
Potential FcsSas.exe impersonating Virus


  • This topic is locked
33 replies to this topic

#1 billiam864

billiam864

  • Members
  • 67 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 23 January 2013 - 08:37 AM

Need continued help with an old persistent problem. My computer is old (6 years), it's an HP Tablet tc4200, I run Windows XP. 6 months ago it was working fine, I could stream videos via chrome/youtube, seemed to open programs normally. I started noticing slow down problems in the Fall, and in late Dec I noticed I had a major Virus. I used bleepingcomputer in Dec to eliminate what turned out to be a nasty Rootkit of some kind. The long forum can be seen below:

http://www.bleepingcomputer.com/forums/topic478451.html/page__st__30__p__2925763#entry2925763

Much of the time in my last effort, I complained of losing hard drive space, from 4 gigs to 70mbs...etc. This problem was for sure related to the rootkit, but doesn't appear fully gone.

I'm writing today in a new post to see if I may still be infected. My CPU runs better than it did with the rootkit, but not much. In general it opens programs slowly, I struggle to stream even 240p videos, and a lot of times chrome takes 3-4 minutes just to even open. I am not running any extensions that I know of and I ran defrag recently.

I could be very wrong, but I believe it may still be a virus issue. (Using my task manager) I noticed that FcsSas.exe will occasionally take up 99% of the CPU usage for 10-15 minutes. This is odd as I have Micro Forefront turned totally off, disabled, etc. I then also quite often have explorer.exe taking up 70%+ CPU usage even if I have only one tab open in chrome. When either of these happens obviously my cpu slows to a crawl. When they don't show up my cpu still doesn't perform well. I read that sometimes a virus will impersonate a windows file like FcsSas.exe... so perhaps that is the issue?

Lastly (may be unrelated) my System Volume Information consistently eats at my hard drive space...going from 400 mbs, to 1 gig, to now over 3 gigs, just by leaving my cpu on for a couple days. I know this is creating restore points, but I don't remember ever having this issue in the past to this extent.

I will mention that as I only have 80gigs HD space, I know leaving only 3 gigs available isn't the best for speed, so while I'm waiting for a response I'm saving and backing up my photos/music on to a new external hard drive to see if that helps. If this is not malware, but a file corruption, or other problem I'll be pleased to change forums.

Here are the DDS logs.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by DerochaWS1 at 8:07:31 on 2013-01-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1278 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Desktop\WinDirStat\windirstat.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate08012012
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GCC_Settings] c:\gcc\tools\GCC_Settings.vbs
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265638856453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266413219979
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{82E3FFBA-55CD-4CA8-AABD-1CCB7F0CFFDD} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-12-23 242240]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-10 1435568]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-10-30 47640]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-2-8 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2007-1-22 34736]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2011-1-8 16896]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-17 35144]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-2-17 71296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-1-6 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-01-12 18:15:14 -------- d-----w- c:\program files\Dropbox
2013-01-05 21:02:52 -------- d-----w- c:\program files\Cisco Systems
2013-01-05 21:02:07 -------- d-----w- c:\documents and settings\all users\application data\Cisco Systems
.
==================== Find3M ====================
.
2012-12-23 17:32:42 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-12-18 01:27:02 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-15 17:57:42 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-12-14 17:27:04 43600 ----a-w- c:\windows\system32\drivers\dkzuusaq.sys
2012-12-14 17:26:30 57600 ----a-w- c:\windows\system32\drivers\xqqbwwmu.sys
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41:17 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
1999-06-01 06:23:00 571847688 ----a-w- c:\program files\INSTALL.EXE
1998-11-03 03:07:26 95232 ----a-w- c:\program files\SMACKW32.DLL
.
============= FINISH: 8:08:00.81 ===============



#2 billiam864

billiam864
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 25 January 2013 - 02:18 PM

I have new information to report. Upon clearing out some HD to run a defrag...I noticed the following odd issue:

Help please?

In my C:, Docs and Settings, All Users, Application Data, Microsoft, Media Tools, plugins, media hash, downloads

I found 700gigs + of movies...loads and loads of movie files. My laptop only has an 80gig hd, so I'm assuming this is not actually on my hard drive. I have never seen or downloaded these movies, some of them are brand new (just came out). I tried to move one to my desktop to see if I could play it, see if it is a genuine movie file. My cpu recognized it as an avi file, but VLC won't play it claiming it is undf.

I believe this to be a recent occurrence, as I ran the same cpu scan in December and didn't find all these files, although it may have been starting then, explaining my past issues. When running it yesterday suddenly there was an extra several hundred gigs of files I hadn't noticed. I believe this might be what has caused my cpu to run slowly recently.

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 9,912 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:13 AM

Posted 28 January 2013 - 08:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/482740 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 billiam864

billiam864
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 28 January 2013 - 04:13 PM

I do still need help. Attached are my latest DDS logs. My main concerns are now in the 2nd post. I do not have any cds for windows XP or other microsoft applications, which is why I'd like to avoid formatting if at all possible.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by DerochaWS1 at 16:07:23 on 2013-01-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1154 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DerochaWS1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate08012012
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GCC_Settings] c:\gcc\tools\GCC_Settings.vbs
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265638856453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266413219979
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{82E3FFBA-55CD-4CA8-AABD-1CCB7F0CFFDD} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-12-23 242240]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-10 1435568]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-10-30 47640]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-2-8 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2007-1-22 34736]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2011-1-8 16896]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-17 35144]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-2-17 71296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-1-6 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-01-12 18:15:14 -------- d-----w- c:\program files\Dropbox
2013-01-05 21:02:52 -------- d-----w- c:\program files\Cisco Systems
2013-01-05 21:02:07 -------- d-----w- c:\documents and settings\all users\application data\Cisco Systems
.
==================== Find3M ====================
.
2012-12-23 17:32:42 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-12-18 01:27:02 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-15 17:57:42 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-12-14 17:27:04 43600 ----a-w- c:\windows\system32\drivers\dkzuusaq.sys
2012-12-14 17:26:30 57600 ----a-w- c:\windows\system32\drivers\xqqbwwmu.sys
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41:17 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
1999-06-01 06:23:00 571847688 ----a-w- c:\program files\INSTALL.EXE
1998-11-03 03:07:26 95232 ----a-w- c:\program files\SMACKW32.DLL
.
============= FINISH: 16:09:51.62 ===============


#5 thisisu

thisisu

    U


  • Malware Response Team
  • 2,103 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:04:13 AM

Posted 30 January 2013 - 07:55 PM

Hello and welcome to BleepingComputer! :welcome:

My name is Thisisu and I will be helping you with your malware related computer problems.

I do have some basic rules while we are working together so please read and follow them:


  • Be specific!
    • If you come across a problem while performing any of the steps listed here, do not simply state "It did not work." Tell me the exact error you encountered if one was given to you. For example, this is a much better response: "When I ran the ____ tool, an error box appeared on my screen and said 'Illegal operation attempted on a registry key that has been marked for deletion.'. There is only an 'OK' button in the box."
  • Do not run any scans/fixes on your own!
    • If at any time you feel that you can handle the rest of your computer problems on your own, please let me know. Otherwise, only follow the steps I or another helper from this thread have provided.
  • I will close the topic if I have not heard a response from you within 72 hours.
    • If you are going to be away, just let me know and I will leave the topic open until you can return.

Let's begin:

  • Please download and install CCleaner Slim
  • Open CCleaner and click the Options button
  • Now choose Advanced
  • Uncheck everything here except for Skip User Account Control warning
  • Now click the Cleaner button and press the Run Cleaner button at the bottom right of the program.
  • If this is your first time running this program, a prompt may appear asking for confirmation to delete temporary files. Go ahead and proceed.

__

Please download and run TDSSKiller
  • Click the Change parameters link/button.
  • In the new window, add a checkmark into "Detect TDLFS file system" and then press OK.
  • Now press the "Start scan" button.
  • In the event that threats are detected, allow TDSSKiller to perform the default action by simply pressing the "Continue" button.
  • After the scan / cure is complete, you can find the TDSSKiller log at the root of your C: drive.
    • Example: C:\TDSSKiller.2.8.10.0_29.09.2012_00.22.50_log.txt
  • Please post the contents of this file to your next message.

__

Please download and install Malwarebytes Anti-Malware.
  • Open Malwarebytes Anti-Malware and click the Update tab.
    • Then press the Check for Updates button.
  • Once you have the latest database version, click the Settings tab.
    • Now click the Scanner Settings sub-tab.
    • In the sections that say:
      • Action for potentially unwanted programs (PUP)
      • Action for potentially unwanted modifications (PUM)
      • Action for peer-to-peer software (P2P)
    • .. click the down arrow next to each field and choose: Show in results list and check for removal.
  • Now go back to the main Scanner tab and perform a Quick Scan.
  • Wait for the scan to complete and follow the prompts provided.
  • A log file will appear when finished.
  • Post the contents of this log file into your next message.
    • You can also retrieve the log from the Logs tab in case you accidentally closed the report that popped up when the scan completed.

__

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the [image] text-field.

    /md5start
    xqqbwwmu.sys
    dkzuusaq.sys
    FcsSas.exe
    /md5stop
    drives
    netsvcs
    
  • Now click the [image] button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt


#6 billiam864 (Topic Starter)

Posted 31 January 2013 - 10:42 PM

Hi Thisisu, thank you for the help.

Prior to your response, I went ahead and updated Windows...there were 16+ updates. Upon rebooting my cpu today to respond to you, I had a new program Microsoft Security Essentials showing up. I also encountered the following error upon starting chrome, as well as super slow loading speeds:

The certificate received has been flagged as erroneous. Please see http://support.google.com/chrome/?p=e_malware_Sirefef&hl=en-US for more details.

The certificate received indicates that this computer is infected with Sirefef.gen!C.

Sirefef.gen!C is a computer virus that intercepts secure web connections and can steal passwords and other sensitive data.

Chrome recognises this virus, but it affects all software on the computer. Other browsers and software may continue to work but they are also affected and rendered insecure.

Microsoft Security Essentials can reportedly remove this virus. When the virus is removed, the warnings in Chrome will stop.

Microsoft Security Essentials is freely available from Microsoft at http://windows.microsoft.com/en-US/windows/security-essentials-download

You should not proceed, especially if you have never seen this warning before for this site.



I only went to bleepingcomputer.com...I ran the CCleaner Slim.
I then ran TDSSKiller, which found a threat and restarted my CPU...also it seems to help chrome quite a bit, as load speeds improved somewhat after the reboot. The log is posted below:

21:50:22.0109 3168 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
21:50:24.0109 3168 ============================================================
21:50:24.0109 3168 Current date / time: 2013/01/31 21:50:24.0109
21:50:24.0109 3168 SystemInfo:
21:50:24.0109 3168
21:50:24.0109 3168 OS Version: 5.1.2600 ServicePack: 3.0
21:50:24.0109 3168 Product type: Workstation
21:50:24.0109 3168 ComputerName: CND6220870
21:50:24.0109 3168 UserName: DerochaWS1
21:50:24.0109 3168 Windows directory: C:\WINDOWS
21:50:24.0109 3168 System windows directory: C:\WINDOWS
21:50:24.0109 3168 Processor architecture: Intel x86
21:50:24.0109 3168 Number of processors: 1
21:50:24.0109 3168 Page size: 0x1000
21:50:24.0109 3168 Boot type: Normal boot
21:50:24.0109 3168 ============================================================
21:50:26.0203 3168 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2861, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
21:50:26.0218 3168 ============================================================
21:50:26.0218 3168 \Device\Harddisk0\DR0:
21:50:26.0218 3168 MBR partitions:
21:50:26.0218 3168 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x950E800
21:50:26.0218 3168 ============================================================
21:50:26.0250 3168 C: <-> \Device\Harddisk0\DR0\Partition1
21:50:26.0250 3168 ============================================================
21:50:26.0250 3168 Initialize success
21:50:26.0250 3168 ============================================================
21:50:42.0125 3612 ============================================================
21:50:42.0125 3612 Scan started
21:50:42.0125 3612 Mode: Manual; TDLFS;
21:50:42.0125 3612 ============================================================
21:50:43.0093 3612 ================ Scan system memory ========================
21:50:43.0093 3612 System memory - ok
21:50:43.0109 3612 ================ Scan services =============================
21:50:43.0328 3612 [ 914A9709FC3BF419AD2F85547F2A4832 ] 61883 C:\WINDOWS\system32\DRIVERS\61883.sys
21:50:43.0328 3612 61883 - ok
21:50:43.0343 3612 Abiosdsk - ok
21:50:43.0359 3612 abp480n5 - ok
21:50:43.0421 3612 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:50:43.0437 3612 ACPI - ok
21:50:43.0453 3612 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:50:43.0453 3612 ACPIEC - ok
21:50:43.0468 3612 adpu160m - ok
21:50:43.0546 3612 [ 9F59AE2DE835641FBB0C6AFD80D8FA9B ] aeaudio C:\WINDOWS\system32\drivers\aeaudio.sys
21:50:43.0546 3612 aeaudio - ok
21:50:43.0625 3612 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
21:50:43.0640 3612 aec - ok
21:50:43.0703 3612 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
21:50:43.0703 3612 AFD - ok
21:50:43.0796 3612 [ 029E01CB2938BEC5AF31BF47B6AF0159 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
21:50:43.0859 3612 AgereSoftModem - ok
21:50:43.0890 3612 Aha154x - ok
21:50:43.0906 3612 aic78u2 - ok
21:50:43.0921 3612 aic78xx - ok
21:50:43.0953 3612 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
21:50:43.0953 3612 Alerter - ok
21:50:44.0000 3612 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
21:50:44.0000 3612 ALG - ok
21:50:44.0015 3612 AliIde - ok
21:50:44.0031 3612 amsint - ok
21:50:44.0078 3612 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
21:50:44.0093 3612 AppMgmt - ok
21:50:44.0125 3612 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:50:44.0140 3612 Arp1394 - ok
21:50:44.0156 3612 asc - ok
21:50:44.0171 3612 asc3350p - ok
21:50:44.0187 3612 asc3550 - ok
21:50:44.0328 3612 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
21:50:44.0328 3612 aspnet_state - ok
21:50:44.0359 3612 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:50:44.0359 3612 AsyncMac - ok
21:50:44.0406 3612 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
21:50:44.0406 3612 atapi - ok
21:50:44.0421 3612 Atdisk - ok
21:50:44.0468 3612 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:50:44.0468 3612 Atmarpc - ok
21:50:44.0515 3612 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
21:50:44.0531 3612 AudioSrv - ok
21:50:44.0546 3612 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
21:50:44.0546 3612 audstub - ok
21:50:44.0578 3612 [ F8E6956A614F15A0860474C5E2A7DE6B ] Avc C:\WINDOWS\system32\DRIVERS\avc.sys
21:50:44.0593 3612 Avc - ok
21:50:44.0640 3612 [ 2FA609C3411EC5F77F42D0B04D304AE5 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
21:50:44.0656 3612 b57w2k - ok
21:50:44.0703 3612 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
21:50:44.0703 3612 Beep - ok
21:50:44.0765 3612 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
21:50:44.0781 3612 Browser - ok
21:50:44.0812 3612 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
21:50:44.0812 3612 cbidf2k - ok
21:50:44.0843 3612 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:50:44.0843 3612 CCDECODE - ok
21:50:44.0859 3612 cd20xrnt - ok
21:50:44.0906 3612 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
21:50:44.0906 3612 Cdaudio - ok
21:50:44.0968 3612 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
21:50:44.0968 3612 Cdfs - ok
21:50:45.0000 3612 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:50:45.0000 3612 Cdrom - ok
21:50:45.0015 3612 Changer - ok
21:50:45.0078 3612 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
21:50:45.0078 3612 CiSvc - ok
21:50:45.0109 3612 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
21:50:45.0109 3612 ClipSrv - ok
21:50:45.0171 3612 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:50:45.0171 3612 clr_optimization_v2.0.50727_32 - ok
21:50:45.0203 3612 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:50:45.0203 3612 CmBatt - ok
21:50:45.0218 3612 CmdIde - ok
21:50:45.0250 3612 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:50:45.0250 3612 Compbatt - ok
21:50:45.0281 3612 COMSysApp - ok
21:50:45.0312 3612 Cpqarray - ok
21:50:45.0375 3612 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
21:50:45.0375 3612 CryptSvc - ok
21:50:45.0406 3612 dac2w2k - ok
21:50:45.0421 3612 dac960nt - ok
21:50:45.0531 3612 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
21:50:45.0609 3612 DcomLaunch - ok
21:50:45.0640 3612 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
21:50:45.0656 3612 Dhcp - ok
21:50:45.0671 3612 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
21:50:45.0671 3612 Disk - ok
21:50:45.0687 3612 dmadmin - ok
21:50:45.0765 3612 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
21:50:45.0812 3612 dmboot - ok
21:50:45.0843 3612 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
21:50:45.0843 3612 dmio - ok
21:50:45.0859 3612 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
21:50:45.0875 3612 dmload - ok
21:50:45.0921 3612 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
21:50:45.0921 3612 dmserver - ok
21:50:45.0953 3612 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
21:50:45.0953 3612 DMusic - ok
21:50:46.0031 3612 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
21:50:46.0031 3612 Dnscache - ok
21:50:46.0078 3612 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
21:50:46.0093 3612 Dot3svc - ok
21:50:46.0109 3612 dpti2o - ok
21:50:46.0156 3612 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
21:50:46.0156 3612 drmkaud - ok
21:50:46.0234 3612 [ 687AF6BB383885FF6A64071B189A7F3E ] dtsoftbus01 C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
21:50:46.0234 3612 dtsoftbus01 - ok
21:50:46.0281 3612 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
21:50:46.0281 3612 EapHost - ok
21:50:46.0328 3612 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
21:50:46.0328 3612 ERSvc - ok
21:50:46.0390 3612 esgiguard - ok
21:50:46.0453 3612 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
21:50:46.0453 3612 Eventlog - ok
21:50:46.0546 3612 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
21:50:46.0546 3612 EventSystem - ok
21:50:46.0609 3612 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
21:50:46.0609 3612 Fastfat - ok
21:50:46.0671 3612 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
21:50:46.0671 3612 FastUserSwitchingCompatibility - ok
21:50:46.0703 3612 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
21:50:46.0703 3612 Fdc - ok
21:50:46.0734 3612 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
21:50:46.0734 3612 Fips - ok
21:50:46.0765 3612 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
21:50:46.0765 3612 Flpydisk - ok
21:50:46.0796 3612 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
21:50:46.0796 3612 FltMgr - ok
21:50:46.0875 3612 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:50:46.0890 3612 FontCache3.0.0.0 - ok
21:50:46.0953 3612 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:50:46.0953 3612 Fs_Rec - ok
21:50:46.0968 3612 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:50:46.0984 3612 Ftdisk - ok
21:50:47.0046 3612 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:50:47.0062 3612 Gpc - ok
21:50:47.0109 3612 [ B6B1F53F585B41091EB3586F8297A379 ] GTIPCI21 C:\WINDOWS\system32\DRIVERS\gtipci21.sys
21:50:47.0125 3612 GTIPCI21 - ok
21:50:47.0187 3612 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
21:50:47.0203 3612 gupdate - ok
21:50:47.0218 3612 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
21:50:47.0218 3612 gupdatem - ok
21:50:47.0265 3612 [ 833051C6C6C42117191935F734CFBD97 ] hamachi C:\WINDOWS\system32\DRIVERS\hamachi.sys
21:50:47.0265 3612 hamachi - ok
21:50:47.0421 3612 [ 616399E27A55C97AE859230EB13984D8 ] Hamachi2Svc C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
21:50:47.0500 3612 Hamachi2Svc - ok
21:50:47.0562 3612 [ 407E41DDB2BFECE109132AEC296E0D98 ] HBtnKey C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
21:50:47.0562 3612 HBtnKey - ok
21:50:47.0656 3612 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:50:47.0656 3612 helpsvc - ok
21:50:47.0671 3612 HidServ - ok
21:50:47.0734 3612 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:50:47.0734 3612 HidUsb - ok
21:50:47.0765 3612 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
21:50:47.0781 3612 hkmsvc - ok
21:50:47.0796 3612 hpn - ok
21:50:47.0843 3612 [ 35956140E686D53BF676CF0C778880FC ] HpqKbFiltr C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
21:50:47.0859 3612 HpqKbFiltr - ok
21:50:47.0953 3612 [ 04C1DCBB226C6AE647B794833CE3CEB6 ] hpqwmiex C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
21:50:47.0953 3612 hpqwmiex - ok
21:50:48.0000 3612 [ 9F1D80908658EB7F1BF70809E0B51470 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:50:48.0015 3612 HPZid412 - ok
21:50:48.0062 3612 [ F7E3E9D50F9CD3DE28085A8FDAA0A1C3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:50:48.0062 3612 HPZipr12 - ok
21:50:48.0109 3612 [ CF1B7951B4EC8D13F3C93B74BB2B461B ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:50:48.0109 3612 HPZius12 - ok
21:50:48.0171 3612 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
21:50:48.0187 3612 HTTP - ok
21:50:48.0234 3612 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
21:50:48.0234 3612 HTTPFilter - ok
21:50:48.0250 3612 i2omgmt - ok
21:50:48.0281 3612 i2omp - ok
21:50:48.0343 3612 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:50:48.0343 3612 i8042prt - ok
21:50:48.0437 3612 [ C600649CA5BA2A7C9B280E9F90C5DB25 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
21:50:48.0484 3612 ialm - ok
21:50:48.0593 3612 [ 1CF03C69B49ACB70C722DF92755C0C8C ] IDriverT c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
21:50:48.0593 3612 IDriverT - ok
21:50:48.0687 3612 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:50:48.0734 3612 idsvc - ok
21:50:48.0812 3612 [ 1988575194189863932F73B43D9A0AD9 ] IFXSpMgtSrv C:\WINDOWS\system32\IFXSPMGT.exe
21:50:48.0828 3612 IFXSpMgtSrv - ok
21:50:48.0843 3612 [ 0A359837E021BC04A04A6FD189492C65 ] IFXTPM C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
21:50:48.0843 3612 IFXTPM - ok
21:50:48.0906 3612 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
21:50:48.0906 3612 Imapi - ok
21:50:48.0968 3612 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
21:50:48.0968 3612 ImapiService - ok
21:50:49.0000 3612 ini910u - ok
21:50:49.0046 3612 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
21:50:49.0046 3612 IntelIde - ok
21:50:49.0078 3612 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:50:49.0078 3612 intelppm - ok
21:50:49.0109 3612 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
21:50:49.0109 3612 Ip6Fw - ok
21:50:49.0156 3612 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:50:49.0171 3612 IpFilterDriver - ok
21:50:49.0187 3612 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:50:49.0187 3612 IpInIp - ok
21:50:49.0234 3612 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:50:49.0234 3612 IpNat - ok
21:50:49.0265 3612 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:50:49.0265 3612 IPSec - ok
21:50:49.0296 3612 [ ACA5E7B54409F9CB5EED97ED0C81120E ] irda C:\WINDOWS\system32\DRIVERS\irda.sys
21:50:49.0296 3612 irda - ok
21:50:49.0328 3612 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
21:50:49.0328 3612 IRENUM - ok
21:50:49.0343 3612 [ 49CC4533CE897CB2E93C1E84A818FDE5 ] Irmon C:\WINDOWS\System32\irmon.dll
21:50:49.0359 3612 Irmon - ok
21:50:49.0390 3612 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:50:49.0406 3612 isapnp - ok
21:50:49.0500 3612 [ B591E761161D1EF547D76EF236EAA6A5 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
21:50:49.0500 3612 JavaQuickStarterService - ok
21:50:49.0546 3612 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:50:49.0546 3612 Kbdclass - ok
21:50:49.0578 3612 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:50:49.0578 3612 kbdhid - ok
21:50:49.0640 3612 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
21:50:49.0656 3612 kmixer - ok
21:50:49.0687 3612 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
21:50:49.0703 3612 KSecDD - ok
21:50:49.0750 3612 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
21:50:49.0765 3612 lanmanserver - ok
21:50:49.0828 3612 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
21:50:49.0859 3612 lanmanworkstation - ok
21:50:49.0875 3612 lbrtfdc - ok
21:50:49.0984 3612 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
21:50:49.0984 3612 LmHosts - ok
21:50:50.0000 3612 LMIInfo - ok
21:50:50.0062 3612 [ 4477689E2D8AE6B78BA34C9AF4CC1ED1 ] lmimirr C:\WINDOWS\system32\DRIVERS\lmimirr.sys
21:50:50.0062 3612 lmimirr - ok
21:50:50.0078 3612 LMIRfsClientNP - ok
21:50:50.0125 3612 [ 3FAA563DDF853320F90259D455A01D79 ] LMIRfsDriver C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
21:50:50.0125 3612 LMIRfsDriver - ok
21:50:50.0187 3612 [ 4A5FFDF0FE830C448830BD4B02B02B4B ] mbamchameleon C:\WINDOWS\system32\drivers\mbamchameleon.sys
21:50:50.0187 3612 mbamchameleon - ok
21:50:50.0234 3612 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
21:50:50.0234 3612 Messenger - ok
21:50:50.0328 3612 [ 123271BD5237AB991DC5C21FDF8835EB ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
21:50:50.0328 3612 Microsoft Office Groove Audit Service - ok
21:50:50.0359 3612 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
21:50:50.0359 3612 mnmdd - ok
21:50:50.0406 3612 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
21:50:50.0421 3612 mnmsrvc - ok
21:50:50.0453 3612 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
21:50:50.0453 3612 Modem - ok
21:50:50.0531 3612 [ F3C2E6441348A7FC20F21FE2F5EB28E6 ] MOM C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
21:50:50.0531 3612 MOM - ok
21:50:50.0609 3612 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:50:50.0609 3612 Mouclass - ok
21:50:50.0656 3612 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:50:50.0656 3612 mouhid - ok
21:50:50.0687 3612 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
21:50:50.0687 3612 MountMgr - ok
21:50:50.0734 3612 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
21:50:50.0734 3612 MpFilter - ok
21:50:50.0750 3612 mraid35x - ok
21:50:50.0796 3612 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:50:50.0796 3612 MRxDAV - ok
21:50:50.0859 3612 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:50:50.0875 3612 MRxSmb - ok
21:50:50.0906 3612 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
21:50:50.0906 3612 MSDTC - ok
21:50:50.0968 3612 [ 1477849772712BAC69C144DCF2C9CE81 ] MSDV C:\WINDOWS\system32\DRIVERS\msdv.sys
21:50:50.0968 3612 MSDV - ok
21:50:51.0031 3612 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
21:50:51.0031 3612 Msfs - ok
21:50:51.0062 3612 MSIServer - ok
21:50:51.0093 3612 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:50:51.0093 3612 MSKSSRV - ok
21:50:51.0125 3612 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:50:51.0125 3612 MSPCLOCK - ok
21:50:51.0156 3612 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
21:50:51.0156 3612 MSPQM - ok
21:50:51.0203 3612 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:50:51.0203 3612 mssmbios - ok
21:50:51.0234 3612 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
21:50:51.0234 3612 MSTEE - ok
21:50:51.0265 3612 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
21:50:51.0265 3612 Mup - ok
21:50:51.0312 3612 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:50:51.0312 3612 NABTSFEC - ok
21:50:51.0375 3612 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
21:50:51.0390 3612 napagent - ok
21:50:51.0468 3612 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
21:50:51.0468 3612 NDIS - ok
21:50:51.0515 3612 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:50:51.0515 3612 NdisIP - ok
21:50:51.0578 3612 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:50:51.0578 3612 NdisTapi - ok
21:50:51.0640 3612 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:50:51.0640 3612 Ndisuio - ok
21:50:51.0671 3612 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:50:51.0671 3612 NdisWan - ok
21:50:51.0734 3612 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
21:50:51.0734 3612 NDProxy - ok
21:50:51.0765 3612 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
21:50:51.0765 3612 NetBIOS - ok
21:50:51.0796 3612 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
21:50:51.0796 3612 NetBT - ok
21:50:51.0843 3612 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
21:50:51.0843 3612 NetDDE - ok
21:50:51.0859 3612 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
21:50:51.0875 3612 NetDDEdsdm - ok
21:50:51.0921 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
21:50:51.0937 3612 Netlogon - ok
21:50:51.0984 3612 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
21:50:51.0984 3612 Netman - ok
21:50:52.0046 3612 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:50:52.0062 3612 NetTcpPortSharing - ok
21:50:52.0109 3612 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:50:52.0109 3612 NIC1394 - ok
21:50:52.0171 3612 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
21:50:52.0187 3612 Nla - ok
21:50:52.0234 3612 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
21:50:52.0234 3612 Npfs - ok
21:50:52.0296 3612 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
21:50:52.0328 3612 Ntfs - ok
21:50:52.0359 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
21:50:52.0359 3612 NtLmSsp - ok
21:50:52.0421 3612 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
21:50:52.0453 3612 NtmsSvc - ok
21:50:52.0484 3612 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
21:50:52.0484 3612 Null - ok
21:50:52.0531 3612 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:50:52.0531 3612 NwlnkFlt - ok
21:50:52.0562 3612 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:50:52.0562 3612 NwlnkFwd - ok
21:50:52.0625 3612 [ 8B8B1BE2DBA4025DA6786C645F77F123 ] NwlnkIpx C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
21:50:52.0625 3612 NwlnkIpx - ok
21:50:52.0656 3612 [ 56D34A67C05E94E16377C60609741FF8 ] NwlnkNb C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
21:50:52.0656 3612 NwlnkNb - ok
21:50:52.0718 3612 [ C0BB7D1615E1ACBDC99757F6CEAF8CF0 ] NwlnkSpx C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
21:50:52.0718 3612 NwlnkSpx - ok
21:50:52.0828 3612 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
21:50:52.0843 3612 odserv - ok
21:50:52.0890 3612 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:50:52.0890 3612 ohci1394 - ok
21:50:52.0953 3612 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:50:52.0968 3612 ose - ok
21:50:53.0015 3612 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
21:50:53.0031 3612 Parport - ok
21:50:53.0078 3612 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
21:50:53.0078 3612 PartMgr - ok
21:50:53.0140 3612 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
21:50:53.0140 3612 ParVdm - ok
21:50:53.0187 3612 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
21:50:53.0203 3612 PCI - ok
21:50:53.0218 3612 PCIDump - ok
21:50:53.0250 3612 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\drivers\PCIIde.sys
21:50:53.0250 3612 PCIIde - ok
21:50:53.0281 3612 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:50:53.0296 3612 Pcmcia - ok
21:50:53.0312 3612 PDCOMP - ok
21:50:53.0328 3612 PDFRAME - ok
21:50:53.0359 3612 PDRELI - ok
21:50:53.0375 3612 PDRFRAME - ok
21:50:53.0390 3612 perc2 - ok
21:50:53.0421 3612 perc2hib - ok
21:50:53.0515 3612 [ E1653A632F878E353399B96F2CEF6570 ] PersonalSecureDrive C:\WINDOWS\System32\drivers\psd.sys
21:50:53.0515 3612 PersonalSecureDrive - ok
21:50:53.0625 3612 [ 2705BD86D5A1FA46755BCC48C5BE0F18 ] PersonalSecureDriveService C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
21:50:53.0625 3612 PersonalSecureDriveService - ok
21:50:53.0671 3612 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
21:50:53.0671 3612 PlugPlay - ok
21:50:53.0734 3612 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
21:50:53.0734 3612 Pml Driver HPZ12 - ok
21:50:53.0765 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
21:50:53.0765 3612 PolicyAgent - ok
21:50:53.0828 3612 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:50:53.0828 3612 PptpMiniport - ok
21:50:53.0859 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
21:50:53.0859 3612 ProtectedStorage - ok
21:50:53.0890 3612 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
21:50:53.0890 3612 PSched - ok
21:50:53.0937 3612 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:50:53.0937 3612 Ptilink - ok
21:50:53.0968 3612 [ 153D02480A0A2F45785522E814C634B6 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:50:53.0968 3612 PxHelp20 - ok
21:50:54.0000 3612 ql1080 - ok
21:50:54.0015 3612 Ql10wnt - ok
21:50:54.0046 3612 ql12160 - ok
21:50:54.0062 3612 ql1240 - ok
21:50:54.0093 3612 ql1280 - ok
21:50:54.0109 3612 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:50:54.0109 3612 RasAcd - ok
21:50:54.0156 3612 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
21:50:54.0156 3612 RasAuto - ok
21:50:54.0234 3612 [ 0207D26DDF796A193CCD9F83047BB5FC ] Rasirda C:\WINDOWS\system32\DRIVERS\rasirda.sys
21:50:54.0234 3612 Rasirda - ok
21:50:54.0265 3612 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:50:54.0265 3612 Rasl2tp - ok
21:50:54.0296 3612 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
21:50:54.0312 3612 RasMan - ok
21:50:54.0328 3612 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:50:54.0343 3612 RasPppoe - ok
21:50:54.0359 3612 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
21:50:54.0359 3612 Raspti - ok
21:50:54.0453 3612 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:50:54.0468 3612 Rdbss - ok
21:50:54.0531 3612 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:50:54.0531 3612 RDPCDD - ok
21:50:54.0593 3612 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:50:54.0609 3612 rdpdr - ok
21:50:54.0703 3612 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
21:50:54.0703 3612 RDPWD - ok
21:50:54.0765 3612 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
21:50:54.0781 3612 RDSessMgr - ok
21:50:54.0812 3612 [ B2B72A56945312EE15A047ED44801090 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
21:50:54.0812 3612 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: B2B72A56945312EE15A047ED44801090, Fake md5: F828DD7E1419B6653894A8F97A0094C5
21:50:54.0828 3612 redbook ( Virus.Win32.ZAccess.aml ) - infected
21:50:54.0828 3612 redbook - detected Virus.Win32.ZAccess.aml (0)
21:50:54.0890 3612 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
21:50:54.0890 3612 RemoteAccess - ok
21:50:54.0921 3612 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
21:50:54.0937 3612 RemoteRegistry - ok
21:50:54.0984 3612 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
21:50:55.0000 3612 RpcLocator - ok
21:50:55.0046 3612 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
21:50:55.0062 3612 RpcSs - ok
21:50:55.0109 3612 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
21:50:55.0125 3612 RSVP - ok
21:50:55.0156 3612 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
21:50:55.0156 3612 SamSs - ok
21:50:55.0203 3612 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
21:50:55.0203 3612 SCardSvr - ok
21:50:55.0234 3612 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
21:50:55.0250 3612 Schedule - ok
21:50:55.0312 3612 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
21:50:55.0312 3612 sdbus - ok
21:50:55.0359 3612 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:50:55.0375 3612 Secdrv - ok
21:50:55.0406 3612 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
21:50:55.0421 3612 seclogon - ok
21:50:55.0500 3612 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
21:50:55.0531 3612 SENS - ok
21:50:55.0578 3612 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] Serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
21:50:55.0609 3612 Serenum - ok
21:50:55.0656 3612 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
21:50:55.0687 3612 Serial - ok
21:50:55.0765 3612 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
21:50:55.0765 3612 Sfloppy - ok
21:50:55.0828 3612 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
21:50:55.0828 3612 ShellHWDetection - ok
21:50:55.0859 3612 Simbad - ok
21:50:55.0968 3612 [ F07AF60B152221472FBDB2FECEC4896D ] SkypeUpdate C:\Program Files\Skype\Updater\Updater.exe
21:50:55.0984 3612 SkypeUpdate - ok
21:50:56.0062 3612 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:50:56.0062 3612 SLIP - ok
21:50:56.0093 3612 [ 707647A1AA0EDB6CBEF61B0C75C28ED3 ] SMCIRDA C:\WINDOWS\system32\DRIVERS\smcirda.sys
21:50:56.0093 3612 SMCIRDA - ok
21:50:56.0171 3612 [ 1319EA66A96250D59665D133C0FF7CD0 ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
21:50:56.0187 3612 smwdm - ok
21:50:56.0843 3612 [ 11BB0E11D42CC3A43D741D9B30839BE1 ] SNPSTD3 C:\WINDOWS\system32\DRIVERS\snpstd3.sys
21:50:57.0390 3612 SNPSTD3 - ok
21:50:57.0484 3612 [ 3978F082274F723AD5A0A8058C2417DD ] SoundMAX Agent Service (default) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
21:50:57.0484 3612 SoundMAX Agent Service (default) - ok
21:50:57.0500 3612 Sparrow - ok
21:50:57.0562 3612 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
21:50:57.0562 3612 splitter - ok
21:50:57.0640 3612 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
21:50:57.0640 3612 Spooler - ok
21:50:57.0687 3612 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
21:50:57.0687 3612 sr - ok
21:50:57.0750 3612 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
21:50:57.0750 3612 srservice - ok
21:50:57.0843 3612 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
21:50:57.0859 3612 Srv - ok
21:50:57.0890 3612 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
21:50:57.0906 3612 SSDPSRV - ok
21:50:57.0984 3612 [ A9573045BAA16EAB9B1085205B82F1ED ] StillCam C:\WINDOWS\system32\DRIVERS\serscan.sys
21:50:57.0984 3612 StillCam - ok
21:50:58.0062 3612 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
21:50:58.0093 3612 stisvc - ok
21:50:58.0125 3612 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:50:58.0125 3612 streamip - ok
21:50:58.0171 3612 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
21:50:58.0171 3612 swenum - ok
21:50:58.0203 3612 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
21:50:58.0203 3612 swmidi - ok
21:50:58.0250 3612 SwPrv - ok
21:50:58.0281 3612 symc810 - ok
21:50:58.0312 3612 symc8xx - ok
21:50:58.0328 3612 sym_hi - ok
21:50:58.0359 3612 sym_u3 - ok
21:50:58.0437 3612 [ 0F332C0BA9B968EBC8CBB906416F8597 ] SynTP C:\WINDOWS\system32\DRIVERS\SynTP.sys
21:50:58.0546 3612 SynTP - ok
21:50:58.0578 3612 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
21:50:58.0593 3612 sysaudio - ok
21:50:58.0656 3612 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
21:50:58.0671 3612 SysmonLog - ok
21:50:58.0750 3612 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
21:50:58.0781 3612 TapiSrv - ok
21:50:58.0843 3612 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:50:58.0859 3612 Tcpip - ok
21:50:58.0890 3612 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
21:50:58.0890 3612 TDPIPE - ok
21:50:58.0921 3612 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
21:50:58.0921 3612 TDTCP - ok
21:50:58.0968 3612 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
21:50:58.0968 3612 TermDD - ok
21:50:59.0062 3612 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
21:50:59.0078 3612 TermService - ok
21:50:59.0109 3612 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
21:50:59.0125 3612 Themes - ok
21:50:59.0187 3612 [ 0EDC3CF7B38F4260EB006C38E4A44DE4 ] tifm21 C:\WINDOWS\system32\drivers\tifm21.sys
21:50:59.0203 3612 tifm21 - ok
21:50:59.0234 3612 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
21:50:59.0250 3612 TlntSvr - ok
21:50:59.0265 3612 TosIde - ok
21:50:59.0312 3612 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
21:50:59.0312 3612 TrkWks - ok
21:50:59.0359 3612 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
21:50:59.0390 3612 Udfs - ok
21:50:59.0421 3612 ultra - ok
21:50:59.0484 3612 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
21:50:59.0515 3612 Update - ok
21:50:59.0562 3612 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
21:50:59.0578 3612 upnphost - ok
21:50:59.0609 3612 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
21:50:59.0609 3612 UPS - ok
21:50:59.0656 3612 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
21:50:59.0656 3612 usbaudio - ok
21:50:59.0703 3612 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:50:59.0718 3612 usbccgp - ok
21:50:59.0765 3612 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:50:59.0765 3612 usbehci - ok
21:50:59.0796 3612 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:50:59.0796 3612 usbhub - ok
21:50:59.0843 3612 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:50:59.0843 3612 usbprint - ok
21:50:59.0875 3612 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:50:59.0875 3612 usbscan - ok
21:50:59.0906 3612 [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:50:59.0921 3612 usbstor - ok
21:50:59.0953 3612 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:50:59.0953 3612 usbuhci - ok
21:51:00.0015 3612 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
21:51:00.0031 3612 usbvideo - ok
21:51:00.0093 3612 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
21:51:00.0093 3612 VgaSave - ok
21:51:00.0125 3612 ViaIde - ok
21:51:00.0171 3612 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
21:51:00.0171 3612 VolSnap - ok
21:51:00.0218 3612 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
21:51:00.0234 3612 VSS - ok
21:51:00.0390 3612 [ A22ABD73E0D6BA666CBA4E86EEB001B3 ] w29n51 C:\WINDOWS\system32\DRIVERS\w29n51.sys
21:51:00.0500 3612 w29n51 - ok
21:51:00.0546 3612 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
21:51:00.0562 3612 W32Time - ok
21:51:00.0609 3612 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:51:00.0609 3612 Wanarp - ok
21:51:00.0656 3612 [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:51:00.0703 3612 Wdf01000 - ok
21:51:00.0718 3612 WDICA - ok
21:51:00.0796 3612 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
21:51:00.0796 3612 wdmaud - ok
21:51:00.0828 3612 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
21:51:00.0828 3612 WebClient - ok
21:51:00.0937 3612 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
21:51:00.0937 3612 winmgmt - ok
21:51:01.0046 3612 [ 18F347402DA544A780949B8FDF83351B ] WinRM C:\WINDOWS\system32\WsmSvc.dll
21:51:01.0125 3612 WinRM - ok
21:51:01.0218 3612 [ DC2111B884AC9E942939E70869511526 ] wisdpen C:\WINDOWS\system32\DRIVERS\wisdpen.sys
21:51:01.0234 3612 wisdpen - ok
21:51:01.0390 3612 [ D9250B31B353EE3322C1CAD411997E38 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
21:51:01.0500 3612 wlidsvc - ok
21:51:01.0593 3612 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
21:51:01.0593 3612 WmdmPmSN - ok
21:51:01.0671 3612 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
21:51:01.0718 3612 Wmi - ok
21:51:01.0781 3612 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:51:01.0781 3612 WmiAcpi - ok
21:51:01.0843 3612 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:51:01.0859 3612 WmiApSrv - ok
21:51:01.0953 3612 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
21:51:02.0000 3612 WMPNetworkSvc - ok
21:51:02.0093 3612 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:51:02.0093 3612 WpdUsb - ok
21:51:02.0156 3612 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:51:02.0156 3612 WS2IFSL - ok
21:51:02.0171 3612 WSearch - ok
21:51:02.0234 3612 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:51:02.0234 3612 WSTCODEC - ok
21:51:02.0296 3612 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:51:02.0296 3612 WudfPf - ok
21:51:02.0375 3612 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:51:02.0375 3612 WudfRd - ok
21:51:02.0406 3612 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
21:51:02.0421 3612 WudfSvc - ok
21:51:02.0500 3612 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
21:51:02.0531 3612 WZCSVC - ok
21:51:02.0593 3612 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
21:51:02.0609 3612 xmlprov - ok
21:51:02.0656 3612 ================ Scan global ===============================
21:51:02.0718 3612 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
21:51:02.0796 3612 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
21:51:02.0843 3612 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
21:51:02.0875 3612 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
21:51:02.0875 3612 [Global] - ok
21:51:02.0890 3612 ================ Scan MBR ==================================
21:51:02.0906 3612 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
21:51:03.0328 3612 \Device\Harddisk0\DR0 - ok
21:51:03.0328 3612 ================ Scan VBR ==================================
21:51:03.0343 3612 [ ABDFD526BAA23B87BFB5BE57E6952AAC ] \Device\Harddisk0\DR0\Partition1
21:51:03.0343 3612 \Device\Harddisk0\DR0\Partition1 - ok
21:51:03.0359 3612 ============================================================
21:51:03.0359 3612 Scan finished
21:51:03.0359 3612 ============================================================
21:51:03.0390 3676 Detected object count: 1
21:51:03.0390 3676 Actual detected object count: 1
21:51:11.0890 3676 C:\WINDOWS\system32\DRIVERS\redbook.sys - copied to quarantine
21:51:13.0390 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\@ - copied to quarantine
21:51:13.0390 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\Desktop.ini - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\L\00000004.@ - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\L\201d3dde - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\L\kzmvsnom - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\00000004.@ - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\00000008.@ - copied to quarantine
21:51:13.0406 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\000000cb.@ - copied to quarantine
21:51:13.0421 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\80000000.@ - copied to quarantine
21:51:13.0421 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\80000032.@ - copied to quarantine
21:51:16.0687 3676 Backup copy found, using it..
21:51:16.0687 3676 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot
21:51:16.0796 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\@ - will be deleted on reboot
21:51:16.0796 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\Desktop.ini - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\00000004.@ - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\00000008.@ - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\000000cb.@ - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\80000000.@ - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\3833121974\U\80000032.@ - will be deleted on reboot
21:51:16.0812 3676 C:\WINDOWS\$NtUninstallKB10446$\4066220319 - will be deleted on reboot
21:51:16.0812 3676 redbook ( Virus.Win32.ZAccess.aml ) - User select action: Cure
21:51:45.0718 4084 Deinitialize success


21:54:06.0171 2452 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
21:54:06.0859 2452 ============================================================
21:54:06.0859 2452 Current date / time: 2013/01/31 21:54:06.0859
21:54:06.0859 2452 SystemInfo:
21:54:06.0859 2452
21:54:06.0859 2452 OS Version: 5.1.2600 ServicePack: 3.0
21:54:06.0859 2452 Product type: Workstation
21:54:06.0859 2452 ComputerName: CND6220870
21:54:06.0859 2452 UserName: DerochaWS1
21:54:06.0859 2452 Windows directory: C:\WINDOWS
21:54:06.0859 2452 System windows directory: C:\WINDOWS
21:54:06.0859 2452 Processor architecture: Intel x86
21:54:06.0859 2452 Number of processors: 1
21:54:06.0859 2452 Page size: 0x1000
21:54:06.0859 2452 Boot type: Normal boot
21:54:06.0859 2452 ============================================================
21:54:13.0171 2452 BG loaded
21:54:14.0484 2452 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2861, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
21:54:14.0578 2452 ============================================================
21:54:14.0593 2452 \Device\Harddisk0\DR0:
21:54:14.0593 2452 MBR partitions:
21:54:14.0609 2452 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x950E800
21:54:14.0609 2452 ============================================================
21:54:15.0218 2452 C: <-> \Device\Harddisk0\DR0\Partition1
21:54:15.0234 2452 ============================================================
21:54:15.0234 2452 Initialize success
21:54:15.0234 2452 ============================================================
21:54:44.0953 2368 Deinitialize success


I next ran the Malwarebytes software...nothing was found. Here is the log:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.01.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
DerochaWS1 :: CND6220870 [administrator]

1/31/2013 10:02:38 PM
mbam-log-2013-01-31 (22-02-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 226889
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I then ran OTL, but encountered a problem... when attempting to run as an administrator I didn't know the password. This cpu was set up via my school, was passed on to me upon graduating, but I never received the admin password. I believe though that my normal non-password account has full rights like an admin, so I ran OTL as directed via that. Upon completion of the scan, OTL said it couldn't locate the OTL.txt or Extras.txt files on my desktop and asked if I wanted to make new ones. I selected yes, but then it brought up two "unknown" notepad windows, and both were blank. Therefore I don't have the reports/logs for OTL...sorry.

Thank you again for the help. My cpu is running okay at the moment between screens, chrome is better although still slow. I await the next step.

#7 thisisu
  • Malware Response Team
  • 2,103 posts
  • Gender:Male
  • Location:USA

Posted 01 February 2013 - 04:09 PM

Please download RogueKiller to your desktop.
  • Double-click RogueKiller.exe to run.
  • When it opens, press the Scan button.
  • Now you can exit out of RogueKiller without making any changes.
  • Please post the contents of the new log created on your desktop.
  • It should be named similar to: RKreport[1]_S_02012013_02d1508.txt

__

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Edited by thisisu, 01 February 2013 - 04:10 PM.


#8 billiam864
  • Topic Starter
  • Members
  • 67 posts

Posted 03 February 2013 - 12:40 PM

My apologies for taking so long to respond...I have been travelling.

Here are the logs of the two scans. RogueKiller found a couple things:

RogueKiller V8.4.4 [Feb 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : DerochaWS1 [Admin rights]
Mode : Scan -- Date : 02/03/2013 12:19:05
| ARK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-6abb558852cc7fbf9b33022fe7d68612.dll -> UNLOADED
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\pl-6abb558852cc7fbf9b33022fe7d68612.dll -> UNLOADED

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHV2080AH +++++
--- User ---
[MBR] 3ffaae901a9ea3aabcec5073d7e80f60
[BSP] a727796630ae0bb76de34e6b196a4fb0 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 76317 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02032013_02d1219.txt >>
RKreport[1]_S_02032013_02d1219.txt



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.2 (02.02.2013:2)
OS: Microsoft Windows XP x86
Ran by DerochaWS1 on Sun 02/03/2013 at 12:22:42.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 02/03/2013 at 12:35:35.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#9 thisisu
  • Malware Response Team
  • 2,103 posts
  • Gender:Male
  • Location:USA

Posted 04 February 2013 - 03:36 PM

Download SystemLook from one of the links below and save it to your desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy and Paste the content of the following code box into the main text-field:
:file
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
c:\windows\system32\drivers\dkzuusaq.sys
c:\windows\system32\drivers\xqqbwwmu.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
  • Post the contents of SystemLook.txt into your next message.


#10 billiam864
  • Topic Starter
  • Members
  • 67 posts

Posted 04 February 2013 - 04:53 PM

Here is the log, thanks:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:51 on 04/02/2013 by DerochaWS1
Administrator - Elevation successful

========== file ==========

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe - Unable to find/read file.

c:\windows\system32\drivers\dkzuusaq.sys - File found and opened.
MD5: 4ADB3D6DF9EFA43B88AA2B001BBC4D5B
Created at 17:27 on 14/12/2012
Modified at 17:27 on 14/12/2012
Size: 43600 bytes
Attributes: --a----
FileDescription: Boot Time Removal Tool
FileVersion: 1.1.0020.0
ProductVersion: 1.1.0020.0
OriginalFilename: BTR.sys
InternalName: BootTimeRemoval
ProductName: Microsoft Malware Protection
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\drivers\xqqbwwmu.sys - File found and opened.
MD5: F828DD7E1419B6653894A8F97A0094C5
Created at 17:26 on 14/12/2012
Modified at 17:26 on 14/12/2012
Size: 57600 bytes
Attributes: --a----
FileDescription: Redbook Audio Filter Driver
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
ProductVersion: 5.1.2600.5512
OriginalFilename: redbook.sys
InternalName: redbook.sys
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
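The SystemLook output above lines up with the earlier TDSSKiller detection: the hash TDSSKiller reported as redbook.sys's "Fake md5" (F828DD7E...) is exactly the MD5 SystemLook shows for the randomly named xqqbwwmu.sys, whose version info says OriginalFilename redbook.sys. The script below is an added example (my code, not TDSSKiller's or SystemLook's) that parses trimmed copies of both logs from this thread and reports that correlation plus any file whose on-disk name differs from its OriginalFilename; it assumes TDSSKiller's "Fake md5" is the hash of the clean driver the rootkit presents, and its regexes are written for the log shapes shown here.

```python
# Correlate a TDSSKiller 'Forged' detection with SystemLook ':file' output.
# Added example for this thread, not code from TDSSKiller or SystemLook;
# the two log excerpts are trimmed copies of the logs posted in the thread.
import ntpath
import re
from dataclasses import dataclass, field

TDSS_LOG = r"""
21:50:54.0812 3612 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: B2B72A56945312EE15A047ED44801090, Fake md5: F828DD7E1419B6653894A8F97A0094C5
21:50:54.0828 3612 redbook ( Virus.Win32.ZAccess.aml ) - infected
"""

SYSTEMLOOK_LOG = r"""
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe - Unable to find/read file.

c:\windows\system32\drivers\dkzuusaq.sys - File found and opened.
MD5: 4ADB3D6DF9EFA43B88AA2B001BBC4D5B
FileDescription: Boot Time Removal Tool
OriginalFilename: BTR.sys

c:\windows\system32\drivers\xqqbwwmu.sys - File found and opened.
MD5: F828DD7E1419B6653894A8F97A0094C5
FileDescription: Redbook Audio Filter Driver
OriginalFilename: redbook.sys

-= EOF =-
"""

FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9A-Fa-f]{32}), Fake md5: (?P<fake>[0-9A-Fa-f]{32})")
INFECTED_RE = re.compile(r"^\S+ \d+ (?P<svc>\S+) \( (?P<det>[^)]+) \) - infected$")
FOUND_RE = re.compile(r"^(?P<path>.+) - File found and opened\.$")
MISSING_RE = re.compile(r"^(?P<path>.+) - Unable to find/read file\.$")

@dataclass
class Forged:
    path: str
    real_md5: str  # hash of the bytes actually on disk (the infected driver)
    fake_md5: str  # hash the file appears to have when read the normal way (assumed clean original)
    detection: str = ""

@dataclass
class FileInfo:
    path: str
    found: bool
    fields: dict = field(default_factory=dict)

def parse_tdsskiller(text):
    # Collect Forged entries and attach the detection name reported for the service.
    forged, detections = [], {}
    for line in text.splitlines():
        if m := FORGED_RE.search(line):
            forged.append(Forged(m["path"], m["real"].upper(), m["fake"].upper()))
        elif m := INFECTED_RE.match(line):
            detections[m["svc"].lower()] = m["det"]
    for f in forged:  # service name == driver file stem in this log (redbook / redbook.sys)
        stem = ntpath.splitext(ntpath.basename(f.path))[0].lower()
        f.detection = detections.get(stem, "")
    return forged

def parse_systemlook(text):
    # ':file' section: one header line per file, then 'Key: value' lines until a blank line.
    files, current = [], None
    for line in text.splitlines():
        if m := FOUND_RE.match(line):
            current = FileInfo(m["path"], True)
            files.append(current)
        elif m := MISSING_RE.match(line):
            files.append(FileInfo(m["path"], False))
            current = None
        elif current and ": " in line:
            key, value = line.split(": ", 1)
            current.fields[key] = value.strip()
    return files

def correlate(forged, files):
    # Returns (kind, file, related) triples that deserve a human look.
    findings = []
    for fi in (f for f in files if f.found):
        md5 = fi.fields.get("MD5", "").upper()
        for f in forged:
            if md5 == f.fake_md5:
                # Same hash the forged driver pretends to have: a copy of the clean original.
                findings.append(("expected-hash copy", fi.path, f.path))
        orig = fi.fields.get("OriginalFilename", "")
        if orig and orig.lower() != ntpath.basename(fi.path).lower():
            # Random on-disk name carrying another binary's version info; review it.
            findings.append(("name mismatch", fi.path, orig))
    return findings
```

Run against these excerpts it flags xqqbwwmu.sys as the expected-hash copy of redbook.sys and reports both random-named drivers as name mismatches; dkzuusaq.sys is Microsoft's Boot Time Removal tool per its version info, so a mismatch is only a prompt to look, not a verdict.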

#11 thisisu
  • Malware Response Team
  • 2,103 posts
  • Gender:Male
  • Location:USA

Posted 04 February 2013 - 04:55 PM

Hi,

Your system appears clean to me. Are there any problems at your end that you are experiencing?

Please rescan with DDS and post the contents of the latest DDS.txt for review.

Edited by thisisu, 04 February 2013 - 04:57 PM.


#12 billiam864
  • Topic Starter
  • Members
  • 67 posts

Posted 04 February 2013 - 05:10 PM

Well, it appears my computer is running better than before. However, I still have all those movie files...fooling my cpu into thinking there are now over 780 gigs being taken up on my 80gig HD. I thus far have not been able to delete these files. I am concerned that the 780 gig # has increased since before... Suggestions?

#13 thisisu
  • Malware Response Team
  • 2,103 posts
  • Gender:Male
  • Location:USA

Posted 04 February 2013 - 05:44 PM

What's the folder / path of the movie files?

#14 billiam864
  • Topic Starter
  • Members
  • 67 posts

Posted 05 February 2013 - 01:15 AM

From my 2nd post, here is the info:

"In my C:, Docs and Settings, All Users, Application Data, Microsoft, Media Tools, plugins, media hash, downloads

I found 700gigs + of movies...loads and loads of movie files. My laptop only has an 80gig hd, so I'm assuming this is not actually on my hard drive. I have never seen or downloaded these movies, some of them are brand new (just came out). I tried to move one to my desktop to see if I could play it, see if it is a genuine movie file. My cpu recognized it as an avi file, but VLC won't play it claiming it is undf.

I believe this to be a recent occurrence, as I ran the same cpu scan in December and didn't find all these files, although it may have been starting then, explaining my past issues. When running it yesterday suddenly there was an extra several hundred gigs of files I hadn't noticed. I believe this might be what has caused my cpu to run slowly recently."

#15 thisisu
  • Malware Response Team
  • 2,103 posts
  • Gender:Male
  • Location:USA

Posted 05 February 2013 - 03:17 PM

Open SystemLook

  • Double-click SystemLook.exe to run it.
  • Copy and Paste the content of the following code box into the main text-field:
:dir
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\media hash\downloads /s 
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
  • Attach the SystemLook.txt file into your next message.

Edited by thisisu, 05 February 2013 - 03:18 PM.




