 June 2012 - 08:28 PM

I have an Alureon file that I cannot remove. Microsoft Security Essentials picks it up but when I reboot to remove it, it restarts again.

I tried the TDSS Killer Self Help for Alureon root kit on your website--that did not work. I also tried Kaspersky rescue disk--no help.

In addition, I ran a Bit Defender Rescue Disk with no change.

I recently ran into the Trojan Live Security Platinum which I was able to remove myself.

I'm enclosing two DDS logs and one GMER log as requested for my initial post.

Thank you in advance for your offer to help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Hollis at 19:53:43 on 2012-06-11
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CatcherBHO Class: {9b4df450-dcc7-4b07-935d-0cd757a64583} - c:\program files\moyea\youtube flv downloader\MoyeaCatcher.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241989445343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam.thesylvaherald.com/activex/AMC.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{264765A9-B784-4177-98EF-7659D0F0D8B3} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-11 20:49:08 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c2e96af3-c566-40ef-8497-68997eac5a0d}\mpengine.dll
2012-06-11 18:34:20 -------- d-----w- c:\documents and settings\hollis\local settings\application data\Secunia PSI
2012-06-11 18:16:49 -------- d-----w- c:\program files\Secunia
2012-06-11 13:05:52 -------- d-----w- c:\program files\ESET
2012-06-10 21:44:56 388096 ----a-r- c:\documents and settings\hollis\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-06-10 21:44:55 -------- d-----w- c:\program files\Trend Micro
2012-06-10 21:37:27 -------- d-----w- c:\program files\VS Revo Group
2012-06-10 20:42:04 -------- d-----w- c:\documents and settings\hollis\local settings\application data\Sun
2012-06-10 20:07:04 -------- d-----w- c:\program files\Oracle
2012-06-10 20:06:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-10 18:34:32 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-06-08 18:11:17 -------- d-----w- C:\_OTM
2012-06-08 00:13:45 14664 ----a-w- c:\windows\stinger.sys
2012-06-08 00:11:04 -------- d-----w- c:\program files\stinger
2012-06-07 17:34:20 32072 ----a-w- c:\windows\system32\drivers\48230029.sys
2012-06-05 15:49:41 272896 ----a-w- c:\documents and settings\hollis\application data\mutcpr.dll
2012-06-04 13:31:05 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-03 11:00:34 -------- d-----w- c:\documents and settings\all users\application data\F4D55EFF00043AFD00245298D151FC4E
2012-05-29 14:34:56 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-19 15:44:49 -------- d-----w- C:\bd_logs
2012-05-19 11:43:57 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-18 16:56:39 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
.
==================== Find3M ====================
.
2012-06-10 20:06:10 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-06 03:19:59 1027072 ----a-w- c:\windows\system32\AutoPartNt.exe
2012-06-04 16:26:44 72748 ----a-w- c:\windows\unins000.exe
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-29 14:34:56 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-10 21:25:22 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-05-07 15:17:09 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 19:54:32.76 ===============
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-11 19:20:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.01.0
Running: 15xegl0d.exe; Driver: C:\DOCUME~1\Hollis\LOCALS~1\Temp\ugtcrpob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Hollis\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3644] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB4624$\1738831284 0 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\cfg.ini 282 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\L 0 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\L\trbssmgb 52480 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\oemid 150 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U 0 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB4624$\1738831284\version 1265 bytes
File C:\WINDOWS\$NtUninstallKB4624$\3536206301 0 bytes

---- EOF - GMER 1.0.15 ----
Attached File  attach.txt.txt   16.09K   2 downloads

 

  • BC Ads
  • BleepingComputer.com

#2 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 June 2012 - 07:05 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#3 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 12 June 2012 - 10:04 AM

Hi Gringo,

Thank you very much for helping me with this problem.

I ran Security Check and am enclosing the log.

I ran Combofix and it:

1. Discovered I did not have the Windows Recovery Console. So it went online and was successful in installing the console.

2. Combofix also found "Zero Access inserted into the tcp/ip stack a particularly difficult infection" as it said in the blue dialog box.
Combofix then completed the scan.

3. My computer is still acting the same. When it reboots the icons are all scattered on the desktop as they have been for the past week or more.
(I installed a small program "Icon Restore" last week which does a poor job.) This was installed weeks after the computer began to have a
problem.

4. The main problem still remains. Microsoft Security Essentials still reboots with infection present after reboot.
The primary infections present in quarantine are: Trojan:DOS/Alureon.E and Trojan:Win32/Sirefef.P

Again thanks for your assistance. Scans enclosed.

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86 (UAC is enabled)
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.6
Spybot - Search & Destroy
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
JavaFX 2.1.0
Java™ 7 Update 4
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````

ComboFix 12-06-12.01 - Hollis 06/12/2012 9:34.1.2 - x86
Running from: c:\documents and settings\Hollis\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Hollis\Application Data\mutcpr.dll
c:\documents and settings\Hollis\Start Menu\Programs\System Check
c:\documents and settings\Hollis\WINDOWS
c:\documents and settings\Wanda Clark\WINDOWS
c:\windows\$NtUninstallKB4624$
c:\windows\$NtUninstallKB4624$\1738831284\@
c:\windows\$NtUninstallKB4624$\1738831284\cfg.ini
c:\windows\$NtUninstallKB4624$\1738831284\Desktop.ini
c:\windows\$NtUninstallKB4624$\1738831284\L\trbssmgb
c:\windows\$NtUninstallKB4624$\1738831284\oemid
c:\windows\$NtUninstallKB4624$\1738831284\U\00000001.@
c:\windows\$NtUninstallKB4624$\1738831284\U\00000002.@
c:\windows\$NtUninstallKB4624$\1738831284\U\00000004.@
c:\windows\$NtUninstallKB4624$\1738831284\U\80000000.@
c:\windows\$NtUninstallKB4624$\1738831284\U\80000004.@
c:\windows\$NtUninstallKB4624$\1738831284\U\80000032.@
c:\windows\$NtUninstallKB4624$\1738831284\version
c:\windows\$NtUninstallKB4624$\3536206301
c:\windows\system32\dds_trash_log.cmd
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))
.
.
2012-06-12 13:51 . 2012-06-12 13:51 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2E96AF3-C566-40EF-8497-68997EAC5A0D}\offreg.dll
2012-06-11 20:49 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2E96AF3-C566-40EF-8497-68997EAC5A0D}\mpengine.dll
2012-06-11 18:34 . 2012-06-11 18:34 -------- d-----w- c:\documents and settings\Hollis\Local Settings\Application Data\Secunia PSI
2012-06-11 18:16 . 2012-06-11 18:33 -------- d-----w- c:\program files\Secunia
2012-06-10 21:44 . 2012-06-10 21:44 388096 ----a-r- c:\documents and settings\Hollis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-10 21:44 . 2012-06-10 21:44 -------- d-----w- c:\program files\Trend Micro
2012-06-10 21:37 . 2012-06-10 21:37 -------- d-----w- c:\program files\VS Revo Group
2012-06-10 20:42 . 2012-06-10 20:42 -------- d-----w- c:\documents and settings\Hollis\Local Settings\Application Data\Sun
2012-06-10 20:07 . 2012-06-10 20:07 -------- d-----w- c:\program files\Oracle
2012-06-10 20:06 . 2012-06-10 20:06 -------- d-----w- c:\documents and settings\Hollis\Application Data\Oracle
2012-06-10 20:06 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-10 18:34 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-08 18:11 . 2012-06-08 18:11 -------- d-----w- C:\_OTM
2012-06-08 18:01 . 2012-06-08 18:02 -------- d-----w- c:\program files\ERUNT
2012-06-08 00:13 . 2012-06-08 00:13 14664 ----a-w- c:\windows\stinger.sys
2012-06-08 00:11 . 2012-06-08 00:34 -------- d-----w- c:\program files\stinger
2012-06-07 17:34 . 2012-06-07 20:25 32072 ----a-w- c:\windows\system32\drivers\48230029.sys
2012-06-04 13:31 . 2012-06-04 13:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-06-04 13:31 . 2012-06-04 13:31 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-03 11:00 . 2012-06-04 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF00043AFD00245298D151FC4E
2012-05-29 14:34 . 2012-05-29 14:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-19 15:44 . 2012-06-03 18:46 -------- d-----w- C:\bd_logs
2012-05-19 11:43 . 2012-05-19 11:43 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-18 16:56 . 2012-05-18 20:00 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 20:06 . 2010-06-27 10:33 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-06 03:19 . 2009-05-15 16:00 1027072 ----a-w- c:\windows\system32\AutoPartNt.exe
2012-06-04 16:26 . 2002-02-10 05:00 72748 ----a-w- c:\windows\unins000.exe
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2006-03-16 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2006-03-16 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2006-03-16 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-10-16 18:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2006-03-16 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2006-03-16 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2006-03-16 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2006-03-16 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2006-03-16 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2009-05-11 12:05 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-05-11 12:05 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2008-10-16 18:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-29 14:34 . 2011-07-02 14:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-10 21:25 . 2012-05-10 21:25 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 13:14 . 2006-03-16 04:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2006-03-16 04:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2006-03-16 04:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2010-06-27 10:33 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-08-12 11:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Wanda Clark\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DeLorme Serial Emulator.lnk]
backup=c:\windows\pss\DeLorme Serial Emulator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SerEmul for DeLorme Serial Emulator.lnk]
backup=c:\windows\pss\SerEmul for DeLorme Serial Emulator.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\NetMeter
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\NetMeter\NetMeter.exe]
2009-08-09 19:08 293888 ----a-w- c:\program files\NetMeter\NetMeter.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/10/2011 9:48 AM 14776]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 SerEmulVsp;SerEmulVsp;c:\windows\system32\drivers\SerEmulVsp.sys [3/28/2007 11:59 AM 134560]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [10/3/2010 12:41 PM 515803]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d10bfdbeb8b0;Google Update Service (gupdate1c9d10bfdbeb8b0);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 9:09 PM 133104]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [3/16/2006 14336]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/16/2006 14336]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [7/13/2011 1:34 PM 816672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 9:09 PM 133104]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [5/10/2012 5:25 PM 32072]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Hollis\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Hollis\LOCALS~1\Temp\mfe_rr.sys [?]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [10/13/2010 2:25 PM 10379]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
usbatapi2000
rpcsvr4x
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 01:09]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 01:09]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam.thesylvaherald.com/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Notify-NavLogon - (no file)
Notify-NecUsb3Sevices - USB3Sw32.dll
Notify-USB3Sw32 - USB3Sw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-12 09:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ??? ]??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Wireless-G Portable USB Adapter\WLService.exe
c:\program files\Wireless-G Portable USB Adapter\WUSB54GP.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-12 09:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-12 13:56
.
Pre-Run: 240,303,759,360 bytes free
Post-Run: 241,238,278,144 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6716A723DE617CD7E937954EAC769F03

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 June 2012 - 10:09 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#5 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 12 June 2012 - 01:11 PM

Hi Gringo,

- ran TDSS Killer. It did not show any serious infection, however, I could not find a way to copy and paste.

