Still Infected With Ukash Virus?


13 replies to this topic (topic locked)

#1 TenderBranson (Members, 20 posts)

Posted 07 July 2012 - 02:12 PM

Hi! :lol:

My Asus eeepc 1000h, with Windows XP SP3, has become infected with the Portuguese version of the Ukash Virus.

A fake "Polícia de Segurança Pública", or PSP (Public Security Police), warning completely took over the screen, making all keyboard shortcuts and software unavailable unless a payment of 100€ was made!!

Luckily, there's another PC in the house, so after five minutes on Google I managed to identify the problem and regained access to the normal operating system environment after using Windows Safe Mode.
I hard-deleted a ctfmon.exe file residing in the WINDOWS\SYSTEM32 folder, and the subsequent entries in the startup menu, with CCleaner.

That seems to have solved the problem for the moment...

But how can I be sure of the complete removal of the virus? I've read numerous entries about a recurrence of the same, and therefore would like your help in order to prevent the same thing happening.

I've attached the required logs from dds and gmer and the scan result from DDS is at the end of the post.

Thanks for all your time.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.4.0
Run by Zombie at 17:29:48 on 2012-07-07
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2039.1376 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\CM93v3 SDK\System\cmapsvc.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\PORTABLE\PROCESSEXPLORER\PROCEXP.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Cracked License Manager 10\lmgrd.exe
C:\Cracked License Manager 10\ARCGIS.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\portable\Appetizer essential\Appetizer.exe
D:\portable\FirefoxPortable\FirefoxPortable.exe
D:\portable\FirefoxPortable\App\firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://picasa.google.com/support/bin/answer.py?hl=pt_PT&answer=93773
uInternet Settings,ProxyServer = socks=127.0.0.1:38190
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [<NO NAME>]
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\arcgis~1.lnk - c:\cracked license manager 10\start_lic_mgr_invisible.vbs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\arcgis~1.lnk - c:\cracked license manager 10\start_lic_mgr_invisible.vbs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Transferir com Mipony - file://c:\program files\mipony\browser\IEContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: DhcpNameServer = 192.168.3.1
TCP: Interfaces\{333F58B2-BB92-4AD9-BD67-699C14392F92} : DhcpNameServer = 192.168.3.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
IFEO: taskmgr.exe - "d:\portable\processexplorer\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-22 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-22 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-22 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-22 44768]
R2 C-Map Service;C-Map Service;c:\program files\cm93v3 sdk\system\cmapsvc.exe [2010-3-23 544768]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2012-1-22 704384]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\zombie\desktop\virtual\vcdrom.sys --> c:\documents and settings\zombie\desktop\virtual\VCdRom.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-27 116648]
S3 gupdatem;Serviço Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-27 116648]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-2-25 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-2-25 11104]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2012-4-12 104752]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
.
=============== Created Last 30 ================
.
2012-07-07 15:38:55 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-07 15:38:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 15:38:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 14:18:51 -------- d-----w- c:\documents and settings\zombie\application data\Guetd
2012-07-07 14:18:51 -------- d-----w- c:\documents and settings\zombie\application data\Eqqi
2012-07-07 00:33:26 -------- d-----w- c:\program files\Geosoft
2012-07-07 00:27:20 -------- d-----w- c:\windows\Geosoft_Installer
2012-07-05 15:22:44 -------- d-----w- c:\program files\G-Raster
2012-07-05 08:26:29 -------- d-----w- c:\documents and settings\zombie\application data\Mobile Atlas Creator
2012-06-26 15:46:46 -------- d-----w- c:\program files\common files\DataEast
2012-06-26 15:46:46 -------- d-----w- c:\documents and settings\zombie\application data\DataEast
2012-06-26 15:46:31 -------- d-----w- c:\program files\DataEast
2012-06-13 20:17:14 -------- d-----w- c:\program files\AZPR
2012-06-13 14:44:22 -------- d-----r- C:\Sandbox
2012-06-13 14:41:53 -------- d-----w- c:\program files\Sandboxie
2012-06-12 14:58:25 -------- d-----w- c:\program files\PDF24
2012-06-12 14:50:23 -------- d-----w- c:\documents and settings\zombie\local settings\application data\PDF24
2012-06-12 14:28:00 -------- d-----w- c:\documents and settings\zombie\local settings\application data\Tekmap_Consulting
2012-06-12 14:22:04 -------- d-----w- c:\program files\Tekmap
2012-06-12 14:00:21 -------- d-----w- c:\program files\DeepVision
2012-06-12 11:01:10 -------- d-----w- c:\program files\Ocean Ecology
2012-06-11 15:13:46 -------- d-----w- c:\documents and settings\all users\application data\TranscoordPro
2012-06-11 15:13:21 -------- d-----w- c:\program files\Transcoord Pro
2012-06-11 15:13:13 286720 ------w- c:\windows\Setup1.exe
2012-06-11 15:13:12 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-06-11 06:20:46 -------- d-----w- c:\program files\Dropbox
.
==================== Find3M ====================
.
2012-04-27 17:20:59 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 17:20:58 772552 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-27 17:20:58 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-27 15:35:32 3993600 ----a-w- c:\program files\GUTC3.tmp
2012-04-12 17:21:14 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2012-04-12 17:21:12 91952 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2012-04-12 17:21:12 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
.
============= FINISH: 17:33:45,45 ===============
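An editorial addition, not part of any post in this thread: a small Python triage script that applies the kind of checks a malware-response helper makes against the DDS "Pseudo HJT Report" and "Created Last 30" sections above. The sample lines are copied from the posted log; the indicator rules, the severity labels and the list of trusted directories are the editor's own heuristics, not DDS output, and a "review" finding means "someone should be able to explain this entry", not "this is malicious" (a loopback SOCKS proxy, for instance, is also what Tor or a local filtering proxy configures, and the IFEO entry for taskmgr.exe is Process Explorer's "Replace Task Manager" option).

```python
"""Triage a DDS "Pseudo HJT Report" / "Created Last 30" section.

Added example, not taken from the thread or from DDS. The rules below are
editorial heuristics: a "review" finding means "a human should be able to
explain this entry", not "this entry is malicious".
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "review" needs a human decision; "info" is already explained
    rule: str
    line: str


# Constructed sample: lines copied verbatim from the DDS log posted above.
SAMPLE = r"""
uInternet Settings,ProxyServer = socks=127.0.0.1:38190
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\arcgis~1.lnk - c:\cracked license manager 10\start_lic_mgr_invisible.vbs
IFEO: taskmgr.exe - "d:\portable\processexplorer\PROCEXP.EXE"
2012-07-07 14:18:51 -------- d-----w- c:\documents and settings\zombie\application data\Guetd
2012-07-07 14:18:51 -------- d-----w- c:\documents and settings\zombie\application data\Eqqi
2012-07-07 15:38:55 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
"""

SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr")
# Assumption for this XP machine: autostart targets under these prefixes are unremarkable.
TRUSTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

_PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$", re.I)
_RUN = re.compile(r"^[umd]?Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", re.I)
_STARTUP = re.compile(r"^StartupFolder:\s*.+?\s-\s(?P<target>.+)$", re.I)
_IFEO = re.compile(r"^IFEO:\s*(?P<image>\S+)\s-\s(?P<debugger>.+)$", re.I)
_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attrs>\S+)\s+(?P<path>.+)$")


def _first_path(target: str) -> str:
    """Return the program path from a Run/IFEO value, without quotes or arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split(" /")[0].split(" -")[0]


def _autostart_check(target: str, line: str) -> Finding | None:
    """Flag autostart targets that are scripts or live outside TRUSTED_DIRS."""
    path = _first_path(target).lower()
    if path.endswith(SCRIPT_EXT):
        return Finding("review", "autostart-script", line)
    if not path.startswith(TRUSTED_DIRS):
        return Finding("review", "autostart-untrusted-dir", line)
    return None


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in (raw.strip() for raw in report.splitlines()):
        if not line:
            continue
        if m := _PROXY.search(line):
            # A loopback proxy is how some lock-screen and banking malware intercepts
            # browser traffic, but Tor and local filtering proxies configure it too.
            loopback = re.search(r"127\.0\.0\.1|localhost", m["value"], re.I) is not None
            findings.append(Finding("review" if loopback else "info",
                                    "proxy-loopback" if loopback else "proxy-set", line))
        elif m := _RUN.match(line):
            if m["name"].upper() == "<NO NAME>" or not m["target"].strip():
                findings.append(Finding("review", "run-unnamed", line))
            elif f := _autostart_check(m["target"], line):
                findings.append(f)
        elif m := _STARTUP.match(line):
            if f := _autostart_check(m["target"], line):
                findings.append(f)
        elif m := _IFEO.match(line):
            # An IFEO "Debugger" value silently replaces a program; Process Explorer's
            # "Replace Task Manager" option is the common benign case of this.
            exe = _first_path(m["debugger"]).lower().rsplit("\\", 1)[-1]
            benign = exe == "procexp.exe" and m["image"].lower() == "taskmgr.exe"
            findings.append(Finding("info" if benign else "review",
                                    "ifeo-procexp-replace-taskmgr" if benign else "ifeo-debugger", line))
        elif m := _CREATED.match(line):
            # New per-user Application Data folders created around the incident time
            # deserve a look; "All Users" entries are skipped as the usual installer footprint.
            path = m["path"].lower()
            if m["attrs"].startswith("d") and "\\application data\\" in path and "\\all users\\" not in path:
                findings.append(Finding("review", "new-appdata-dir", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.rule:28} {f.line}")
```

Run against the posted log, the script hands back six entries for a human to explain: the loopback SOCKS proxy, the nameless mRun value, the .vbs started from the all-users Startup folder, the IFEO redirect (already explained as Process Explorer), and the two Application Data folders created at 14:18, shortly before the OP's cleanup. Deleting one executable does not settle any of them; each still needs a verdict from the helper.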

#2 HelpBot (Bleepin' Binary Bot, 10,861 posts)

Posted 12 July 2012 - 02:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/459672 <<< CLICK THIS LINK



If you no longer need help, all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Conspire (Malware Response Team, 1,045 posts)

Posted 14 July 2012 - 11:10 PM

Hi,

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed, and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.

Proud Graduate of the WTT Classroom
Member of UNITE

#4 TenderBranson (Topic Starter, Members, 20 posts)

Posted 15 July 2012 - 04:29 AM

Hi!

Thanks for your time and help.

The TDSSKiller scan went fast, with no threats found and no reboot required.

The report:

10:22:40.0015 3432 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
10:22:40.0484 3432 ============================================================
10:22:40.0484 3432 Current date / time: 2012/07/15 10:22:40.0484
10:22:40.0484 3432 SystemInfo:
10:22:40.0484 3432
10:22:40.0484 3432 OS Version: 5.1.2600 ServicePack: 3.0
10:22:40.0484 3432 Product type: Workstation
10:22:40.0484 3432 ComputerName: HAL-9000
10:22:40.0500 3432 UserName: Zombie
10:22:40.0500 3432 Windows directory: C:\WINDOWS
10:22:40.0500 3432 System windows directory: C:\WINDOWS
10:22:40.0500 3432 Processor architecture: Intel x86
10:22:40.0500 3432 Number of processors: 2
10:22:40.0500 3432 Page size: 0x1000
10:22:40.0500 3432 Boot type: Normal boot
10:22:40.0500 3432 ============================================================
10:22:42.0281 3432 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:22:42.0281 3432 ============================================================
10:22:42.0281 3432 \Device\Harddisk0\DR0:
10:22:42.0281 3432 MBR partitions:
10:22:42.0281 3432 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x286A88F
10:22:42.0296 3432 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x286A90D, BlocksNum 0x37B1A334
10:22:42.0296 3432 ============================================================
10:22:42.0312 3432 C: <-> \Device\Harddisk0\DR0\Partition0
10:22:42.0359 3432 D: <-> \Device\Harddisk0\DR0\Partition1
10:22:42.0359 3432 ============================================================
10:22:42.0359 3432 Initialize success
10:22:42.0359 3432 ============================================================
10:23:22.0953 3996 ============================================================
10:23:22.0953 3996 Scan started
10:23:22.0953 3996 Mode: Manual; TDLFS;
10:23:22.0953 3996 ============================================================
10:23:23.0640 3996 Aavmker4 (0b27ae82c113d3687024d18459440426) C:\WINDOWS\system32\drivers\Aavmker4.sys
10:23:23.0640 3996 Aavmker4 - ok
10:23:23.0671 3996 Abiosdsk - ok
10:23:23.0671 3996 abp480n5 - ok
10:23:23.0718 3996 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:23:23.0718 3996 ACPI - ok
10:23:23.0734 3996 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
10:23:23.0750 3996 ACPIEC - ok
10:23:23.0750 3996 adpu160m - ok
10:23:23.0796 3996 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:23:23.0796 3996 aec - ok
10:23:23.0828 3996 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
10:23:23.0828 3996 AFD - ok
10:23:23.0843 3996 Aha154x - ok
10:23:23.0843 3996 aic78u2 - ok
10:23:23.0859 3996 aic78xx - ok
10:23:23.0859 3996 AKSIFDH - ok
10:23:23.0890 3996 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:23:23.0890 3996 Alerter - ok
10:23:23.0906 3996 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:23:23.0906 3996 ALG - ok
10:23:23.0921 3996 AliIde - ok
10:23:23.0921 3996 amsint - ok
10:23:23.0968 3996 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
10:23:23.0984 3996 AppMgmt - ok
10:23:23.0984 3996 asc - ok
10:23:24.0000 3996 asc3350p - ok
10:23:24.0000 3996 asc3550 - ok
10:23:24.0109 3996 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
10:23:24.0140 3996 aspnet_state - ok
10:23:24.0171 3996 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
10:23:24.0171 3996 AsusACPI - ok
10:23:24.0203 3996 aswFsBlk (1c1f3d6dddc046c920c493a779649f66) C:\WINDOWS\system32\drivers\aswFsBlk.sys
10:23:24.0203 3996 aswFsBlk - ok
10:23:24.0234 3996 aswMon2 (9e912fe7b41650701ef2b227aca440f3) C:\WINDOWS\system32\drivers\aswMon2.sys
10:23:24.0234 3996 aswMon2 - ok
10:23:24.0250 3996 aswRdr (982e275d1c5801042fe94209fb0160fb) C:\WINDOWS\system32\drivers\aswRdr.sys
10:23:24.0250 3996 aswRdr - ok
10:23:24.0312 3996 aswSnx (73dbcf808e00580f2a47f93dd9b03876) C:\WINDOWS\system32\drivers\aswSnx.sys
10:23:24.0343 3996 aswSnx - ok
10:23:24.0390 3996 aswSP (6cbd7d3a33f498d09c831cdd732da2e0) C:\WINDOWS\system32\drivers\aswSP.sys
10:23:24.0390 3996 aswSP - ok
10:23:24.0421 3996 aswTdi (7109a9aa551f37cd168c02368465957e) C:\WINDOWS\system32\drivers\aswTdi.sys
10:23:24.0421 3996 aswTdi - ok
10:23:24.0453 3996 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:23:24.0453 3996 AsyncMac - ok
10:23:24.0468 3996 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:23:24.0484 3996 atapi - ok
10:23:24.0484 3996 Atdisk - ok
10:23:24.0515 3996 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:23:24.0515 3996 Atmarpc - ok
10:23:24.0562 3996 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:23:24.0562 3996 AudioSrv - ok
10:23:24.0593 3996 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:23:24.0593 3996 audstub - ok
10:23:24.0687 3996 avast! Antivirus (2f7c0f3e39c45e0127fb78b2f18a41f3) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
10:23:24.0687 3996 avast! Antivirus - ok
10:23:24.0734 3996 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:23:24.0734 3996 Beep - ok
10:23:24.0812 3996 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
10:23:24.0859 3996 BITS - ok
10:23:24.0906 3996 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:23:24.0921 3996 Browser - ok
10:23:24.0921 3996 btaudio - ok
10:23:24.0937 3996 BTDriver - ok
10:23:24.0953 3996 BTWDNDIS - ok
10:23:24.0968 3996 btwhid - ok
10:23:24.0984 3996 BTWUSB - ok
10:23:25.0078 3996 C-Map Service (e002669574c7dd11adeac214190e8bb7) C:\Program Files\CM93v3 SDK\System\cmapsvc.exe
10:23:25.0093 3996 C-Map Service - ok
10:23:25.0140 3996 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:23:25.0140 3996 cbidf2k - ok
10:23:25.0171 3996 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:23:25.0171 3996 CCDECODE - ok
10:23:25.0187 3996 cd20xrnt - ok
10:23:25.0218 3996 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:23:25.0234 3996 Cdaudio - ok
10:23:25.0265 3996 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:23:25.0265 3996 Cdfs - ok
10:23:25.0296 3996 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\drivers\Cdrom.sys
10:23:25.0312 3996 Cdrom - ok
10:23:25.0312 3996 Changer - ok
10:23:25.0343 3996 cisvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:23:25.0343 3996 cisvc - ok
10:23:25.0375 3996 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:23:25.0375 3996 ClipSrv - ok
10:23:25.0437 3996 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:23:25.0484 3996 clr_optimization_v2.0.50727_32 - ok
10:23:25.0531 3996 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
10:23:25.0546 3996 clr_optimization_v4.0.30319_32 - ok
10:23:25.0578 3996 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
10:23:25.0578 3996 CmBatt - ok
10:23:25.0593 3996 CmdIde - ok
10:23:25.0609 3996 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
10:23:25.0609 3996 Compbatt - ok
10:23:25.0625 3996 COMSysApp - ok
10:23:25.0656 3996 Cpqarray - ok
10:23:25.0703 3996 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:23:25.0703 3996 CryptSvc - ok
10:23:25.0703 3996 dac2w2k - ok
10:23:25.0718 3996 dac960nt - ok
10:23:25.0796 3996 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
10:23:25.0828 3996 DcomLaunch - ok
10:23:25.0859 3996 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:23:25.0859 3996 Dhcp - ok
10:23:25.0890 3996 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:23:25.0890 3996 Disk - ok
10:23:25.0890 3996 dmadmin - ok
10:23:25.0984 3996 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:23:26.0015 3996 dmboot - ok
10:23:26.0031 3996 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:23:26.0046 3996 dmio - ok
10:23:26.0062 3996 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:23:26.0062 3996 dmload - ok
10:23:26.0093 3996 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:23:26.0093 3996 dmserver - ok
10:23:26.0140 3996 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:23:26.0140 3996 DMusic - ok
10:23:26.0171 3996 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
10:23:26.0171 3996 Dnscache - ok
10:23:26.0203 3996 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:23:26.0218 3996 Dot3svc - ok
10:23:26.0234 3996 dpti2o - ok
10:23:26.0250 3996 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:23:26.0250 3996 drmkaud - ok
10:23:26.0281 3996 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:23:26.0281 3996 EapHost - ok
10:23:26.0312 3996 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:23:26.0312 3996 ERSvc - ok
10:23:26.0343 3996 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
10:23:26.0359 3996 Eventlog - ok
10:23:26.0406 3996 EventSystem (19a799805b24990867b00c120d300c3a) C:\WINDOWS\system32\es.dll
10:23:26.0421 3996 EventSystem - ok
10:23:26.0468 3996 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:23:26.0468 3996 Fastfat - ok
10:23:26.0500 3996 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
10:23:26.0531 3996 FastUserSwitchingCompatibility - ok
10:23:26.0546 3996 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:23:26.0546 3996 Fdc - ok
10:23:26.0562 3996 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:23:26.0562 3996 Fips - ok
10:23:26.0687 3996 FLEXnet Licensing Service (abedfd48ac042c6aaad32452e77217a1) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
10:23:26.0718 3996 FLEXnet Licensing Service - ok
10:23:26.0750 3996 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:23:26.0750 3996 Flpydisk - ok
10:23:26.0781 3996 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
10:23:26.0781 3996 FltMgr - ok
10:23:26.0875 3996 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:23:26.0875 3996 FontCache3.0.0.0 - ok
10:23:26.0906 3996 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:23:26.0906 3996 Fs_Rec - ok
10:23:26.0937 3996 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys
10:23:26.0937 3996 FTDIBUS - ok
10:23:26.0984 3996 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:23:26.0984 3996 Ftdisk - ok
10:23:27.0015 3996 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys
10:23:27.0031 3996 FTSER2K - ok
10:23:27.0031 3996 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:23:27.0031 3996 Gpc - ok
10:23:27.0062 3996 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
10:23:27.0062 3996 grmnusb - ok
10:23:27.0125 3996 gupdate (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files\Google\Update\GoogleUpdate.exe
10:23:27.0140 3996 gupdate - ok
10:23:27.0140 3996 gupdatem (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files\Google\Update\GoogleUpdate.exe
10:23:27.0140 3996 gupdatem - ok
10:23:27.0187 3996 gusvc (c1b577b2169900f4cf7190c39f085794) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
10:23:27.0187 3996 gusvc - ok
10:23:27.0234 3996 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:23:27.0234 3996 HDAudBus - ok
10:23:27.0296 3996 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:23:27.0312 3996 helpsvc - ok
10:23:27.0328 3996 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
10:23:27.0343 3996 HidServ - ok
10:23:27.0359 3996 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:23:27.0359 3996 hidusb - ok
10:23:27.0390 3996 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
10:23:27.0406 3996 hkmsvc - ok
10:23:27.0406 3996 hpn - ok
10:23:27.0468 3996 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
10:23:27.0468 3996 HTTP - ok
10:23:27.0500 3996 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
10:23:27.0515 3996 HTTPFilter - ok
10:23:27.0531 3996 i2omgmt - ok
10:23:27.0531 3996 i2omp - ok
10:23:27.0578 3996 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:23:27.0578 3996 i8042prt - ok
10:23:28.0000 3996 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
10:23:28.0140 3996 ialm - ok
10:23:28.0328 3996 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:23:28.0359 3996 idsvc - ok
10:23:28.0453 3996 IISADMIN (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
10:23:28.0453 3996 IISADMIN - ok
10:23:28.0484 3996 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
10:23:28.0484 3996 Imapi - ok
10:23:28.0531 3996 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
10:23:28.0546 3996 ImapiService - ok
10:23:28.0562 3996 ini910u - ok
10:23:28.0937 3996 IntcAzAudAddService (45ffc97a47248550e799da5eb5dca6a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
10:23:29.0046 3996 IntcAzAudAddService - ok
10:23:29.0156 3996 IntelIde - ok
10:23:29.0171 3996 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:23:29.0171 3996 intelppm - ok
10:23:29.0187 3996 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
10:23:29.0203 3996 Ip6Fw - ok
10:23:29.0218 3996 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:23:29.0234 3996 IpFilterDriver - ok
10:23:29.0250 3996 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:23:29.0250 3996 IpInIp - ok
10:23:29.0281 3996 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:23:29.0296 3996 IpNat - ok
10:23:29.0328 3996 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:23:29.0328 3996 IPSec - ok
10:23:29.0359 3996 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:23:29.0359 3996 IRENUM - ok
10:23:29.0406 3996 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:23:29.0406 3996 isapnp - ok
10:23:29.0500 3996 JavaQuickStarterService (8c5c59e1921eca3607390a1f641556df) C:\Program Files\Java\jre7\bin\jqs.exe
10:23:29.0515 3996 JavaQuickStarterService - ok
10:23:29.0546 3996 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:23:29.0546 3996 Kbdclass - ok
10:23:29.0578 3996 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:23:29.0593 3996 kmixer - ok
10:23:29.0640 3996 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
10:23:29.0640 3996 KSecDD - ok
10:23:29.0671 3996 Ktp (85b6d85c044e3df77e92b5a7b265008f) C:\WINDOWS\system32\DRIVERS\ETD.sys
10:23:29.0671 3996 Ktp - ok
10:23:29.0703 3996 L1e (303627228dd739d98289679901a38c8f) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
10:23:29.0703 3996 L1e - ok
10:23:29.0734 3996 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
10:23:29.0796 3996 LanmanServer - ok
10:23:29.0843 3996 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
10:23:29.0859 3996 lanmanworkstation - ok
10:23:29.0875 3996 lbrtfdc - ok
10:23:29.0906 3996 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
10:23:29.0906 3996 LmHosts - ok
10:23:29.0921 3996 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
10:23:29.0937 3996 Messenger - ok
10:23:29.0968 3996 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:23:29.0968 3996 mnmdd - ok
10:23:30.0000 3996 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
10:23:30.0015 3996 mnmsrvc - ok
10:23:30.0031 3996 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:23:30.0031 3996 Modem - ok
10:23:30.0062 3996 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:23:30.0062 3996 Mouclass - ok
10:23:30.0078 3996 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:23:30.0078 3996 mouhid - ok
10:23:30.0093 3996 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:23:30.0093 3996 MountMgr - ok
10:23:30.0109 3996 mraid35x - ok
10:23:30.0125 3996 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:23:30.0140 3996 MRxDAV - ok
10:23:30.0171 3996 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:23:30.0187 3996 MRxSmb - ok
10:23:30.0203 3996 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
10:23:30.0218 3996 MSDTC - ok
10:23:30.0234 3996 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:23:30.0234 3996 Msfs - ok
10:23:30.0296 3996 MSFtpsvc (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
10:23:30.0296 3996 MSFtpsvc - ok
10:23:30.0312 3996 MSIServer - ok
10:23:30.0343 3996 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:23:30.0343 3996 MSKSSRV - ok
10:23:30.0375 3996 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:23:30.0375 3996 MSPCLOCK - ok
10:23:30.0390 3996 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:23:30.0390 3996 MSPQM - ok
10:23:30.0437 3996 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:23:30.0437 3996 mssmbios - ok
10:23:30.0515 3996 MSSQL$SQLEXPRESS - ok
10:23:30.0593 3996 MSSQLServerADHelper100 (8e8e74c953eb0c4f8828d99d6f27fd6f) C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
10:23:30.0609 3996 MSSQLServerADHelper100 - ok
10:23:30.0625 3996 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:23:30.0625 3996 MSTEE - ok
10:23:30.0671 3996 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
10:23:30.0671 3996 Mup - ok
10:23:30.0718 3996 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:23:30.0734 3996 NABTSFEC - ok
10:23:30.0781 3996 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
10:23:30.0796 3996 napagent - ok
10:23:30.0828 3996 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:23:30.0843 3996 NDIS - ok
10:23:30.0859 3996 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:23:30.0859 3996 NdisIP - ok
10:23:30.0875 3996 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:23:30.0875 3996 NdisTapi - ok
10:23:30.0906 3996 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:23:30.0921 3996 Ndisuio - ok
10:23:30.0921 3996 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:23:30.0937 3996 NdisWan - ok
10:23:30.0953 3996 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
10:23:30.0953 3996 NDProxy - ok
10:23:30.0984 3996 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:23:30.0984 3996 NetBIOS - ok
10:23:31.0000 3996 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:23:31.0015 3996 NetBT - ok
10:23:31.0062 3996 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:23:31.0078 3996 NetDDE - ok
10:23:31.0093 3996 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:23:31.0109 3996 NetDDEdsdm - ok
10:23:31.0125 3996 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:23:31.0140 3996 Netlogon - ok
10:23:31.0203 3996 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
10:23:31.0234 3996 Netman - ok
10:23:31.0328 3996 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
10:23:31.0343 3996 NetTcpPortSharing - ok
10:23:31.0375 3996 nhcDriverDevice (9f967a6db0e6e0e01f898c26fedd418b) C:\WINDOWS\system32\drivers\nhcDriver.sys
10:23:31.0375 3996 nhcDriverDevice - ok
10:23:31.0421 3996 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
10:23:31.0453 3996 Nla - ok
10:23:31.0468 3996 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:23:31.0468 3996 Npfs - ok
10:23:31.0531 3996 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:23:31.0546 3996 Ntfs - ok
10:23:31.0562 3996 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:23:31.0578 3996 NtLmSsp - ok
10:23:31.0625 3996 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
10:23:31.0656 3996 NtmsSvc - ok
10:23:31.0687 3996 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:23:31.0687 3996 Null - ok
10:23:31.0718 3996 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:23:31.0718 3996 NwlnkFlt - ok
10:23:31.0734 3996 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:23:31.0750 3996 NwlnkFwd - ok
10:23:31.0859 3996 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
10:23:31.0890 3996 odserv - ok
10:23:31.0968 3996 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:23:31.0984 3996 ose - ok
10:23:32.0015 3996 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
10:23:32.0031 3996 Parport - ok
10:23:32.0046 3996 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:23:32.0046 3996 PartMgr - ok
10:23:32.0078 3996 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:23:32.0078 3996 ParVdm - ok
10:23:32.0093 3996 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:23:32.0093 3996 PCI - ok
10:23:32.0109 3996 PCIDump - ok
10:23:32.0125 3996 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:23:32.0125 3996 PCIIde - ok
10:23:32.0156 3996 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:23:32.0171 3996 Pcmcia - ok
10:23:32.0171 3996 PDCOMP - ok
10:23:32.0187 3996 PDFRAME - ok
10:23:32.0187 3996 PDRELI - ok
10:23:32.0203 3996 PDRFRAME - ok
10:23:32.0203 3996 perc2 - ok
10:23:32.0218 3996 perc2hib - ok
10:23:32.0265 3996 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
10:23:32.0281 3996 PlugPlay - ok
10:23:32.0281 3996 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:23:32.0296 3996 PolicyAgent - ok
10:23:32.0312 3996 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:23:32.0328 3996 PptpMiniport - ok
10:23:32.0328 3996 PROCEXP151 - ok
10:23:32.0328 3996 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:23:32.0343 3996 ProtectedStorage - ok
10:23:32.0359 3996 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:23:32.0359 3996 PSched - ok
10:23:32.0375 3996 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:23:32.0375 3996 Ptilink - ok
10:23:32.0421 3996 pwdrvio (297e2746df41528a0950f3af80cedb2d) C:\WINDOWS\system32\pwdrvio.sys
10:23:32.0453 3996 pwdrvio - ok
10:23:32.0468 3996 pwdspio (bc7d54cdbe3bbfe52f09cb7b20c3d365) C:\WINDOWS\system32\pwdspio.sys
10:23:32.0484 3996 pwdspio - ok
10:23:32.0500 3996 ql1080 - ok
10:23:32.0500 3996 Ql10wnt - ok
10:23:32.0515 3996 ql12160 - ok
10:23:32.0531 3996 ql1240 - ok
10:23:32.0531 3996 ql1280 - ok
10:23:32.0562 3996 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:23:32.0562 3996 RasAcd - ok
10:23:32.0593 3996 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
10:23:32.0625 3996 RasAuto - ok
10:23:32.0640 3996 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:23:32.0656 3996 Rasl2tp - ok
10:23:32.0687 3996 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
10:23:32.0718 3996 RasMan - ok
10:23:32.0734 3996 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:23:32.0734 3996 RasPppoe - ok
10:23:32.0750 3996 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:23:32.0750 3996 Raspti - ok
10:23:32.0796 3996 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:23:32.0812 3996 Rdbss - ok
10:23:32.0828 3996 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:23:32.0843 3996 RDPCDD - ok
10:23:32.0875 3996 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:23:32.0890 3996 rdpdr - ok
10:23:32.0937 3996 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
10:23:32.0984 3996 RDPWD - ok
10:23:33.0015 3996 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
10:23:33.0062 3996 RDSessMgr - ok
10:23:33.0109 3996 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
10:23:33.0125 3996 RemoteAccess - ok
10:23:33.0156 3996 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
10:23:33.0171 3996 RemoteRegistry - ok
10:23:33.0203 3996 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
10:23:33.0218 3996 RpcLocator - ok
10:23:33.0281 3996 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
10:23:33.0296 3996 RpcSs - ok
10:23:33.0343 3996 RsFx0150 (a95840a95a9ff74b0009e5d848cddb39) C:\WINDOWS\system32\DRIVERS\RsFx0150.sys
10:23:33.0359 3996 RsFx0150 - ok
10:23:33.0421 3996 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
10:23:33.0437 3996 RSVP - ok
10:23:33.0515 3996 RT80x86 (f591f71883424f5b31e3348ea4454466) C:\WINDOWS\system32\DRIVERS\RT2860.sys
10:23:33.0531 3996 RT80x86 - ok
10:23:33.0578 3996 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:23:33.0578 3996 SamSs - ok
10:23:33.0625 3996 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
10:23:33.0656 3996 SCardSvr - ok
10:23:33.0703 3996 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
10:23:33.0750 3996 Schedule - ok
10:23:33.0781 3996 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:23:33.0781 3996 Secdrv - ok
10:23:33.0828 3996 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
10:23:33.0875 3996 seclogon - ok
10:23:33.0921 3996 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
10:23:33.0968 3996 SENS - ok
10:23:34.0015 3996 Ser2pl (b4664c1ee39a5b7fc112f4077f8d21a5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
10:23:34.0015 3996 Ser2pl - ok
10:23:34.0062 3996 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:23:34.0062 3996 Serenum - ok
10:23:34.0093 3996 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
10:23:34.0093 3996 Serial - ok
10:23:34.0125 3996 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
10:23:34.0140 3996 sermouse - ok
10:23:34.0234 3996 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:23:34.0234 3996 Sfloppy - ok
10:23:34.0296 3996 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
10:23:34.0312 3996 SharedAccess - ok
10:23:34.0343 3996 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
10:23:34.0359 3996 ShellHWDetection - ok
10:23:34.0359 3996 Simbad - ok
10:23:34.0375 3996 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:23:34.0390 3996 SLIP - ok
10:23:34.0468 3996 SMTPSVC (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
10:23:34.0468 3996 SMTPSVC - ok
10:23:34.0468 3996 Sparrow - ok
10:23:34.0515 3996 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:23:34.0515 3996 splitter - ok
10:23:34.0546 3996 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
10:23:34.0578 3996 Spooler - ok
10:23:34.0687 3996 SQLAgent$SQLEXPRESS (37761f6be2ebaed72cc0d43bd4c8c2a6) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
10:23:34.0703 3996 SQLAgent$SQLEXPRESS - ok
10:23:34.0765 3996 SQLBrowser (7d67c07c63796775cc5492bcfeaff125) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
10:23:34.0812 3996 SQLBrowser - ok
10:23:34.0875 3996 SQLWriter (8e6e5cfa06769a417b03fd6faa29e010) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
10:23:34.0875 3996 SQLWriter - ok
10:23:34.0921 3996 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:23:34.0937 3996 sr - ok
10:23:34.0968 3996 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
10:23:35.0031 3996 srservice - ok
10:23:35.0093 3996 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
10:23:35.0109 3996 Srv - ok
10:23:35.0140 3996 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
10:23:35.0187 3996 SSDPSRV - ok
10:23:35.0250 3996 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
10:23:35.0343 3996 stisvc - ok
10:23:35.0375 3996 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:23:35.0390 3996 streamip - ok
10:23:35.0437 3996 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:23:35.0453 3996 swenum - ok
10:23:35.0500 3996 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:23:35.0500 3996 swmidi - ok
10:23:35.0515 3996 SwPrv - ok
10:23:35.0515 3996 symc810 - ok
10:23:35.0531 3996 symc8xx - ok
10:23:35.0531 3996 sym_hi - ok
10:23:35.0546 3996 sym_u3 - ok
10:23:35.0578 3996 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:23:35.0578 3996 sysaudio - ok
10:23:35.0609 3996 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
10:23:35.0640 3996 SysmonLog - ok
10:23:35.0671 3996 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
10:23:35.0703 3996 TapiSrv - ok
10:23:35.0765 3996 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:23:35.0781 3996 Tcpip - ok
10:23:35.0812 3996 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:23:35.0812 3996 TDPIPE - ok
10:23:35.0828 3996 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:23:35.0843 3996 TDTCP - ok
10:23:35.0859 3996 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:23:35.0875 3996 TermDD - ok
10:23:35.0921 3996 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
10:23:35.0968 3996 TermService - ok
10:23:36.0031 3996 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
10:23:36.0046 3996 Themes - ok
10:23:36.0078 3996 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
10:23:36.0109 3996 TlntSvr - ok
10:23:36.0109 3996 TosIde - ok
10:23:36.0140 3996 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
10:23:36.0187 3996 TrkWks - ok
10:23:36.0218 3996 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:23:36.0218 3996 Udfs - ok
10:23:36.0234 3996 ultra - ok
10:23:36.0312 3996 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) D:\portable\unlocker1.9.0-portable\UnlockerDriver5.sys
10:23:36.0312 3996 UnlockerDriver5 - ok
10:23:36.0375 3996 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:23:36.0406 3996 Update - ok
10:23:36.0437 3996 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
10:23:36.0500 3996 upnphost - ok
10:23:36.0531 3996 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
10:23:36.0562 3996 UPS - ok
10:23:36.0609 3996 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
10:23:36.0625 3996 usbaudio - ok
10:23:36.0656 3996 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:23:36.0656 3996 usbccgp - ok
10:23:36.0687 3996 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:23:36.0687 3996 usbehci - ok
10:23:36.0718 3996 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:23:36.0718 3996 usbhub - ok
10:23:36.0765 3996 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:23:36.0765 3996 usbscan - ok
10:23:36.0796 3996 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:23:36.0812 3996 usbstor - ok
10:23:36.0859 3996 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:23:36.0875 3996 usbuhci - ok
10:23:36.0921 3996 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
10:23:36.0921 3996 usbvideo - ok
10:23:36.0968 3996 VBoxNetAdp (e4cf1701e74fd55b3ecd4e282a733495) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
10:23:36.0968 3996 VBoxNetAdp - ok
10:23:36.0984 3996 VBoxNetFlt - ok
10:23:37.0046 3996 vcdrom - ok
10:23:37.0093 3996 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:23:37.0109 3996 VgaSave - ok
10:23:37.0109 3996 ViaIde - ok
10:23:37.0156 3996 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:23:37.0156 3996 VolSnap - ok
10:23:37.0218 3996 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
10:23:37.0250 3996 VSS - ok
10:23:37.0312 3996 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
10:23:37.0343 3996 W32Time - ok
10:23:37.0406 3996 W3SVC (db3c22745c0da4666f3be31f1af36b2f) C:\WINDOWS\system32\inetsrv\inetinfo.exe
10:23:37.0406 3996 W3SVC - ok
10:23:37.0437 3996 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:23:37.0453 3996 Wanarp - ok
10:23:37.0453 3996 WDICA - ok
10:23:37.0515 3996 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:23:37.0515 3996 wdmaud - ok
10:23:37.0562 3996 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
10:23:37.0593 3996 WebClient - ok
10:23:37.0671 3996 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:23:37.0687 3996 winmgmt - ok
10:23:37.0718 3996 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\mspmsnsv.dll
10:23:37.0750 3996 WmdmPmSN - ok
10:23:37.0812 3996 Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
10:23:37.0843 3996 Wmi - ok
10:23:37.0890 3996 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
10:23:37.0890 3996 WmiAcpi - ok
10:23:37.0921 3996 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:23:37.0921 3996 WmiApSrv - ok
10:23:38.0078 3996 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:23:38.0093 3996 WMPNetworkSvc - ok
10:23:38.0156 3996 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
10:23:38.0171 3996 WpdUsb - ok
10:23:38.0343 3996 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
10:23:38.0375 3996 WPFFontCache_v0400 - ok
10:23:38.0421 3996 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
10:23:38.0453 3996 wscsvc - ok
10:23:38.0468 3996 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:23:38.0468 3996 WSTCODEC - ok
10:23:38.0500 3996 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
10:23:38.0531 3996 wuauserv - ok
10:23:38.0562 3996 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:23:38.0562 3996 WudfPf - ok
10:23:38.0593 3996 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:23:38.0609 3996 WudfRd - ok
10:23:38.0625 3996 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:23:38.0656 3996 WudfSvc - ok
10:23:38.0718 3996 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
10:23:38.0765 3996 WZCSVC - ok
10:23:38.0781 3996 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
10:23:38.0828 3996 xmlprov - ok
10:23:38.0859 3996 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:23:39.0703 3996 \Device\Harddisk0\DR0 - ok
10:23:39.0703 3996 Boot (0x1200) (9d7f34731c6148acbe5cd5bead322ccf) \Device\Harddisk0\DR0\Partition0
10:23:39.0718 3996 \Device\Harddisk0\DR0\Partition0 - ok
10:23:39.0718 3996 Boot (0x1200) (d1da039ba7ccf4b5646028f8a4975feb) \Device\Harddisk0\DR0\Partition1
10:23:39.0734 3996 \Device\Harddisk0\DR0\Partition1 - ok
10:23:39.0734 3996 ============================================================
10:23:39.0734 3996 Scan finished
10:23:39.0734 3996 ============================================================
10:23:39.0750 1428 Detected object count: 0
10:23:39.0750 1428 Actual detected object count: 0

#5 Conspire

Conspire

  • Malware Response Team
  • 1,045 posts
  • Gender:Male
  • Local time:09:36 AM

Posted 15 July 2012 - 08:23 AM

You're welcome

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.
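
The post above ends with "include the C:\ComboFix.txt in your next reply for further review". What a reviewer looks for in that report, for this family, is fairly mechanical: a dropped executable in a randomly named folder under the user's Application Data, and autostart entries (Run key, Startup folder) that point at scripts or at locations outside Windows and Program Files. The script below is an added example, written for this thread and not part of the original post, of ComboFix, or of any BleepingComputer tool. It parses the section headers ComboFix prints as `((((( Section Name )))))`, applies those two heuristics, and runs against a sample report constructed for the example in the same line format as the report posted later in this thread (the Dropbox Run value and the user name are constructed; the allowlist of trusted prefixes and the extension sets are the example's own assumptions).

```python
r"""Triage a ComboFix report (C:\ComboFix.txt) for the persistence pattern seen in this thread.

Added example, not part of the original thread or of ComboFix itself. Two heuristics:
  * Other Deletions: an executable directly under <profile>\Application Data\<folder>\
    (the locker's drop location in this thread);
  * Reg Loading Points: a Run-key value or Startup-folder shortcut whose target is a
    script, lives under Application Data, or is outside C:\Windows / C:\Program Files.
"""
import ntpath
import re
from dataclasses import dataclass

# Section header as ComboFix prints it: "((((( Name )))))", sometimes with a date range.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# Run-key value line:      "Name"="target" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
# Startup-folder line:     Something.lnk - target [date size]
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<target>.+?)(?:\s+\[[^\]]*\])?$", re.IGNORECASE)
# A file sitting directly under <profile>\Application Data\<folder>\
APPDATA_DROP_RE = re.compile(r"\\application data\\(?P<folder>[^\\]+)\\(?P<file>[^\\]+)$", re.IGNORECASE)

# ComboFix localises its headers; the report posted in this thread is Portuguese.
SECTION_ALIASES = {
    "Outras Exclusões": "Other Deletions",
    "Pontos de Carregamento do Registro": "Reg Loading Points",
}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta"}
# Where legitimate autostart targets normally live (assumption made by this heuristic).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def parse_sections(report):
    """Map each ComboFix section name to its non-empty lines ('.' spacer lines dropped)."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = SECTION_ALIASES.get(header.group("name"), header.group("name"))
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def target_reasons(target):
    """Reasons an autostart target deserves a second look (empty list = looks ordinary)."""
    t = target.strip().lower()
    ext = ntpath.splitext(t)[1]
    reasons = []
    if ext in SCRIPT_EXT:
        reasons.append(f"autostart target is a script ({ext})")
    if "\\application data\\" in t:
        reasons.append("autostart target lives under a user Application Data folder")
    # A bare file name such as RTHDCPL.EXE is resolved via the system path and is left alone here.
    elif "\\" in t and not t.startswith(TRUSTED_PREFIXES):
        reasons.append("autostart target outside C:\\Windows and C:\\Program Files")
    return reasons


def triage(report):
    """Return the list of Findings for one ComboFix report."""
    sections = parse_sections(report)
    findings = []
    for line in sections.get("Other Deletions", []):
        drop = APPDATA_DROP_RE.search(line)
        if drop and ntpath.splitext(drop.group("file"))[1].lower() in EXECUTABLE_EXT:
            findings.append(Finding("Other Deletions", line,
                                    f"executable dropped directly under Application Data\\{drop.group('folder')}"))
    for line in sections.get("Reg Loading Points", []):
        entry = RUN_RE.match(line) or LNK_RE.match(line)
        if entry:
            for reason in target_reasons(entry.group("target")):
                findings.append(Finding("Reg Loading Points", entry.group("name"), reason))
    return findings


# Constructed sample in the format of the ComboFix report posted in this thread.
# The user name and the Dropbox Run value are invented; Dropbox is included because it
# legitimately runs from Application Data and shows the expected false positive.
SAMPLE_REPORT = r"""
ComboFix 12-07-14.01 - User 15-07-2012 15:45:50.1.2 - x86
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Application Data\Eqqi
c:\documents and settings\User\Application Data\Eqqi\otxao.tmp
c:\documents and settings\User\Application Data\Guetd\wuudb.exe
c:\windows\system32\win.ini
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-28 16861696]
"Dropbox"="c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe" [2012-01-18 24000000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ArcGIS License Manager 10 CRACKED.lnk - c:\cracked license manager 10\start_lic_mgr_invisible.vbs [2012-3-11 174]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2012-1-22 294912]
"""


def main():
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")


if __name__ == "__main__":
    main()
```

On the sample this reports wuudb.exe under Application Data\Guetd, the Dropbox Run value, and the cracked-license .vbs twice (script, and outside Windows/Program Files); AsusTray, RTHDCPL and SuperHybridEngine pass. The Application Data hit is a triage prompt, not a verdict: Dropbox and Google Drive legitimately run from there (the shell overlay handlers in the report in this thread show both), so those hits need checking by hand, while a short random folder name holding a single .exe is the pattern to act on. The alias map exists because ComboFix writes its headers in the system language; add entries for other localisations as needed.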

#6 TenderBranson

TenderBranson
  • Topic Starter

  • Members
  • 20 posts
  • Local time:02:36 AM

Posted 15 July 2012 - 10:02 AM

Here's the log from Combofix.

It had to download and install the Windows Recovery Console.

ComboFix 12-07-14.01 - Zombie 15-07-2012 15:45:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2039.979 [GMT 1:00]
Running from: c:\documents and settings\Zombie\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Zombie\Application Data\Eqqi
c:\documents and settings\Zombie\Application Data\Eqqi\otxao.tmp
c:\documents and settings\Zombie\Application Data\Eqqi\otxao.usi
c:\documents and settings\Zombie\Application Data\Guetd
c:\documents and settings\Zombie\Application Data\Guetd\wuudb.exe
c:\documents and settings\Zombie\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\win.ini
.
.
(((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 ))))))))))))))))))))))))))))
.
.
2012-07-12 11:05 . 2012-07-12 11:05 -------- d-----w- c:\program files\umd
2012-07-11 14:26 . 2012-07-11 16:11 -------- d-----w- C:\KAG
2012-07-11 13:37 . 2012-07-11 13:37 -------- d-----w- c:\documents and settings\Zombie\Local Settings\Application Data\CrashRpt
2012-07-11 13:36 . 2012-07-11 14:05 -------- d-----w- c:\program files\KAG
2012-07-10 14:04 . 2012-07-11 09:22 -------- d-----w- c:\program files\Games
2012-07-09 14:38 . 2012-07-09 14:38 -------- d-----w- c:\program files\Eye4Software
2012-07-09 12:17 . 2012-07-09 12:17 -------- d-----w- c:\program files\Garmin
2012-07-07 15:39 . 2012-07-07 15:39 -------- d-----w- c:\documents and settings\klein.HAL-9000\Application Data\Malwarebytes
2012-07-07 15:39 . 2012-07-07 15:39 -------- d-----w- c:\documents and settings\klein.HAL-9000\Local Settings\Application Data\Mozilla
2012-07-07 15:38 . 2012-07-07 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-07 15:38 . 2012-07-07 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 15:38 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 14:25 . 2012-07-07 14:30 -------- d-----w- c:\documents and settings\Administrator
2012-07-07 00:33 . 2012-07-07 00:33 -------- d-----w- c:\program files\Geosoft
2012-07-07 00:27 . 2012-07-07 00:31 -------- d-----w- c:\windows\Geosoft_Installer
2012-07-05 15:22 . 2012-07-05 15:23 -------- d-----w- c:\program files\G-Raster
2012-07-05 08:26 . 2012-07-05 08:26 -------- d-----w- c:\documents and settings\Zombie\Application Data\Mobile Atlas Creator
2012-06-26 15:46 . 2012-06-26 15:46 -------- d-----w- c:\program files\Common Files\DataEast
2012-06-26 15:46 . 2012-06-26 15:46 -------- d-----w- c:\documents and settings\Zombie\Application Data\DataEast
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2012-01-22 14:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-01-22 14:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-01-22 14:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-01-22 14:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-01-22 14:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-01-22 14:21 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2012-01-22 14:21 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2012-01-22 14:21 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2012-01-22 14:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-01-22 14:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-11 15:13 . 2012-06-11 15:13 286720 ------w- c:\windows\Setup1.exe
2012-06-11 15:13 . 2012-06-11 15:13 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-04-27 17:20 . 2012-04-27 17:21 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 17:20 . 2012-04-11 13:16 772552 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-27 17:20 . 2012-01-26 15:07 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-27 15:35 . 2012-04-27 15:22 3993600 ----a-w- c:\program files\GUTC3.tmp
.
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Zombie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Zombie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Zombie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ----a-w- c:\documents and settings\Zombie\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 18:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 18:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 18:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 18:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-17 622592]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-28 16861696]
"SoundMan"="SOUNDMAN.EXE" [2006-07-22 86016]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ArcGIS License Manager 10 CRACKED.lnk - c:\cracked license manager 10\start_lic_mgr_invisible.vbs [2012-3-11 174]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2012-1-22 294912]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2006-05-05 00:26 2808832 ----a-w- c:\windows\alcwzrd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-19 19:08 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFPrint]
2012-05-22 07:38 160872 ----a-w- c:\program files\PDF24\pdf24.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\portable\\SkypePortable\\App\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Zombie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"d:\\portable\\uTorrent\\uTorrent.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/22/2012 3:21 PM 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/22/2012 3:21 PM 353688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/22/2012 3:21 PM 21256]
R2 C-Map Service;C-Map Service;c:\program files\CM93v3 SDK\System\cmapsvc.exe [3/23/2010 4:36 PM 544768]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [1/22/2012 3:06 PM 704384]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\Zombie\Desktop\Virtual\VCdRom.sys --> c:\documents and settings\Zombie\Desktop\Virtual\VCdRom.sys [?]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2012 4:22 PM 116648]
S3 gupdatem;Serviço Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2012 4:22 PM 116648]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2/25/2012 11:03 AM 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2/25/2012 11:03 AM 11104]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [4/12/2012 6:21 PM 104752]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 7:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 7:56 PM 367456]
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - 55627733
*Deregistered* - 55627733
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-07-13 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-09 16:21]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-27 15:22]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-27 15:22]
.
.
------- Scan Suplementar -------
.
uInternet Connection Wizard,ShellNext = hxxp://picasa.google.com/support/bin/answer.py?hl=pt_PT&answer=93773
uInternet Settings,ProxyServer = socks=127.0.0.1:38190
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transferir com Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
TCP: DhcpNameServer = 168.192.1.1 168.95.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-15 15:55
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\igfxdev.dll
.
Tempo para conclusão: 2012-07-15 15:59:31
ComboFix-quarantined-files.txt 2012-07-15 14:59
.
Pré-execução: 2.673.430.528 bytes free
Pós execução: 2.609.467.392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows" /noexecute=optin /fastdetect
.
- - End Of File - - BA4C8EC73FB5480AD8329BA8799B2C2E

#7 Conspire
  • Malware Response Team
  • 1,045 posts

Posted 15 July 2012 - 11:04 AM

Hi,

You have uTorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would recommend that you uninstall it; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


===================================================

Go to My Computer -> Tools -> Folder Options -> View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


Click on Browse, and upload the following files for analysis:
c:\windows\system32\Drivers\PROCEXP151.SYS
c:\windows\Setup1.exe
c:\windows\ST6UNST.EXE


Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif
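An added example, not code from this thread or from ComboFix: a small Python triage of the kind of autostart lines shown in the log above. It flags entries whose file ComboFix could not find or read (the log prints these with a trailing `[?]`, as for PROCEXP151.SYS, which the topic starter later could not find on disk) and entries that load from a user-writable profile path. The sample lines are copied from the log, except the `"Updater"` Run entry, which is constructed to stand in for the Guetd\wuudb.exe that ESET later reports in quarantine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ComboFix log above: Run-key entries
# ('"Name"="path" [date size]') and service entries ('R1 name;display;path
# [date size]'). An entry whose file ComboFix could not find or read ends in
# "[?]", as PROCEXP151.SYS does above. The "Updater" line is invented here to
# stand in for the quarantined Guetd\wuudb.exe; it is not from the real log.
SAMPLE_LOG = r"""
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"Updater"="c:\documents and settings\Zombie\Application Data\Guetd\wuudb.exe" [2012-07-01 118784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/22/2012 3:21 PM 721000]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\Zombie\Desktop\Virtual\VCdRom.sys --> c:\documents and settings\Zombie\Desktop\Virtual\VCdRom.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [4/12/2012 6:21 PM 104752]
"""

# '"Name"="path" [tail]'
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<tail>[^\]]*)\]\s*$')
# 'R1 name;display;path [tail]'; the path may be printed as '\??\x --> x'
SVC_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+?)\s*\[(?P<tail>[^\]]*)\]\s*$')

# Paths a non-admin XP user can write to; an autostart there deserves a look.
USER_WRITABLE = ("\\documents and settings\\",)


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return (name, path, tail) for a Run-key or service line, else None."""
    m = RUN_RE.match(line)
    if m:
        return m["name"], m["path"], m["tail"]
    m = SVC_RE.match(line)
    if m:
        rest = m["rest"]
        # keep the resolved path after " --> " when ComboFix printed both forms
        path = rest.split(" --> ", 1)[1] if " --> " in rest else rest
        return m["name"], path, m["tail"]
    return None


def triage(log_text):
    """Flag autostarts whose file is missing or lives in a user-writable path."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        name, path, tail = entry
        reasons = []
        if tail.strip() == "?":
            reasons.append("registered but file not found on disk")
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("loaded from a user-writable profile path")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

Flagged entries are candidates for the kind of hash lookup the helper asks for above, not verdicts; a legitimate tool whose driver is unloaded (or a file on a detached drive) produces the same `[?]`.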

#8 TenderBranson
  • Topic Starter
  • Members
  • 20 posts

Posted 15 July 2012 - 11:19 AM

Hi,

Thanks for the advice on uTorrent.
Unfortunately, sometimes I need to use it as part of my job.

Here are the links for two of the three files you requested.
Couldn't find c:\windows\system32\Drivers\PROCEXP151.SYS. Why? Is this normal?

https://www.virustotal.com/file/6a15b76e1526e1fd6ebaecacc59c3e954d0feb0b566c81538ea6dad2edcffe16/analysis/1342368746/

https://www.virustotal.com/file/7e60c894a8cead6880fd3ed040504d02304a0b961304e40741340e31f5fa973d/analysis/1342368987/

#9 Conspire
  • Malware Response Team
  • 1,045 posts

Posted 15 July 2012 - 11:42 AM

Hi,

I just want to confirm its legitimacy. Do you recognize PROCEXP151.SYS? :)

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished, it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
===================================================

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for the report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push Posted Image
===================================================

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program. (Note to Vista users, please right-click and select Run as Administrator.)
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


===================================================

On your next reply please post :
ESET log
MBAM log


Please STOP and let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

Edited by Conspire, 15 July 2012 - 11:43 AM.


#10 TenderBranson
  • Topic Starter
  • Members
  • 20 posts

Posted 16 July 2012 - 03:11 AM

Hello,

The ESET scan did find something.
The first entry, I don't know what it is. The last two are software I was meaning to try...
The Malware log, also, but it's only the Windows security alerts.

ESET log:

C:\Qoobox\Quarantine\C\Documents and Settings\Zombie\Application Data\Guetd\wuudb.exe.vir a variant of Win32/Injector.TTG trojan
D:\ARRUMAR - URGENTE\Try me\rpg-setup.exe a variant of Win32/Toolbar.Widgi application
D:\ARRUMAR - URGENTE\Try me\unlocker-setup.exe a variant of Win32/Toolbar.Widgi application

Malware Log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Zombie :: HAL-9000 [administrator]

15-07-2012 23:03:07
mbam-log-2012-07-16 (07-46-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260881
Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 Conspire
  • Malware Response Team
  • 1,045 posts

Posted 16 July 2012 - 04:30 AM

Qoobox is the ComboFix quarantine folder. Nothing to worry about.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
Combofix /Uninstall

===================================================

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

--------------------------------------------------------------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


Passwords
It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article,
Strong passwords: How to create and use them, and consider a password keeper to keep all your passwords safe.


SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See the guide here, and for Windows Vista here.
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.
Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will be reduced dramatically.

Hopefully this should take care of your problems! Good luck.

Do you have any questions or problems to ask? Please do not hesitate to do so.

**Please respond one more time to ensure it is resolved and close this topic.

#12 TenderBranson
  • Topic Starter
  • Members
  • 20 posts

Posted 16 July 2012 - 04:52 AM

ComboFix uninstalled with no problems.

I'll definitely be looking into your Spyware Prevention tips.

Thanks Conspire, for all your time and help.

Bleeping Computer Rocks!! :)

#13 Conspire
  • Malware Response Team
  • 1,045 posts

Posted 16 July 2012 - 07:00 AM

You're welcome :)

#14 Conspire
  • Malware Response Team
  • 1,045 posts

Posted 16 July 2012 - 07:00 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