- closed the program and found a copy of the log on C drive and copied it to the desk log.

- was able to download aswMBR and run it. It took a long time, but I produced two logs which I am enclosing.

The computer status remains the same, with the Microsoft Security Essentials still showing the orange color which indicates it has not removed the
malware.

Again, thank you for your help.

11:47:26.0640 3764 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
11:47:28.0640 3764 ============================================================
11:47:28.0640 3764 Current date / time: 2012/06/12 11:47:28.0640
11:47:28.0640 3764 SystemInfo:
11:47:28.0640 3764
11:47:28.0640 3764 OS Version: 5.1.2600 ServicePack: 3.0
11:47:28.0640 3764 Product type: Workstation
11:47:28.0640 3764 ComputerName: WANDA-154
11:47:28.0640 3764 UserName: Hollis
11:47:28.0640 3764 Windows directory: C:\WINDOWS
11:47:28.0640 3764 System windows directory: C:\WINDOWS
11:47:28.0640 3764 Processor architecture: Intel x86
11:47:28.0640 3764 Number of processors: 2
11:47:28.0640 3764 Page size: 0x1000
11:47:28.0640 3764 Boot type: Normal boot
11:47:28.0640 3764 ============================================================
11:47:30.0031 3764 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:47:30.0062 3764 ============================================================
11:47:30.0062 3764 \Device\Harddisk0\DR0:
11:47:30.0062 3764 MBR partitions:
11:47:30.0062 3764 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x22518BC1
11:47:30.0062 3764 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x22518C00, BlocksNum 0x2F10C00
11:47:30.0062 3764 ============================================================
11:47:30.0062 3764 C: <-> \Device\Harddisk0\DR0\Partition0
11:47:30.0109 3764 D: <-> \Device\Harddisk0\DR0\Partition1
11:47:30.0109 3764 ============================================================
11:47:30.0109 3764 Initialize success
11:47:30.0109 3764 ============================================================
11:47:47.0750 2104 ============================================================
11:47:47.0750 2104 Scan started
11:47:47.0750 2104 Mode: Manual; SigCheck; TDLFS;
11:47:47.0750 2104 ============================================================
11:47:48.0140 2104 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys
11:47:48.0484 2104 5U870CAP_VID_1262&PID_25FD - ok
11:47:48.0484 2104 Abiosdsk - ok
11:47:48.0500 2104 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
11:47:48.0640 2104 abp480n5 - ok
11:47:48.0687 2104 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:47:48.0875 2104 ACPI - ok
11:47:48.0890 2104 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
11:47:48.0984 2104 ACPIEC - ok
11:47:49.0078 2104 AcrSch2Svc (d5a40b566b6bf947b2e643de621b1bde) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
11:47:49.0078 2104 AcrSch2Svc ( UnsignedFile.Multi.Generic ) - warning
11:47:49.0078 2104 AcrSch2Svc - detected UnsignedFile.Multi.Generic (1)
11:47:49.0156 2104 AddFiltr (746742588c07db53731143229e2ee450) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
11:47:49.0171 2104 AddFiltr ( UnsignedFile.Multi.Generic ) - warning
11:47:49.0171 2104 AddFiltr - detected UnsignedFile.Multi.Generic (1)
11:47:49.0203 2104 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
11:47:49.0328 2104 adpu160m - ok
11:47:49.0421 2104 AE1000 (678c8fdb9d6094d41f322b7159853c54) C:\WINDOWS\system32\DRIVERS\AE1000XP.sys
11:47:49.0468 2104 AE1000 - ok
11:47:49.0531 2104 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:47:49.0718 2104 aec - ok
11:47:49.0765 2104 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:47:49.0796 2104 AFD - ok
11:47:49.0828 2104 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:47:49.0953 2104 agp440 - ok
11:47:50.0000 2104 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
11:47:50.0125 2104 agpCPQ - ok
11:47:50.0140 2104 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
11:47:50.0187 2104 Aha154x - ok
11:47:50.0250 2104 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
11:47:50.0390 2104 aic78u2 - ok
11:47:50.0421 2104 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
11:47:50.0531 2104 aic78xx - ok
11:47:50.0546 2104 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
11:47:50.0671 2104 Alerter - ok
11:47:50.0687 2104 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
11:47:50.0765 2104 ALG - ok
11:47:50.0781 2104 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
11:47:50.0890 2104 AliIde - ok
11:47:50.0906 2104 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
11:47:51.0031 2104 alim1541 - ok
11:47:51.0062 2104 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
11:47:51.0171 2104 amdagp - ok
11:47:51.0234 2104 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
11:47:51.0296 2104 amsint - ok
11:47:51.0343 2104 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
11:47:51.0390 2104 AppMgmt - ok
11:47:51.0437 2104 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:47:51.0562 2104 Arp1394 - ok
11:47:51.0578 2104 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
11:47:51.0687 2104 asc - ok
11:47:51.0703 2104 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
11:47:51.0781 2104 asc3350p - ok
11:47:51.0796 2104 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
11:47:51.0953 2104 asc3550 - ok
11:47:52.0046 2104 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
11:47:52.0062 2104 aspnet_state - ok
11:47:52.0093 2104 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:47:52.0218 2104 AsyncMac - ok
11:47:52.0281 2104 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:47:52.0406 2104 atapi - ok
11:47:52.0421 2104 Atdisk - ok
11:47:52.0437 2104 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:47:52.0578 2104 Atmarpc - ok
11:47:52.0609 2104 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
11:47:52.0750 2104 AudioSrv - ok
11:47:52.0781 2104 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:47:52.0890 2104 audstub - ok
11:47:52.0937 2104 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
11:47:52.0953 2104 BANTExt ( UnsignedFile.Multi.Generic ) - warning
11:47:52.0953 2104 BANTExt - detected UnsignedFile.Multi.Generic (1)
11:47:52.0984 2104 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:47:53.0109 2104 Beep - ok
11:47:53.0171 2104 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
11:47:53.0312 2104 BITS - ok
11:47:53.0343 2104 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
11:47:53.0406 2104 BridgeMP - ok
11:47:53.0453 2104 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
11:47:53.0640 2104 Browser - ok
11:47:53.0718 2104 Ca533av (a8eae8e358de3a21e6eb54f4fc7f65ec) C:\WINDOWS\system32\Drivers\Ca533av.sys
11:47:53.0734 2104 Ca533av - ok
11:47:53.0734 2104 catchme - ok
11:47:53.0781 2104 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
11:47:53.0890 2104 cbidf - ok
11:47:53.0890 2104 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:47:54.0000 2104 cbidf2k - ok
11:47:54.0046 2104 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:47:54.0156 2104 CCDECODE - ok
11:47:54.0171 2104 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
11:47:54.0234 2104 cd20xrnt - ok
11:47:54.0250 2104 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:47:54.0359 2104 Cdaudio - ok
11:47:54.0375 2104 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:47:54.0500 2104 Cdfs - ok
11:47:54.0546 2104 cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:47:54.0671 2104 cdrom - ok
11:47:54.0687 2104 Changer - ok
11:47:54.0718 2104 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
11:47:54.0828 2104 CiSvc - ok
11:47:54.0859 2104 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
11:47:54.0968 2104 ClipSrv - ok
11:47:55.0062 2104 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:47:55.0078 2104 clr_optimization_v2.0.50727_32 - ok
11:47:55.0140 2104 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:47:55.0156 2104 clr_optimization_v4.0.30319_32 - ok
11:47:55.0203 2104 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:47:55.0343 2104 CmBatt - ok
11:47:55.0406 2104 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
11:47:55.0531 2104 CmdIde - ok
11:47:55.0546 2104 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:47:55.0671 2104 Compbatt - ok
11:47:55.0687 2104 COMSysApp - ok
11:47:55.0703 2104 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
11:47:55.0828 2104 Cpqarray - ok
11:47:55.0890 2104 cpuz132 - ok
11:47:55.0953 2104 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
11:47:56.0062 2104 CryptSvc - ok
11:47:56.0109 2104 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
11:47:56.0218 2104 dac2w2k - ok
11:47:56.0265 2104 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
11:47:56.0390 2104 dac960nt - ok
11:47:56.0453 2104 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
11:47:56.0468 2104 DcomLaunch - ok
11:47:56.0546 2104 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
11:47:56.0656 2104 Dhcp - ok
11:47:56.0703 2104 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:47:56.0812 2104 Disk - ok
11:47:56.0828 2104 dmadmin - ok
11:47:56.0890 2104 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:47:57.0031 2104 dmboot - ok
11:47:57.0046 2104 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:47:57.0171 2104 dmio - ok
11:47:57.0203 2104 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:47:57.0328 2104 dmload - ok
11:47:57.0359 2104 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
11:47:57.0468 2104 dmserver - ok
11:47:57.0500 2104 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:47:57.0609 2104 DMusic - ok
11:47:57.0656 2104 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
11:47:57.0671 2104 Dnscache - ok
11:47:57.0718 2104 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
11:47:57.0828 2104 Dot3svc - ok
11:47:57.0843 2104 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
11:47:57.0953 2104 dpti2o - ok
11:47:57.0953 2104 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:47:58.0078 2104 drmkaud - ok
11:47:58.0109 2104 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:47:58.0109 2104 E100B ( UnsignedFile.Multi.Generic ) - warning
11:47:58.0109 2104 E100B - detected UnsignedFile.Multi.Generic (1)
11:47:58.0140 2104 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
11:47:58.0156 2104 eabfiltr - ok
11:47:58.0171 2104 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
11:47:58.0203 2104 eabusb - ok
11:47:58.0265 2104 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
11:47:58.0375 2104 EapHost - ok
11:47:58.0468 2104 ehRecvr (d039a0c347632622934906bd59a4e1ea) C:\WINDOWS\eHome\ehRecvr.exe
11:47:58.0484 2104 ehRecvr - ok
11:47:58.0500 2104 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
11:47:58.0515 2104 ehSched - ok
11:47:58.0546 2104 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
11:47:58.0703 2104 ERSvc - ok
11:47:58.0750 2104 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:47:58.0781 2104 Eventlog - ok
11:47:58.0812 2104 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
11:47:58.0843 2104 EventSystem - ok
11:47:58.0890 2104 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:47:59.0046 2104 Fastfat - ok
11:47:59.0078 2104 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:47:59.0125 2104 FastUserSwitchingCompatibility - ok
11:47:59.0140 2104 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:47:59.0312 2104 Fdc - ok
11:47:59.0343 2104 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:47:59.0515 2104 Fips - ok
11:47:59.0531 2104 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:47:59.0640 2104 Flpydisk - ok
11:47:59.0640 2104 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:47:59.0765 2104 FltMgr - ok
11:47:59.0859 2104 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:47:59.0875 2104 FontCache3.0.0.0 - ok
11:47:59.0906 2104 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:48:00.0015 2104 Fs_Rec - ok
11:48:00.0031 2104 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:48:00.0156 2104 Ftdisk - ok
11:48:00.0171 2104 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:48:00.0281 2104 Gpc - ok
11:48:00.0328 2104 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
11:48:00.0343 2104 grmnusb - ok
11:48:00.0375 2104 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS
11:48:00.0406 2104 GTNDIS5 ( UnsignedFile.Multi.Generic ) - warning
11:48:00.0406 2104 GTNDIS5 - detected UnsignedFile.Multi.Generic (1)
11:48:00.0484 2104 gupdate1c9d10bfdbeb8b0 (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
11:48:00.0500 2104 gupdate1c9d10bfdbeb8b0 - ok
11:48:00.0500 2104 gupdatem (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
11:48:00.0515 2104 gupdatem - ok
11:48:00.0562 2104 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
11:48:00.0593 2104 HBtnKey - ok
11:48:00.0671 2104 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
11:48:00.0718 2104 HdAudAddService - ok
11:48:00.0765 2104 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:48:00.0937 2104 HDAudBus - ok
11:48:01.0015 2104 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:48:01.0187 2104 helpsvc - ok
11:48:01.0187 2104 HidServ - ok
11:48:01.0234 2104 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:48:01.0359 2104 HidUsb - ok
11:48:01.0390 2104 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
11:48:01.0515 2104 hkmsvc - ok
11:48:01.0546 2104 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
11:48:01.0656 2104 hpn - ok
11:48:01.0750 2104 hpqwmiex (04c1dcbb226c6ae647b794833ce3ceb6) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
11:48:01.0750 2104 hpqwmiex ( UnsignedFile.Multi.Generic ) - warning
11:48:01.0750 2104 hpqwmiex - detected UnsignedFile.Multi.Generic (1)
11:48:01.0781 2104 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
11:48:01.0812 2104 HPZid412 - ok
11:48:01.0828 2104 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
11:48:01.0859 2104 HPZipr12 - ok
11:48:01.0890 2104 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
11:48:01.0906 2104 HPZius12 - ok
11:48:01.0953 2104 HSFHWAZL (448c0fd272fe1b80046f4767db21eb8d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
11:48:01.0953 2104 HSFHWAZL - ok
11:48:02.0078 2104 HSF_DPV (2715a27de9c17bdbaf6d6c79989a7b12) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
11:48:02.0156 2104 HSF_DPV - ok
11:48:02.0218 2104 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:48:02.0234 2104 HTTP - ok
11:48:02.0265 2104 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
11:48:02.0437 2104 HTTPFilter - ok
11:48:02.0468 2104 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
11:48:02.0562 2104 i2omgmt - ok
11:48:02.0593 2104 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
11:48:02.0703 2104 i2omp - ok
11:48:02.0750 2104 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:48:02.0859 2104 i8042prt - ok
11:48:02.0984 2104 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:48:03.0031 2104 ialm ( UnsignedFile.Multi.Generic ) - warning
11:48:03.0031 2104 ialm - detected UnsignedFile.Multi.Generic (1)
11:48:03.0125 2104 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
11:48:03.0156 2104 iaStor ( UnsignedFile.Multi.Generic ) - warning
11:48:03.0156 2104 iaStor - detected UnsignedFile.Multi.Generic (1)
11:48:03.0281 2104 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
11:48:03.0296 2104 IDriverT ( UnsignedFile.Multi.Generic ) - warning
11:48:03.0296 2104 IDriverT - detected UnsignedFile.Multi.Generic (1)
11:48:03.0453 2104 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:48:03.0515 2104 idsvc - ok
11:48:03.0687 2104 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:48:03.0859 2104 Imapi - ok
11:48:03.0921 2104 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
11:48:04.0031 2104 ImapiService - ok
11:48:04.0062 2104 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
11:48:04.0171 2104 ini910u - ok
11:48:04.0218 2104 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:48:04.0343 2104 IntelIde - ok
11:48:04.0375 2104 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:48:04.0484 2104 intelppm - ok
11:48:04.0500 2104 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:48:04.0609 2104 Ip6Fw - ok
11:48:04.0640 2104 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:48:04.0734 2104 IpFilterDriver - ok
11:48:04.0750 2104 iphlpsvc - ok
11:48:04.0765 2104 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:48:04.0875 2104 IpInIp - ok
11:48:04.0906 2104 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:48:05.0015 2104 IpNat - ok
11:48:05.0046 2104 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:48:05.0156 2104 IPSec - ok
11:48:05.0187 2104 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:48:05.0234 2104 IRENUM - ok
11:48:05.0312 2104 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:48:05.0406 2104 isapnp - ok
11:48:05.0562 2104 JavaQuickStarterService (1fdb89b860eb7ba96a45e749a784227e) C:\Program Files\Java\jre7\bin\jqs.exe
11:48:05.0578 2104 JavaQuickStarterService - ok
11:48:05.0578 2104 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:48:05.0718 2104 Kbdclass - ok
11:48:05.0734 2104 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:48:05.0843 2104 kbdhid - ok
11:48:05.0890 2104 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:48:06.0015 2104 kmixer - ok
11:48:06.0046 2104 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:48:06.0093 2104 KSecDD - ok
11:48:06.0140 2104 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
11:48:06.0156 2104 lanmanserver - ok
11:48:06.0218 2104 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
11:48:06.0234 2104 lanmanworkstation - ok
11:48:06.0234 2104 Lbd - ok
11:48:06.0234 2104 lbrtfdc - ok
11:48:06.0390 2104 LightScribeService (86e8bcaa91fc2acfacd99cf2bf9f1f47) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
11:48:06.0406 2104 LightScribeService ( UnsignedFile.Multi.Generic ) - warning
11:48:06.0406 2104 LightScribeService - detected UnsignedFile.Multi.Generic (1)
11:48:06.0640 2104 LiveUpdate (fb3a35318ca7f6a10fa3c3826a69affe) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
11:48:06.0796 2104 LiveUpdate - ok
11:48:06.0953 2104 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
11:48:07.0140 2104 LmHosts - ok
11:48:07.0187 2104 mbamchameleon (e0e22c8a2c5528919c45b834ca68e5ef) C:\WINDOWS\system32\drivers\mbamchameleon.sys
11:48:07.0234 2104 mbamchameleon - ok
11:48:07.0281 2104 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
11:48:07.0312 2104 McrdSvc - ok
11:48:07.0343 2104 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:48:07.0359 2104 mdmxsdk - ok
11:48:07.0437 2104 MFE_RR - ok
11:48:07.0484 2104 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
11:48:07.0484 2104 MHN ( UnsignedFile.Multi.Generic ) - warning
11:48:07.0484 2104 MHN - detected UnsignedFile.Multi.Generic (1)
11:48:07.0500 2104 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:48:07.0515 2104 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
11:48:07.0515 2104 MHNDRV - detected UnsignedFile.Multi.Generic (1)
11:48:07.0546 2104 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:48:07.0656 2104 mnmdd - ok
11:48:07.0687 2104 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
11:48:07.0859 2104 mnmsrvc - ok
11:48:07.0890 2104 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:48:08.0015 2104 Modem - ok
11:48:08.0046 2104 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:48:08.0156 2104 Mouclass - ok
11:48:08.0203 2104 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:48:08.0328 2104 mouhid - ok
11:48:08.0375 2104 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:48:08.0500 2104 MountMgr - ok
11:48:08.0515 2104 MpFilter (d993bea500e7382dc4e760bf4f35efcb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
11:48:08.0546 2104 MpFilter - ok
11:48:08.0640 2104 MpKsld0b4b8e1 (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30B9FD88-269B-41F4-85AE-2272A4EA02A0}\MpKsld0b4b8e1.sys
11:48:08.0656 2104 MpKsld0b4b8e1 - ok
11:48:08.0703 2104 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
11:48:08.0765 2104 MQAC - ok
11:48:08.0781 2104 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
11:48:08.0890 2104 mraid35x - ok
11:48:08.0937 2104 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:48:09.0078 2104 MRxDAV - ok
11:48:09.0125 2104 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:48:09.0171 2104 MRxSmb - ok
11:48:09.0203 2104 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
11:48:09.0328 2104 MSDTC - ok
11:48:09.0359 2104 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:48:09.0484 2104 Msfs - ok
11:48:09.0484 2104 MSIServer - ok
11:48:09.0500 2104 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:48:09.0609 2104 MSKSSRV - ok
11:48:09.0687 2104 MsMpSvc (24516bf4e12a46cb67302e2cdcb8cddf) c:\Program Files\Microsoft Security Client\MsMpEng.exe
11:48:09.0703 2104 MsMpSvc - ok
11:48:09.0734 2104 MSMQ (afb909b537aae1beae7bbdb6a36d40b0) C:\WINDOWS\system32\mqsvc.exe
11:48:09.0796 2104 MSMQ - ok
11:48:09.0843 2104 MSMQTriggers (7f955ff3b1bb93376ebe75d5accdc6db) C:\WINDOWS\system32\mqtgsvc.exe
11:48:09.0906 2104 MSMQTriggers - ok
11:48:09.0921 2104 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:48:10.0031 2104 MSPCLOCK - ok
11:48:10.0046 2104 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:48:10.0171 2104 MSPQM - ok
11:48:10.0218 2104 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:48:10.0312 2104 mssmbios - ok
11:48:10.0343 2104 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:48:10.0453 2104 MSTEE - ok
11:48:10.0500 2104 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:48:10.0515 2104 Mup - ok
11:48:10.0546 2104 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:48:10.0671 2104 NABTSFEC - ok
11:48:10.0718 2104 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
11:48:10.0843 2104 napagent - ok
11:48:10.0875 2104 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:48:10.0984 2104 NDIS - ok
11:48:11.0015 2104 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:48:11.0109 2104 NdisIP - ok
11:48:11.0156 2104 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:48:11.0187 2104 NdisTapi - ok
11:48:11.0250 2104 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:48:11.0375 2104 Ndisuio - ok
11:48:11.0390 2104 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:48:11.0484 2104 NdisWan - ok
11:48:11.0546 2104 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:48:11.0578 2104 NDProxy - ok
11:48:11.0578 2104 NecUsb3 - ok
11:48:11.0609 2104 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\WINDOWS\system32\HPZinw12.dll
11:48:11.0625 2104 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
11:48:11.0625 2104 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
11:48:11.0640 2104 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:48:11.0796 2104 NetBIOS - ok
11:48:11.0843 2104 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:48:11.0953 2104 NetBT - ok
11:48:12.0000 2104 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:48:12.0093 2104 NetDDE - ok
11:48:12.0109 2104 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
11:48:12.0203 2104 NetDDEdsdm - ok
11:48:12.0281 2104 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:48:12.0390 2104 Netlogon - ok
11:48:12.0437 2104 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
11:48:12.0546 2104 Netman - ok
11:48:12.0625 2104 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:48:12.0640 2104 NetTcpPortSharing - ok
11:48:12.0671 2104 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:48:12.0781 2104 NIC1394 - ok
11:48:12.0843 2104 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
11:48:12.0875 2104 Nla - ok
11:48:12.0906 2104 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:48:13.0031 2104 Npfs - ok
11:48:13.0062 2104 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS
11:48:13.0062 2104 NSNDIS5 ( UnsignedFile.Multi.Generic ) - warning
11:48:13.0062 2104 NSNDIS5 - detected UnsignedFile.Multi.Generic (1)
11:48:13.0109 2104 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:48:13.0234 2104 Ntfs - ok
11:48:13.0234 2104 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:48:13.0343 2104 NtLmSsp - ok
11:48:13.0390 2104 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
11:48:13.0515 2104 NtmsSvc - ok
11:48:13.0562 2104 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:48:13.0687 2104 Null - ok
11:48:13.0734 2104 NWADI (8261ca50939f83b87c0e474c51c8ef67) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
11:48:13.0765 2104 NWADI - ok
11:48:13.0812 2104 NWCWorkstation (2c2fd0e6b0180f94c260dd26706aa5f4) C:\WINDOWS\System32\nwwks.dll
11:48:13.0875 2104 NWCWorkstation - ok
11:48:13.0890 2104 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:48:14.0000 2104 NwlnkFlt - ok
11:48:14.0031 2104 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:48:14.0140 2104 NwlnkFwd - ok
11:48:14.0203 2104 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
11:48:14.0328 2104 NwlnkIpx - ok
11:48:14.0343 2104 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
11:48:14.0484 2104 NwlnkNb - ok
11:48:14.0500 2104 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
11:48:14.0640 2104 NwlnkSpx - ok
11:48:14.0703 2104 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
11:48:14.0765 2104 NWRDR - ok
11:48:14.0812 2104 NWUSBModem (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
11:48:14.0843 2104 NWUSBModem - ok
11:48:14.0875 2104 NWUSBPort (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
11:48:14.0890 2104 NWUSBPort - ok
11:48:14.0906 2104 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:48:15.0031 2104 ohci1394 - ok
11:48:15.0062 2104 OlCamudp (23f6b9e6d3a6f27571885d27f292fd91) C:\WINDOWS\system32\Drivers\olcamudp.sys
11:48:15.0078 2104 OlCamudp ( UnsignedFile.Multi.Generic ) - warning
11:48:15.0078 2104 OlCamudp - detected UnsignedFile.Multi.Generic (1)
11:48:15.0171 2104 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:48:15.0187 2104 ose - ok
11:48:15.0250 2104 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
11:48:15.0390 2104 Parport - ok
11:48:15.0406 2104 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:48:15.0531 2104 PartMgr - ok
11:48:15.0562 2104 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:48:15.0703 2104 ParVdm - ok
11:48:15.0718 2104 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:48:15.0812 2104 PCI - ok
11:48:15.0828 2104 PCIDump - ok
11:48:15.0828 2104 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:48:15.0937 2104 PCIIde - ok
11:48:15.0953 2104 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
11:48:16.0046 2104 Pcmcia - ok
11:48:16.0062 2104 PDCOMP - ok
11:48:16.0062 2104 PDFRAME - ok
11:48:16.0062 2104 PDRELI - ok
11:48:16.0078 2104 PDRFRAME - ok
11:48:16.0093 2104 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
11:48:16.0203 2104 perc2 - ok
11:48:16.0265 2104 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
11:48:16.0390 2104 perc2hib - ok
11:48:16.0453 2104 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
11:48:16.0468 2104 PlugPlay - ok
11:48:16.0515 2104 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\WINDOWS\system32\HPZipm12.dll
11:48:16.0531 2104 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
11:48:16.0531 2104 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
11:48:16.0546 2104 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:48:16.0656 2104 PolicyAgent - ok
11:48:16.0703 2104 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:48:16.0828 2104 PptpMiniport - ok
11:48:16.0890 2104 PRISM_A02 (57e95881e5f014816a8a53ad94ee0c48) C:\WINDOWS\system32\DRIVERS\WUSB20XP.sys
11:48:16.0921 2104 PRISM_A02 - ok
11:48:16.0937 2104 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:48:17.0062 2104 ProtectedStorage - ok
11:48:17.0062 2104 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:48:17.0203 2104 PSched - ok
11:48:17.0250 2104 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
11:48:17.0265 2104 PSI - ok
11:48:17.0296 2104 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:48:17.0437 2104 Ptilink - ok
11:48:17.0468 2104 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:48:17.0468 2104 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
11:48:17.0468 2104 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
11:48:17.0500 2104 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
11:48:17.0640 2104 ql1080 - ok
11:48:17.0671 2104 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
11:48:17.0781 2104 Ql10wnt - ok
11:48:17.0812 2104 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
11:48:17.0937 2104 ql12160 - ok
11:48:17.0953 2104 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
11:48:18.0078 2104 ql1240 - ok
11:48:18.0093 2104 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
11:48:18.0218 2104 ql1280 - ok
11:48:18.0281 2104 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:48:18.0406 2104 RasAcd - ok
11:48:18.0453 2104 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
11:48:18.0593 2104 RasAuto - ok
11:48:18.0625 2104 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:48:18.0765 2104 Rasl2tp - ok
11:48:18.0812 2104 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
11:48:18.0921 2104 RasMan - ok
11:48:18.0953 2104 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:48:19.0062 2104 RasPppoe - ok
11:48:19.0093 2104 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:48:19.0203 2104 Raspti - ok
11:48:19.0265 2104 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:48:19.0375 2104 Rdbss - ok
11:48:19.0406 2104 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:48:19.0500 2104 RDPCDD - ok
11:48:19.0546 2104 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:48:19.0656 2104 rdpdr - ok
11:48:19.0703 2104 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
11:48:19.0718 2104 RDPWD - ok
11:48:19.0750 2104 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
11:48:19.0859 2104 RDSessMgr - ok
11:48:19.0906 2104 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:48:20.0015 2104 redbook - ok
11:48:20.0062 2104 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
11:48:20.0187 2104 RemoteAccess - ok
11:48:20.0218 2104 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
11:48:20.0328 2104 RemoteRegistry - ok
11:48:20.0375 2104 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
11:48:20.0375 2104 rimmptsk ( UnsignedFile.Multi.Generic ) - warning
11:48:20.0375 2104 rimmptsk - detected UnsignedFile.Multi.Generic (1)
11:48:20.0390 2104 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
11:48:20.0390 2104 rimsptsk ( UnsignedFile.Multi.Generic ) - warning
11:48:20.0390 2104 rimsptsk - detected UnsignedFile.Multi.Generic (1)
11:48:20.0421 2104 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
11:48:20.0421 2104 rismxdp ( UnsignedFile.Multi.Generic ) - warning
11:48:20.0421 2104 rismxdp - detected UnsignedFile.Multi.Generic (1)
11:48:20.0484 2104 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
11:48:20.0500 2104 RMCAST - ok
11:48:20.0546 2104 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
11:48:20.0687 2104 RpcLocator - ok
11:48:20.0750 2104 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
11:48:20.0781 2104 RpcSs - ok
11:48:20.0781 2104 rpcsvr4x - ok
11:48:20.0828 2104 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
11:48:21.0000 2104 RSVP - ok
11:48:21.0031 2104 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
11:48:21.0156 2104 rtl8139 - ok
11:48:21.0203 2104 SABProcEnum - ok
11:48:21.0234 2104 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
11:48:21.0343 2104 SamSs - ok
11:48:21.0406 2104 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
11:48:21.0515 2104 SCardSvr - ok
11:48:21.0562 2104 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
11:48:21.0718 2104 Schedule - ok
11:48:21.0765 2104 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
11:48:21.0890 2104 sdbus - ok
11:48:21.0921 2104 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:48:22.0000 2104 Secdrv - ok
11:48:22.0031 2104 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
11:48:22.0187 2104 seclogon - ok
11:48:22.0421 2104 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
11:48:22.0468 2104 Secunia PSI Agent - ok
11:48:22.0515 2104 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
11:48:22.0656 2104 SENS - ok
11:48:22.0703 2104 Ser2pl (b490ad520257dda26c1d587a71e527b5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
11:48:22.0734 2104 Ser2pl - ok
11:48:22.0781 2104 SerEmulVsp (9934401436fb596357187ae68ec3dada) C:\WINDOWS\system32\drivers\SerEmulVsp.sys
11:48:22.0796 2104 SerEmulVsp ( UnsignedFile.Multi.Generic ) - warning
11:48:22.0796 2104 SerEmulVsp - detected UnsignedFile.Multi.Generic (1)
11:48:22.0828 2104 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:48:23.0000 2104 Serenum - ok
11:48:23.0062 2104 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
11:48:23.0171 2104 Serial - ok
11:48:23.0234 2104 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
11:48:23.0343 2104 sermouse - ok
11:48:23.0375 2104 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
11:48:23.0484 2104 sffdisk - ok
11:48:23.0515 2104 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
11:48:23.0609 2104 sffp_sd - ok
11:48:23.0640 2104 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:48:23.0750 2104 Sfloppy - ok
11:48:23.0812 2104 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
11:48:23.0937 2104 SharedAccess - ok
11:48:23.0984 2104 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:48:24.0000 2104 ShellHWDetection - ok
11:48:24.0000 2104 Simbad - ok
11:48:24.0031 2104 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
11:48:24.0140 2104 sisagp - ok
11:48:24.0156 2104 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:48:24.0265 2104 SLIP - ok
11:48:24.0296 2104 SmartDefragDriver (14bb60a4f1c5291217a05d5728c403e6) C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys
11:48:24.0312 2104 SmartDefragDriver - ok
11:48:24.0421 2104 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
11:48:24.0421 2104 SMSIVZAM5 - ok
11:48:24.0453 2104 snapman (90257773f4b4065bd0c6cc2164fd52e5) C:\WINDOWS\system32\DRIVERS\snapman.sys
11:48:24.0484 2104 snapman ( UnsignedFile.Multi.Generic ) - warning
11:48:24.0484 2104 snapman - detected UnsignedFile.Multi.Generic (1)
11:48:24.0515 2104 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
11:48:24.0578 2104 Sparrow - ok
11:48:24.0609 2104 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:48:24.0734 2104 splitter - ok
11:48:24.0781 2104 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
11:48:24.0796 2104 Spooler - ok
11:48:24.0812 2104 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:48:24.0921 2104 sr - ok
11:48:24.0968 2104 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
11:48:25.0062 2104 srservice - ok
11:48:25.0109 2104 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:48:25.0140 2104 Srv - ok
11:48:25.0171 2104 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
11:48:25.0265 2104 SSDPSRV - ok
11:48:25.0312 2104 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
11:48:25.0468 2104 stisvc - ok
11:48:25.0484 2104 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:48:25.0609 2104 streamip - ok
11:48:25.0625 2104 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:48:25.0734 2104 swenum - ok
11:48:25.0796 2104 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:48:25.0921 2104 swmidi - ok
11:48:25.0921 2104 SwPrv - ok
11:48:25.0953 2104 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
11:48:26.0078 2104 symc810 - ok
11:48:26.0093 2104 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
11:48:26.0187 2104 symc8xx - ok
11:48:26.0265 2104 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
11:48:26.0359 2104 sym_hi - ok
11:48:26.0390 2104 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
11:48:26.0484 2104 sym_u3 - ok
11:48:26.0546 2104 SynTP (926e0bb4cac05d9a0c3b59dc16fe2f1c) C:\WINDOWS\system32\DRIVERS\SynTP.sys
11:48:26.0578 2104 SynTP - ok
11:48:26.0609 2104 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:48:26.0718 2104 sysaudio - ok
11:48:26.0765 2104 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
11:48:26.0859 2104 SysmonLog - ok
11:48:26.0921 2104 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
11:48:27.0062 2104 TapiSrv - ok
11:48:27.0125 2104 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:48:27.0156 2104 Tcpip - ok
11:48:27.0187 2104 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:48:27.0312 2104 TDPIPE - ok
11:48:27.0328 2104 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:48:27.0468 2104 TDTCP - ok
11:48:27.0468 2104 tdx - ok
11:48:27.0500 2104 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:48:27.0625 2104 TermDD - ok
11:48:27.0703 2104 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
11:48:27.0828 2104 TermService - ok
11:48:27.0875 2104 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
11:48:27.0906 2104 Themes - ok
11:48:27.0937 2104 tifsfilter (7369f74dd9172c6527a8aceb010e28f1) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
11:48:27.0953 2104 tifsfilter ( UnsignedFile.Multi.Generic ) - warning
11:48:27.0953 2104 tifsfilter - detected UnsignedFile.Multi.Generic (1)
11:48:27.0968 2104 timounter (53fec95b844c46489f6683dc0a606e01) C:\WINDOWS\system32\DRIVERS\timntr.sys
11:48:27.0984 2104 timounter ( UnsignedFile.Multi.Generic ) - warning
11:48:27.0984 2104 timounter - detected UnsignedFile.Multi.Generic (1)
11:48:28.0031 2104 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
11:48:28.0109 2104 TlntSvr - ok
11:48:28.0125 2104 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
11:48:28.0250 2104 TosIde - ok
11:48:28.0343 2104 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
11:48:28.0515 2104 TrkWks - ok
11:48:28.0546 2104 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:48:28.0671 2104 Udfs - ok
11:48:28.0671 2104 UIUSys - ok
11:48:28.0703 2104 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
11:48:28.0765 2104 ultra - ok
11:48:28.0828 2104 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:48:28.0953 2104 Update - ok
11:48:29.0000 2104 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
11:48:29.0046 2104 upnphost - ok
11:48:29.0062 2104 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
11:48:29.0187 2104 UPS - ok
11:48:29.0187 2104 usbatapi2000 - ok
11:48:29.0250 2104 USBCamera (0c28dd9ec68ccb6e95d49bfd24fd2c11) C:\WINDOWS\system32\Drivers\Bulk533.sys
11:48:29.0265 2104 USBCamera - ok
11:48:29.0296 2104 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:48:29.0406 2104 usbccgp - ok
11:48:29.0453 2104 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:48:29.0562 2104 usbehci - ok
11:48:29.0609 2104 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:48:29.0734 2104 usbhub - ok
11:48:29.0765 2104 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:48:29.0875 2104 usbprint - ok
11:48:29.0890 2104 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:48:30.0000 2104 usbscan - ok
11:48:30.0031 2104 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:48:30.0140 2104 USBSTOR - ok
11:48:30.0187 2104 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:48:30.0312 2104 usbuhci - ok
11:48:30.0312 2104 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:48:30.0421 2104 VgaSave - ok
11:48:30.0453 2104 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
11:48:30.0546 2104 viaagp - ok
11:48:30.0593 2104 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
11:48:30.0703 2104 ViaIde - ok
11:48:30.0734 2104 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:48:30.0843 2104 VolSnap - ok
11:48:30.0906 2104 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
11:48:30.0953 2104 VSS - ok
11:48:31.0000 2104 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
11:48:31.0125 2104 W32Time - ok
11:48:31.0296 2104 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys
11:48:31.0343 2104 w39n51 - ok
11:48:31.0625 2104 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:48:31.0796 2104 Wanarp - ok
11:48:31.0796 2104 WDICA - ok
11:48:31.0859 2104 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:48:31.0968 2104 wdmaud - ok
11:48:32.0015 2104 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
11:48:32.0125 2104 WebClient - ok
11:48:32.0203 2104 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:48:32.0250 2104 winachsf - ok
11:48:32.0281 2104 WinDefend - ok
11:48:32.0296 2104 WinHttpAutoProxySvc - ok
11:48:32.0437 2104 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
11:48:32.0531 2104 winmgmt - ok
11:48:32.0656 2104 WMConnectCDS (cd99c9feae87c1963273f6b150251e33) C:\Program Files\Windows Media Connect 2\wmccds.exe
11:48:32.0765 2104 WMConnectCDS ( UnsignedFile.Multi.Generic ) - warning
11:48:32.0765 2104 WMConnectCDS - detected UnsignedFile.Multi.Generic (1)
11:48:32.0796 2104 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
11:48:32.0812 2104 WmdmPmSN - ok
11:48:32.0921 2104 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
11:48:32.0968 2104 Wmi - ok
11:48:33.0093 2104 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:48:33.0265 2104 WmiAcpi - ok
11:48:33.0312 2104 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:48:33.0437 2104 WmiApSrv - ok
11:48:33.0609 2104 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
11:48:33.0640 2104 WPFFontCache_v0400 - ok
11:48:33.0703 2104 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:48:33.0812 2104 WS2IFSL - ok
11:48:33.0859 2104 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
11:48:34.0046 2104 wscsvc - ok
11:48:34.0078 2104 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:48:34.0203 2104 WSTCODEC - ok
11:48:34.0265 2104 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
11:48:34.0390 2104 wuauserv - ok
11:48:34.0468 2104 WUSB54GPSVC (e8c30ef9bbc6ddb71f0f77fa3a96515f) C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
11:48:34.0484 2104 WUSB54GPSVC ( UnsignedFile.Multi.Generic ) - warning
11:48:34.0484 2104 WUSB54GPSVC - detected UnsignedFile.Multi.Generic (1)
11:48:34.0546 2104 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
11:48:34.0671 2104 WZCSVC - ok
11:48:34.0734 2104 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
11:48:34.0859 2104 xmlprov - ok
11:48:34.0906 2104 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0
11:48:35.0078 2104 \Device\Harddisk0\DR0 - ok
11:48:35.0078 2104 Boot (0x1200) (0dfeff17d63f875658ed5776cca1728a) \Device\Harddisk0\DR0\Partition0
11:48:35.0078 2104 \Device\Harddisk0\DR0\Partition0 - ok
11:48:35.0093 2104 Boot (0x1200) (868ce062807cade2fa9212479e02861e) \Device\Harddisk0\DR0\Partition1
11:48:35.0093 2104 \Device\Harddisk0\DR0\Partition1 - ok
11:48:35.0093 2104 ============================================================
11:48:35.0093 2104 Scan finished
11:48:35.0093 2104 ============================================================
11:48:35.0203 1200 Detected object count: 26
11:48:35.0203 1200 Actual detected object count: 26
11:48:44.0984 1200 AcrSch2Svc ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:44.0984 1200 AcrSch2Svc ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:44.0984 1200 AddFiltr ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:44.0984 1200 AddFiltr ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:44.0984 1200 BANTExt ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:44.0984 1200 BANTExt ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:44.0984 1200 E100B ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:44.0984 1200 E100B ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:44.0984 1200 GTNDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:44.0984 1200 GTNDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 hpqwmiex ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 hpqwmiex ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 ialm ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 ialm ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 iaStor ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 iaStor ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 LightScribeService ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 LightScribeService ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0000 1200 MHN ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0000 1200 MHN ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 NSNDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 NSNDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 OlCamudp ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 OlCamudp ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0015 1200 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0015 1200 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 rimmptsk ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 rimmptsk ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 rimsptsk ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 rimsptsk ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 rismxdp ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 rismxdp ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 SerEmulVsp ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 SerEmulVsp ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 snapman ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 snapman ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0031 1200 tifsfilter ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0031 1200 tifsfilter ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0046 1200 timounter ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0046 1200 timounter ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0046 1200 WMConnectCDS ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0046 1200 WMConnectCDS ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:48:45.0046 1200 WUSB54GPSVC ( UnsignedFile.Multi.Generic ) - skipped by user
11:48:45.0046 1200 WUSB54GPSVC ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:50:14.0312 0496 Deinitialize success

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-12 12:55:46
-----------------------------
12:55:46.687 OS Version: Windows 5.1.2600 Service Pack 3
12:55:46.687 Number of processors: 2 586 0xF06
12:55:46.687 ComputerName: WANDA-154 UserName: Hollis
12:55:48.750 Initialize success
12:56:00.953 AVAST engine defs: 12061200
12:56:07.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:56:07.015 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
12:56:07.046 Disk 0 MBR read successfully
12:56:07.062 Disk 0 MBR scan
12:56:07.140 Disk 0 unknown MBR code
12:56:07.140 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 281137 MB offset 63
12:56:07.203 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 24097 MB offset 575769600
12:56:08.500 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 7 MB offset 625121280
12:56:08.671 Disk 0 scanning sectors +625137345
12:56:08.875 Disk 0 scanning C:\WINDOWS\system32\drivers
12:56:53.296 Service scanning
12:57:09.593 Service MpKsld0b4b8e1 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30B9FD88-269B-41F4-85AE-2272A4EA02A0}\MpKsld0b4b8e1.sys **LOCKED** 32
12:57:29.015 Modules scanning
12:57:53.250 Disk 0 trace - called modules:
12:57:53.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
12:57:53.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a748030]
12:57:53.359 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\0000008f[0x8a6c6a38]
12:57:53.375 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a749030]
12:57:55.203 AVAST engine scan C:\WINDOWS
12:58:52.140 AVAST engine scan C:\WINDOWS\system32
13:08:07.578 AVAST engine scan C:\WINDOWS\system32\drivers
13:09:51.703 AVAST engine scan C:\Documents and Settings\Hollis
13:44:27.921 AVAST engine scan C:\Documents and Settings\All Users
13:46:25.140 Scan finished successfully
13:50:36.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Hollis\Desktop\MBR.dat"
13:50:36.921 The log file has been saved successfully to "C:\Documents and Settings\Hollis\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 June 2012 - 01:41 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#7 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 12 June 2012 - 02:33 PM

Hi Gringo,

I ran the CF Script as requested and the log file is enclosed. There were no problems.

However, the computer remains the same with Microsoft Security Essentials showing malware.

Question: What about the infection "Zero Access" we noted on the first combofix scan you requested previously--it did not show in this scan

Thanks, Hollis

ComboFix 12-06-12.01 - Hollis 06/12/2012 14:58:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1362 [GMT -4:00]
Running from: c:\documents and settings\Hollis\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\drivers\etc\hosts.ics
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))
.
.
2012-06-12 19:07 . 2012-06-12 19:07 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30B9FD88-269B-41F4-85AE-2272A4EA02A0}\offreg.dll
2012-06-12 14:13 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30B9FD88-269B-41F4-85AE-2272A4EA02A0}\mpengine.dll
2012-06-11 18:34 . 2012-06-11 18:34 -------- d-----w- c:\documents and settings\Hollis\Local Settings\Application Data\Secunia PSI
2012-06-11 18:16 . 2012-06-11 18:33 -------- d-----w- c:\program files\Secunia
2012-06-10 21:44 . 2012-06-10 21:44 388096 ----a-r- c:\documents and settings\Hollis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-10 21:44 . 2012-06-10 21:44 -------- d-----w- c:\program files\Trend Micro
2012-06-10 21:37 . 2012-06-10 21:37 -------- d-----w- c:\program files\VS Revo Group
2012-06-10 20:42 . 2012-06-10 20:42 -------- d-----w- c:\documents and settings\Hollis\Local Settings\Application Data\Sun
2012-06-10 20:07 . 2012-06-10 20:07 -------- d-----w- c:\program files\Oracle
2012-06-10 20:06 . 2012-06-10 20:06 -------- d-----w- c:\documents and settings\Hollis\Application Data\Oracle
2012-06-10 20:06 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-10 18:34 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-08 18:11 . 2012-06-08 18:11 -------- d-----w- C:\_OTM
2012-06-08 18:01 . 2012-06-08 18:02 -------- d-----w- c:\program files\ERUNT
2012-06-08 00:13 . 2012-06-08 00:13 14664 ----a-w- c:\windows\stinger.sys
2012-06-08 00:11 . 2012-06-08 00:34 -------- d-----w- c:\program files\stinger
2012-06-07 17:34 . 2012-06-07 20:25 32072 ----a-w- c:\windows\system32\drivers\48230029.sys
2012-06-04 13:31 . 2012-06-04 13:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-06-04 13:31 . 2012-06-04 13:31 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-03 11:00 . 2012-06-04 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55EFF00043AFD00245298D151FC4E
2012-05-29 14:34 . 2012-05-29 14:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-19 15:44 . 2012-06-03 18:46 -------- d-----w- C:\bd_logs
2012-05-19 11:43 . 2012-05-19 11:43 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-18 16:56 . 2012-05-18 20:00 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 20:06 . 2010-06-27 10:33 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-06 03:19 . 2009-05-15 16:00 1027072 ----a-w- c:\windows\system32\AutoPartNt.exe
2012-06-04 16:26 . 2002-02-10 05:00 72748 ----a-w- c:\windows\unins000.exe
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2006-03-16 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2006-03-16 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2006-03-16 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-10-16 18:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2006-03-16 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2006-03-16 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2006-03-16 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2006-03-16 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2006-03-16 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2009-05-11 12:05 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-05-11 12:05 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2008-10-16 18:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-29 14:34 . 2011-07-02 14:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-10 21:25 . 2012-05-10 21:25 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-04-11 13:14 . 2006-03-16 04:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2006-03-16 04:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2006-03-16 04:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2010-06-27 10:33 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-08-12 11:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-12_13.52.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-12 19:08 . 2012-06-12 19:08 16384 c:\windows\temp\Perflib_Perfdata_328.dat
+ 2006-06-29 18:27 . 2012-06-12 13:56 93254 c:\windows\system32\perfc009.dat
- 2006-06-29 18:27 . 2012-06-12 13:38 93254 c:\windows\system32\perfc009.dat
+ 2006-06-29 18:27 . 2012-06-12 13:56 516732 c:\windows\system32\perfh009.dat
- 2006-06-29 18:27 . 2012-06-12 13:38 516732 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Wanda Clark\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DeLorme Serial Emulator.lnk]
backup=c:\windows\pss\DeLorme Serial Emulator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SerEmul for DeLorme Serial Emulator.lnk]
backup=c:\windows\pss\SerEmul for DeLorme Serial Emulator.lnkCommon Startup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/10/2011 9:48 AM 14776]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 2:01 AM 994360]
R2 SerEmulVsp;SerEmulVsp;c:\windows\system32\drivers\SerEmulVsp.sys [3/28/2007 11:59 AM 134560]
R2 WUSB54GPSVC;WUSB54GPSVC;c:\program files\Wireless-G Portable USB Adapter\WLService.exe [7/13/2011 12:33 PM 41025]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [10/3/2010 12:41 PM 515803]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d10bfdbeb8b0;Google Update Service (gupdate1c9d10bfdbeb8b0);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 9:09 PM 133104]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [3/16/2006 14336]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [3/16/2006 14336]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [7/13/2011 1:34 PM 816672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/9/2009 9:09 PM 133104]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [5/10/2012 5:25 PM 32072]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Hollis\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Hollis\LOCALS~1\Temp\mfe_rr.sys [?]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [10/13/2010 2:25 PM 10379]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [3/16/2006 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
usbatapi2000
rpcsvr4x
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 01:09]
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 01:09]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam.thesylvaherald.com/activex/AMC.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-12 15:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ??? ]??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(1272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Wireless-G Portable USB Adapter\WUSB54GP.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-12 15:12:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-12 19:12
ComboFix2.txt 2012-06-12 13:56
.
Pre-Run: 241,102,852,096 bytes free
Post-Run: 241,214,877,696 bytes free
.
- - End Of File - - 3C3723DBEFFB1E50B22EC9CF66F62241

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 June 2012 - 09:41 PM

Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#9 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 12 June 2012 - 10:19 PM

Hi Gringo,

Enclosed is the OTL file you requested in order to go deeper and see if anything shows up.

Thanks, Hollis

OTL logfile created on: 6/12/2012 10:57:38 PM - Run 1
OTL by OldTimer - Version 3.2.48.0 Folder = C:\Documents and Settings\Hollis\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.17 Gb Available Physical Memory | 59.03% Memory free
3.84 Gb Paging File | 3.22 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 274.55 Gb Total Space | 224.61 Gb Free Space | 81.81% Space Free | Partition Type: NTFS
Drive D: | 23.52 Gb Total Space | 13.19 Gb Free Space | 56.08% Space Free | Partition Type: FAT32

Computer Name: WANDA-154 | User Name: Hollis | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Hollis\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe (Cisco Linksys Corporation)
PRC - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe (GEMTEKS)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\GTW32N50.dll ()
MOD - C:\Program Files\Wireless-G Portable USB Adapter\GEMWEP.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (WUSB54GPSVC) -- C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe WUSB54GP.exe File not found
SRV - (WinDefend) -- %ProgramFiles%\Windows Defender\mpsvc.dll File not found
SRV - (usbatapi2000) -- %systemroot%\system32\SE27mdfl.dll File not found
SRV - (rpcsvr4x) -- %systemroot%\system32\wceusbsh.dll File not found
SRV - (NecUsb3) -- C:\WINDOWS\system32\NCUSBw32.dll File not found
SRV - (iphlpsvc) -- %SystemRoot%\System32\iphlpsvc.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (AddFiltr) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (Hewlett-Packard Development Company, L.P.)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (WMConnectCDS) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (UIUSys) -- system32\DRIVERS\UIUSYS.SYS File not found
DRV - (tdx) -- system32\DRIVERS\tdx.sys File not found
DRV - (SABProcEnum) -- C:\Program Files\Internet Explorer\SABProcEnum.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MFE_RR) -- C:\DOCUME~1\Hollis\LOCALS~1\Temp\mfe_rr.sys File not found
DRV - (mbr) -- C:\DOCUME~1\Hollis\LOCALS~1\Temp\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (cpuz132) -- C:\DOCUME~1\Hollis\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (mbamchameleon) -- C:\WINDOWS\system32\drivers\mbamchameleon.sys ()
DRV - (SmartDefragDriver) -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (AE1000) -- C:\WINDOWS\system32\drivers\AE1000XP.sys (Ralink Technology, Corp.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\drivers\snapman.sys (Acronis)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
DRV - (SerEmulVsp) -- C:\WINDOWS\System32\drivers\SerEmulVsp.sys ()
DRV - (5U870CAP_VID_1262&PID_25FD) -- C:\WINDOWS\system32\drivers\5U870CAP.sys (Ricoh)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (PRISM_A02) -- C:\WINDOWS\system32\drivers\WUSB20XP.sys (Cisco-Linksys, LLC.)
DRV - (GTNDIS5) -- C:\WINDOWS\system32\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (Ser2pl) -- C:\WINDOWS\system32\drivers\ser2pl.sys (Prolific Technology Inc.)
DRV - (Ca533av) Icatch(IV) -- C:\WINDOWS\system32\drivers\Ca533av.sys (Digital Camera)
DRV - (USBCamera) Icatch(IV) -- C:\WINDOWS\system32\drivers\Bulk533.sys (USB BULK)
DRV - (OlCamudp) -- C:\WINDOWS\system32\drivers\olcamudp.sys (OLYMPUS Optical Co.,Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\SearchScopes,DefaultScope = {73E4D393-DA16-43A6-9CEE-213C8DC1BEF3}
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\SearchScopes\{1359F30F-1B40-4209-BBB7-823C74A8FDCA}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\SearchScopes\{73E4D393-DA16-43A6-9CEE-213C8DC1BEF3}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\SearchScopes\{B68B6922-362C-40BC-80BA-4F70E69AB3EB}: "URL" = http://www.followtopia.com/index.php
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\SearchScopes\{FB3B2BD5-2BFB-4EA2-B9BD-87B1795488CB}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120101,6901,0,8,0
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{D71DD730-2359-4C64-B32D-08F54B061984}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{D71DD730-2359-4C64-B32D-08F54B061984}\ [2011/07/08 17:06:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{747E69DB-80DF-4DB0-8597-43E2709BD53B}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{747E69DB-80DF-4DB0-8597-43E2709BD53B}\ [2011/07/09 07:22:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{D920E063-F502-4EEA-8CAC-3E32B770F692}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{D920E063-F502-4EEA-8CAC-3E32B770F692}\ [2011/07/09 15:18:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{319ADB0B-05B2-4FA5-B0A8-65BDDF8D9BCC}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{319ADB0B-05B2-4FA5-B0A8-65BDDF8D9BCC}\ [2011/07/09 15:26:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{AD9896DF-07BC-4E8A-A005-A6B5E8225FF9}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{AD9896DF-07BC-4E8A-A005-A6B5E8225FF9}\ [2011/07/09 21:36:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{B249BAD8-56C5-40F9-9246-1B43061FF47F}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{B249BAD8-56C5-40F9-9246-1B43061FF47F}\ [2011/07/09 21:40:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{48296676-0098-4CA4-958A-15CD68A40358}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{48296676-0098-4CA4-958A-15CD68A40358}\ [2011/07/10 06:33:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{A8D003FD-2360-41A8-B57C-45A0DDCC0171}: C:\Documents and Settings\Hollis\Local Settings\Application Data\{A8D003FD-2360-41A8-B57C-45A0DDCC0171}\ [2011/07/11 08:40:41 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/06/12 15:07:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (CatcherBHO Class) - {9B4DF450-DCC7-4B07-935D-0CD757A64583} - C:\Program Files\Moyea\YouTube FLV Downloader\MoyeaCatcher.dll (Moyea Software Co., Ltd.)
O3 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\StartUp\Vongo Tray.lnk = File not found
O4 - Startup: C:\Documents and Settings\Wanda Clark\Start Menu\Programs\StartUp\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241989445343 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://cam.thesylvaherald.com/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{264765A9-B784-4177-98EF-7659D0F0D8B3}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Hollis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Hollis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/28 03:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1369428427-519700811-52094108-1006..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/12 22:53:55 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Hollis\Desktop\OTL.exe
[2012/06/12 22:52:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/06/12 22:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/06/12 11:46:07 | 002,127,960 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Hollis\Desktop\tdsskiller.exe
[2012/06/12 09:27:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/06/12 09:24:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/06/12 09:24:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/06/12 09:24:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/06/12 09:24:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/06/12 09:24:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/12 08:47:14 | 004,556,029 | R--- | C] (Swearware) -- C:\Documents and Settings\Hollis\Desktop\ComboFix.exe
[2012/06/11 15:27:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\New Malware Removal Posts Folder (1)
[2012/06/11 14:34:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Local Settings\Application Data\Secunia PSI
[2012/06/11 14:16:49 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2012/06/10 17:44:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Start Menu\Programs\HiJackThis
[2012/06/10 17:44:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/06/10 17:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/06/10 17:37:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Start Menu\Programs\Revo Uninstaller
[2012/06/10 16:42:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Local Settings\Application Data\Sun
[2012/06/10 16:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
[2012/06/10 16:06:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Application Data\Oracle
[2012/06/10 16:06:47 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/06/10 16:06:47 | 000,227,784 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/06/10 16:06:39 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/06/10 16:06:39 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/06/08 15:27:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\GooredFix Backups
[2012/06/08 15:25:29 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Hollis\Desktop\GooredFix.exe
[2012/06/08 14:11:17 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/06/08 14:07:38 | 000,523,264 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Hollis\Desktop\OTM.exe
[2012/06/08 14:03:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/06/08 14:01:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/06/08 14:01:36 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/06/08 12:42:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\What The Tech
[2012/06/08 12:10:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Malware Removal
[2012/06/07 20:13:45 | 000,014,664 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/06/07 20:11:04 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2012/06/07 18:47:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Macafee Spyware Removal
[2012/06/07 14:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\New Folder
[2012/06/06 15:07:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Geeks To Go Malware Removal
[2012/06/06 15:06:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Daniweb Malware Cleanup
[2012/06/06 15:03:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\DSL Malware Cleanup
[2012/06/06 15:00:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Microsoft Spyware Removal
[2012/06/06 14:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Virtual Doctor Malware Removal
[2012/06/06 14:47:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Spyware Hammer Info
[2012/06/06 07:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\NC Cabin Solo Sprayer
[2012/06/05 15:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Bleep Preparation Guide Programs
[2012/06/05 15:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Computer How To Burn Iso File CD
[2012/06/05 11:47:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Windows Firewall Repair Info
[2012/06/04 20:14:20 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Hollis\Desktop\aswMBR.exe
[2012/06/04 15:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Kaspersky Info
[2012/06/04 09:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2012/06/04 09:31:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/03 07:00:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D55EFF00043AFD00245298D151FC4E
[2012/05/31 13:15:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Alaska pdf info
[2012/05/29 10:34:56 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/27 06:08:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Hollis\Recent
[2012/05/19 11:44:49 | 000,000,000 | ---D | C] -- C:\bd_logs
[2012/05/19 09:25:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\Desktop\Computer Discovered Malware
[2012/05/19 07:43:57 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 11
[2012/05/18 12:56:39 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012/05/17 22:40:39 | 019,585,536 | ---- | C] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\Hollis\Desktop\cbSetup.exe
[2012/05/17 22:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hollis\My Documents\GPS NC Cabin Master Trails

========== Files - Modified Within 30 Days ==========

[2012/06/12 22:54:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/12 22:54:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/12 22:53:53 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Hollis\Desktop\OTL.exe
[2012/06/12 22:34:25 | 000,559,444 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\How do I remove ZeroAccess (Sirefef) rootkit - ESET Knowledgebase.mht
[2012/06/12 15:12:32 | 000,516,732 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/12 15:12:32 | 000,093,254 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/12 15:07:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/12 15:07:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/12 15:07:30 | 2137,051,136 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/12 13:50:36 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\MBR.dat
[2012/06/12 11:46:07 | 002,127,960 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Hollis\Desktop\tdsskiller.exe
[2012/06/12 09:27:29 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/06/12 08:47:14 | 004,556,029 | R--- | M] (Swearware) -- C:\Documents and Settings\Hollis\Desktop\ComboFix.exe
[2012/06/11 15:05:11 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Hollis\defogger_reenable
[2012/06/11 14:34:02 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/06/11 09:02:02 | 000,984,985 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\ESET Get a FREE Online Virus Scan.mht
[2012/06/10 17:47:00 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\HiJackThis Trend Micro.lnk
[2012/06/10 17:37:27 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Revo Uninstaller.lnk
[2012/06/10 16:34:13 | 000,675,918 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller.mht
[2012/06/10 16:29:54 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/06/10 16:06:10 | 000,227,784 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/06/10 16:06:10 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/06/10 16:06:10 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/06/10 16:06:09 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/06/08 19:23:24 | 000,853,862 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\SecurityCheck.exe
[2012/06/08 18:44:07 | 000,649,414 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Bleep Virus, Trojan, Spyware, and Malware Removal Logs - BleepingComputer_com.mht
[2012/06/08 18:30:50 | 000,088,007 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\KeePass Password Safe.mht
[2012/06/08 15:25:30 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Hollis\Desktop\GooredFix.exe
[2012/06/08 14:11:20 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120608-152313.backup
[2012/06/08 14:07:51 | 000,523,264 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Hollis\Desktop\OTM.exe
[2012/06/08 14:01:38 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\ERUNT.lnk
[2012/06/08 13:53:21 | 000,001,519 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Notepad.lnk
[2012/06/07 20:34:54 | 000,000,057 | RH-- | M] () -- C:\Documents and Settings\Hollis\Desktop\stinger.opt
[2012/06/07 20:13:45 | 000,014,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/06/07 16:25:49 | 000,032,072 | ---- | M] () -- C:\WINDOWS\System32\drivers\48230029.sys
[2012/06/05 23:19:59 | 001,027,072 | ---- | M] (Acronis) -- C:\WINDOWS\System32\AutoPartNt.exe
[2012/06/05 11:40:09 | 000,196,044 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\GFI Backup 2009 Home Edition - a worthy alternative to the Backup and Restore Center Windows 7, Windows 8, Windows Vista and XP Tutorials.mht
[2012/06/04 20:14:20 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Hollis\Desktop\aswMBR.exe
[2012/06/04 16:12:30 | 000,302,391 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Kaspersky Lab Forum - Virus-related issues.mht
[2012/06/04 12:26:44 | 000,072,748 | ---- | M] (Jordan Russell) -- C:\WINDOWS\unins000.exe
[2012/06/04 12:26:44 | 000,000,659 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2012/06/04 12:25:26 | 000,288,093 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\icon_restore.exe
[2012/06/04 11:12:36 | 000,000,041 | ---- | M] () -- C:\WINDOWS\loc2.INI
[2012/06/04 11:12:25 | 000,000,041 | ---- | M] () -- C:\WINDOWS\FindServ.INI
[2012/06/04 10:34:31 | 000,001,698 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Microsoft Security Essentials.lnk
[2012/06/04 10:33:52 | 000,001,917 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/06/04 09:30:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/02 15:19:44 | 000,022,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wucltui.dll
[2012/06/02 15:19:38 | 000,219,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaucpl.cpl
[2012/06/02 15:19:38 | 000,210,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdm.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll
[2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe
[2012/06/02 15:19:34 | 000,045,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wups.dll
[2012/06/02 15:19:34 | 000,015,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuapi.dll
[2012/06/02 15:19:18 | 001,933,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll
[2012/06/02 15:18:58 | 000,275,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2012/06/02 15:18:58 | 000,017,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2012/05/31 09:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/29 14:34:17 | 002,017,658 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Wrangler Power Products.pdf
[2012/05/29 10:34:56 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/29 10:34:56 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/05/17 23:11:31 | 000,297,629 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\how to save address book in outlook express - Google Search.mht
[2012/05/17 23:11:14 | 001,218,134 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\How to back up and to restore Outlook Express data.mht
[2012/05/17 22:28:19 | 163,238,912 | ---- | M] () -- C:\Documents and Settings\Hollis\Desktop\Backup.bkf
[2012/05/17 17:35:22 | 019,585,536 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\Hollis\Desktop\cbSetup.exe

========== Files Created - No Company Name ==========

[2012/06/12 22:34:21 | 000,559,444 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\How do I remove ZeroAccess (Sirefef) rootkit - ESET Knowledgebase.mht
[2012/06/12 13:50:36 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\MBR.dat
[2012/06/12 09:27:29 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2012/06/12 09:27:22 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/06/12 09:24:51 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/12 09:24:51 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/12 09:24:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/12 09:24:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/12 09:24:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/06/11 15:05:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Hollis\defogger_reenable
[2012/06/11 14:34:02 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/06/11 14:34:02 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
[2012/06/11 09:01:54 | 000,984,985 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\ESET Get a FREE Online Virus Scan.mht
[2012/06/10 17:37:27 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Revo Uninstaller.lnk
[2012/06/10 16:34:13 | 000,675,918 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller.mht
[2012/06/10 16:29:54 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/06/10 16:29:54 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/06/08 19:23:24 | 000,853,862 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\SecurityCheck.exe
[2012/06/08 18:44:01 | 000,649,414 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Bleep Virus, Trojan, Spyware, and Malware Removal Logs - BleepingComputer_com.mht
[2012/06/08 18:30:44 | 000,088,007 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\KeePass Password Safe.mht
[2012/06/08 14:01:38 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\ERUNT.lnk
[2012/06/08 13:53:21 | 000,001,519 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Notepad.lnk
[2012/06/07 20:34:54 | 000,000,057 | RH-- | C] () -- C:\Documents and Settings\Hollis\Desktop\stinger.opt
[2012/06/07 13:34:20 | 000,032,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\48230029.sys
[2012/06/05 11:40:06 | 000,196,044 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\GFI Backup 2009 Home Edition - a worthy alternative to the Backup and Restore Center Windows 7, Windows 8, Windows Vista and XP Tutorials.mht
[2012/06/04 16:17:42 | 2137,051,136 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/04 16:12:28 | 000,302,391 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Kaspersky Lab Forum - Virus-related issues.mht
[2012/06/04 12:26:44 | 000,000,659 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2012/06/04 12:25:23 | 000,288,093 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\icon_restore.exe
[2012/06/04 10:34:31 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Microsoft Security Essentials.lnk
[2012/06/04 09:31:22 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/05/29 14:34:01 | 002,017,658 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Wrangler Power Products.pdf
[2012/05/17 23:11:27 | 000,297,629 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\how to save address book in outlook express - Google Search.mht
[2012/05/17 23:11:06 | 001,218,134 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\How to back up and to restore Outlook Express data.mht
[2012/05/17 22:26:36 | 163,238,912 | ---- | C] () -- C:\Documents and Settings\Hollis\Desktop\Backup.bkf
[2012/05/10 17:25:22 | 000,032,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/05/07 19:59:41 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2012/05/07 17:53:31 | 000,219,481 | ---- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\census.cache
[2012/05/07 17:53:13 | 000,211,123 | ---- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\ars.cache
[2012/05/07 17:11:01 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/08 05:13:44 | 000,103,733 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2012/02/08 05:13:44 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2012/02/07 16:54:46 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72lr
[2012/02/07 16:54:45 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72l
[2012/02/07 16:47:40 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\J9JMTydFW7L72l
[2012/01/05 12:18:45 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/12/10 09:48:03 | 000,025,944 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011/12/10 09:48:03 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2011/07/13 13:34:16 | 000,013,931 | R--- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2011/07/10 17:35:05 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\housecall.guid.cache
[2011/07/08 12:19:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Lxixezezoc.dat
[2011/07/08 12:19:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ttubusefubemob.bin
[2010/11/13 11:51:09 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2010/10/24 23:04:04 | 000,045,568 | ---- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/03 12:41:44 | 000,001,888 | ---- | C] () -- C:\WINDOWS\CA533A.INI
[2010/10/03 12:41:43 | 000,118,784 | ---- | C] () -- C:\WINDOWS\ShowBmp.exe
[2010/10/03 12:41:43 | 000,001,325 | ---- | C] () -- C:\WINDOWS\Remove.ini
[2010/07/13 14:20:40 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\qtXLS.dll
[2010/06/22 16:08:48 | 000,000,577 | ---- | C] () -- C:\WINDOWS\System32\gmsblist.dll
[2006/03/16 00:00:00 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@
[2006/03/16 00:00:00 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 June 2012 - 08:00 AM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
IE - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-1369428427-519700811-52094108-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\StartUp\Vongo Tray.lnk = File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34  
[2012/02/07 16:54:46 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72lr
[2012/02/07 16:54:45 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72l
[2012/02/07 16:47:40 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\J9JMTydFW7L72l
[2011/07/08 12:19:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Lxixezezoc.dat
[2011/07/08 12:19:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ttubusefubemob.bin
[2006/03/16 00:00:00 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@
[2006/03/16 00:00:00 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@
:Files
C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}
C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}
ipconfig /flushdns /c
:Commands
[PURITY]
[emptyjava]
[EMPTYFLASH]
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#11 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 13 June 2012 - 10:14 AM

Hi Gringo,

-ran the custom script in OTL as you requested

-no change except that cannot now update Windows or Microsoft Security Essentials

-this problem was present before running the OTL Script today

-the last update of MSE was on 6/11/2012 at 4:49 PM -- the MS update problem has occurred since then

-the Windows update says "problem cannot display page" error code 0x8007050A

-also MSE says "virus and spyware failed" error code 0x8007050A

-the problem with Alureon rootkit still remains and comes back into MSE everytime the computer reboots

Thanks for your patience and help

Hollis

========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1369428427-519700811-52094108-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/JavaPlugin\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-1369428427-519700811-52094108-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
C:\Documents and Settings\Default User\Start Menu\Programs\StartUp\Vongo Tray.lnk moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72lr moved successfully.
C:\Documents and Settings\All Users\Application Data\~J9JMTydFW7L72l moved successfully.
C:\Documents and Settings\All Users\Application Data\J9JMTydFW7L72l moved successfully.
C:\WINDOWS\Lxixezezoc.dat moved successfully.
C:\WINDOWS\Ttubusefubemob.bin moved successfully.
C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@ moved successfully.
C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\@ moved successfully.
========== FILES ==========
C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\U folder moved successfully.
C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\L folder moved successfully.
C:\WINDOWS\Installer\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd} folder moved successfully.
C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\U folder moved successfully.
C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd}\L folder moved successfully.
C:\Documents and Settings\Hollis\Local Settings\Application Data\{cd1cb43e-227b-d6c0-0e06-a6a1ffe5dedd} folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Hollis\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Hollis\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Hollis
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

User: Wanda Clark
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Hollis
->Flash cache emptied: 1836 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Wanda Clark
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.48.0 log created on 06132012_103136

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 June 2012 - 02:00 PM

Download Windows Repair (all in one) from this site

Install the program then run

Go to step 2 and allow it to run Disc check
Posted Image

Once that is done then go to step 3 and allow it to run SFC
Posted Image

On the start repairs tab select advanced mode and click start
Posted Image

Select the items below (remove the ticks from the rest ) and tick restart system when finished
Reset Registry permisions
reset File permisions
repair WMI
repair windows firewall
repair internet explorer
remove policies set by infection
repair winsock & DNS cache
remove temp files
repair proxy settings
repair windows update

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#13 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 13 June 2012 - 11:20 PM

Hi Gringo,

-I ran all requested steps at tweaking.com

-on the windows repair in step three it said "files requested for windows to run properly must be copied to the DLL cache". Insert your XP Professional Service Pack 3 CD now.

-I do not have a Service Pack 3 disk. I chose cancel and skipped to the next spot in the scan.

-This occurred several times especially at the end of the scan.

-The repair process seemed to go well and the computer booted with my icons remaining in place.

-however, I still cannot update Windows or Microsoft Security Essentials (MSE)

-I ran an MSE scan and it immediately picked up the Alureon rootkit trojan. I deleted and then rebooted as requested and the Alureon returned immediately.

-so basically we are now left with three issues: 1-the Alureon rootkit is still present, 2-MSE will not update (present since 6/11/2012), 3-Windows will not update

Again thanks for your help, will await your instructions,

Hollis

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 120,402 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 June 2012 - 02:22 AM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer
[/list]
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#15 2Campers

2Campers

    Member

  • Members
  • PipPip
  • 80 posts

Posted 14 June 2012 - 07:26 AM

Hi Gringo,

-had no problem downloading and running the new Combofix

-during its run, it said it found one infection, and repaired it

-the problems still persist, when the computer is rebooted the Trojan :DOS/Alureon.E recurrs in MSE

-both Windows update and Microsoft Security Essentials will not update

-the problem I have now is that the log from Combofix is evidently too long, and when I try to post it says, shortened the post, too long

-problem, I do not know how to shorten and/or divide the log

Will await your instructions, Hollis
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·