
Trojan.ZeroAccess Damage ?


This topic is locked
27 replies to this topic

#1 ZeeAcc (Members, 15 posts)

Posted 27 August 2013 - 04:50 AM

Hi.  I have a WinXP Pro SP3 system that appears to have been damaged by an attempted Trojan.ZeroAccess infection at the user level.  WinXP has the latest updates installed.  The Symantec antivirus definitions are up to date.  I have the latest version of ZoneAlarm Free running on the PC.  The partial infection appeared to be as documented by SophosLabs on July 31 2013 on http://nakedsecurity.sophos.com/2013/07/31/zeroaccess-malware-revisited-new-version-yet-more-devious/.

When I logged in to the affected user, Symantec antivirus identified Trojan.ZeroAccess and quarantined / cleaned the infection several times. I take this to be the trojan trying repeatedly to install itself.  Symantec’s "Fix ZeroAccess" tool did not find any infection.  I removed the files and folders under C:\Documents and settings\username\local settings\application data\google\desktop\install\{....}\...\.  The folders were U and L. The programs were "@" and "GoogleUpdate.exe".  I did not find these files and folders in the "Program Files" folder.  When attempting to uninstall Google Earth (the only real Google product on the PC), the uninstall box included unprintable characters, so I cancelled the uninstall and attempted to remove as much as possible manually (assuming that the uninstall had been compromised).  Windows Security Centre reports that there is no firewall running (but ZoneAlarm allows me to stop all internet traffic and also appears to trap other outgoing requests). It also reports no antivirus protection running (but Symantec appears to have blocked the ZeroAccess installs and can still run system scans, scan emails, etc). I take these issues to be damage done by the ZeroAccess installation attempts.

I ran the Sophos Virus Removal Tool and it found Mal/Zbot-FG and removed the file 01374979340681.exe from C:\Documents and settings\username\local settings\temp\.

I ran sfc.exe with the Windows CD and then Windows Update to try and fix any damaged system files.

I ran Malwarebytes Anti-Malware and found nothing.

Windows Security Centre still tells me that I have no firewall or antivirus running (these were being detected prior to the infection), while these are both still running and appear to be fully active.  

I would appreciate it if someone could advise how to fix this problem (I believe that ZeroAccess attempts to defeat defensive applications such as firewalls and antivirus).


DDS.txt Log:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 19:27:03 on 2013-08-27
.
============== Running Processes ================
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://192.168.1.1:81/cgi-bin/index.cgi
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office 2007\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1376300263703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4C5DAD96-1AB7-4346-A011-690B945024D5} : NameServer = 192.168.1.1
TCP: Interfaces\{C0AF0CB0-2979-4930-80EB-0FBEAF4943BC} : NameServer = 192.168.1.1
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-08-12 23:10:23 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2013-08-12 23:09:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-08-12 23:09:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-12 23:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-12 11:38:52 -------- d-----w- c:\documents and settings\admin\local settings\application data\ApplicationHistory
2013-08-12 10:56:48 -------- d-----w- c:\windows\system32\winrm
2013-08-12 10:56:48 -------- d-----w- c:\windows\system32\GroupPolicy
2013-08-12 10:56:44 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-08-12 10:56:16 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-08-12 10:56:02 -------- d-----w- c:\program files\Windows Media Connect 2
2013-08-12 10:53:52 -------- d-----w- c:\windows\system32\LogFiles
2013-08-12 10:51:33 -------- d-----w- c:\windows\system32\URTTEMP
2013-08-12 08:16:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-08-12 08:16:26 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-08-12 08:16:25 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-08-12 08:16:22 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-08-12 08:16:18 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-08-12 08:15:55 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-08-12 08:15:51 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-08-12 08:15:50 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-08-12 08:15:46 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-08-12 08:15:32 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2013-08-12 08:15:30 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2013-08-12 08:15:26 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2013-08-12 08:15:16 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2013-08-12 08:15:11 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2013-08-12 08:15:06 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2013-08-12 08:15:00 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2013-08-12 08:15:00 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2013-08-12 08:13:58 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2013-08-12 08:12:57 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2013-08-12 08:11:59 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2013-08-12 08:10:54 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2013-08-12 08:09:56 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2013-08-12 08:08:59 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2013-08-12 08:07:59 40960 -c--a-w- c:\windows\system32\dllcache\sisagp.sys
2013-08-12 08:06:58 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2013-08-12 08:05:59 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2013-08-12 08:04:59 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2013-08-12 08:03:57 92416 -c--a-w- c:\windows\system32\dllcache\phildec.sys
2013-08-12 08:02:58 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2013-08-12 08:01:59 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2013-08-12 08:00:57 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2013-08-12 07:59:59 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2013-08-12 07:59:51 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2013-08-12 07:59:43 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2013-08-12 07:59:40 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2013-08-12 07:59:33 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-08-12 07:59:27 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2013-08-12 07:59:24 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2013-08-12 07:59:22 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2013-08-12 07:59:20 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2013-08-12 07:59:16 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2013-08-12 07:59:11 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2013-08-12 07:59:05 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2013-08-12 07:59:01 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2013-08-12 07:57:45 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2013-08-12 07:57:41 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2013-08-12 07:57:36 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-08-12 07:57:26 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2013-08-12 07:57:24 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2013-08-12 07:57:21 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2013-08-12 07:57:18 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2013-08-12 07:57:12 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2013-08-12 07:57:09 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2013-08-12 07:57:07 46592 -c--a-w- c:\windows\system32\dllcache\irbus.sys
2013-08-12 07:57:01 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2013-08-12 07:55:58 100936 -c--a-w- c:\windows\system32\dllcache\ibmtok.sys
2013-08-12 07:54:58 67167 -c--a-w- c:\windows\system32\dllcache\hsf_bsc2.sys
2013-08-12 07:53:59 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2013-08-12 07:52:59 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2013-08-12 07:51:56 19996 -c--a-w- c:\windows\system32\dllcache\em556n4.sys
2013-08-12 07:50:59 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2013-08-12 07:49:57 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2013-08-12 07:48:43 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-08-12 07:47:59 70528 -c--a-w- c:\windows\system32\dllcache\atiragem.sys
2013-08-12 07:46:59 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2013-08-12 01:14:58 -------- d-----w- c:\windows\system32\MRT
2013-08-08 01:40:13 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2013-08-08 01:40:08 73728 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-08 01:40:08 73728 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-08 01:40:08 73728 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2013-08-08 01:39:54 -------- d-----w- c:\program files\Sophos
2013-08-05 07:45:32 -------- d--h--w- c:\windows\PIF
2013-08-05 07:02:38 -------- d-----w- c:\documents and settings\all users\application data\Norton
2013-08-05 07:02:38 -------- d-----w- c:\documents and settings\admin\local settings\application data\NPE
2013-08-03 03:28:41 -------- d-----w- c:\documents and settings\admin\application data\FixZeroAccess
.
==================== Find3M  ====================
.
2013-08-03 00:18:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-03 00:18:35 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
2013-06-04 07:23:02 562688 ------w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ------w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:28:10.00 ===============
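An added example, not part of ZeeAcc's post and not code from the DDS tool, Sophos or Symantec: a short Python script that re-reads a saved DDS log offline and flags exactly the indicators the post describes. Those are the user-level ZeroAccess drop under Local Settings\Application Data\Google\Desktop\Install\{GUID}\ with its U and L folders and the files "@" and GoogleUpdate.exe, and the all-digit .exe in Local Settings\Temp that the Sophos tool removed as Mal/Zbot-FG. The rule names, the path regex and the section handling are this example's own; in the embedded sample log the benign lines are copied from the log above, while the GUID, the folder name "x", the sizes and the timestamps of the infected-looking lines are constructed. It works unchanged on the re-run log posted later in the thread.

```python
"""Offline triage of a DDS log for the ZeroAccess / Zbot indicators in the post above.

Added example: not part of the post and not code from DDS, Sophos or Symantec.
Indicators taken from the post: ZeroAccess dropped under
<profile>\Local Settings\Application Data\Google\Desktop\Install\{GUID}\ with
folders U and L and files '@' and GoogleUpdate.exe; a Zbot dropper with an
all-digit name in Local Settings\Temp.  Rule names and regexes are my own.
"""
import re
from dataclasses import dataclass, field

# Absolute path ending in an executable-style extension, as DDS prints them in
# autostart lines such as:  mRun: [x] "c:\dir\x.exe" /arg   or  ...\NvCpl.dll,NvStartup
PATH_RE = re.compile(
    r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|lnk|com|scr|ocx|bat|cmd|pif))(?=$|"|\s|,|/)', re.I)
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Pseudo HJT Report ====="

# Directories a non-admin user can write to on XP (long and 8.3 forms as DDS prints them).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\", "\\temp\\")
# ZeroAccess user-mode drop directory, its U / L subfolders and payload names (from the post).
ZA_DIR = re.compile(r"\\google\\desktop\\install\\\{[0-9a-f-]{36}\}\\", re.I)
ZA_SUBDIR = re.compile(r"\\[ul]\\", re.I)
ZA_FILES = {"@", "googleupdate.exe"}
# Zbot-style dropper: an .exe whose name is only digits, sitting in a Temp directory.
TEMP_DROPPER = re.compile(r"\\temp\\\d{8,}\.exe$", re.I)


@dataclass
class Finding:
    section: str
    line: str
    path: str
    reasons: list = field(default_factory=list)


def assess(path, section):
    """Return the reasons a path deserves attention (empty list = nothing to report)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if ZA_DIR.search(p):
        reasons.append("ZeroAccess drop directory Google\\Desktop\\Install\\{GUID}")
        if ZA_SUBDIR.search(p):
            reasons.append("ZeroAccess U/L subfolder")
        if name in ZA_FILES:
            reasons.append(f"ZeroAccess payload name '{name}'")
    if TEMP_DROPPER.search(p):
        reasons.append("all-digit .exe in Temp (Zbot dropper pattern)")
    # Location alone only counts for autostarts and live processes: installers
    # (Malwarebytes, Sophos) legitimately create files under Application Data.
    if section in ("Pseudo HJT Report", "Running Processes") and any(w in p for w in USER_WRITABLE):
        reasons.append("autostart/process from a user-writable location")
    return reasons


def triage(dds_text):
    """Walk the DDS sections and return a Finding for every suspicious path."""
    findings, section = [], ""
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section in ("Created Last 30", "Find3M"):
            parts = line.split(None, 4)           # date time size attrs path
            path = parts[4] if len(parts) == 5 else ""
        else:
            hits = PATH_RE.findall(line)          # for StartupFolder lines the
            path = hits[-1] if hits else ""       # last path is the real target
        reasons = assess(path, section) if path else []
        if reasons:
            findings.append(Finding(section, line, path, reasons))
    return findings


def flagged_paths(dds_text):
    return {f.path.lower() for f in triage(dds_text)}


# Constructed sample: benign lines copied from the log in the post, plus four lines
# built to look like the infection it describes.  GUID, folder "x", sizes and
# timestamps are invented; the Temp filename is the one Sophos removed.
SAMPLE = r"""
============== Running Processes ================
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\username\Local Settings\Application Data\Google\Desktop\Install\{00000000-0000-0000-0000-000000000000}\x\U\GoogleUpdate.exe
============== Pseudo HJT Report ===============
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uRun: [GoogleUpdate] "c:\documents and settings\username\local settings\application data\google\desktop\install\{00000000-0000-0000-0000-000000000000}\x\U\GoogleUpdate.exe"
=============== Created Last 30 ================
2013-08-12 23:09:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-12 23:10:23 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2013-07-28 04:02:20 65536 ----a-w- c:\documents and settings\username\local settings\application data\google\desktop\install\{00000000-0000-0000-0000-000000000000}\x\L\@
2013-07-28 04:02:19 196608 ----a-w- c:\documents and settings\username\local settings\temp\01374979340681.exe
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for f in triage(text):
        print(f"[{f.section}] {f.path}\n    " + "\n    ".join(f.reasons))
```

Run it as `python dds_triage.py DDS.txt` against a saved log, or with no argument to see the constructed sample flagged. Entries with no absolute path (DPF .cab lines, `nwiz.exe /install`, the hxxp:// start page) are skipped, and created-file entries are judged on the ZeroAccess and Temp patterns only, because installers such as Malwarebytes and Sophos legitimately write under Application Data. Nothing in a log parser tells you why Windows Security Centre stopped seeing the firewall and antivirus; that needs to be checked separately on the machine.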
#2 HelpBot (Bleepin' Binary Bot, 10,047 posts)

Posted 01 September 2013 - 04:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/505770 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 ZeeAcc (Topic Starter, Members, 15 posts)

Posted 01 September 2013 - 11:11 PM

Hi, I've created new DDS logs and posted them here.  I do have the original WinXP Pro SP3 CD.

Thanks.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 13:55:49 on 2013-09-02
.
============== Running Processes ================
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://192.168.1.1:81/cgi-bin/index.cgi
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office 2007\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1376300263703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4C5DAD96-1AB7-4346-A011-690B945024D5} : NameServer = 192.168.1.1
TCP: Interfaces\{C0AF0CB0-2979-4930-80EB-0FBEAF4943BC} : NameServer = 192.168.1.1
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-08-12 23:10:23 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2013-08-12 23:09:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-08-12 23:09:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-12 23:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-12 11:38:52 -------- d-----w- c:\documents and settings\admin\local settings\application data\ApplicationHistory
2013-08-12 10:56:48 -------- d-----w- c:\windows\system32\winrm
2013-08-12 10:56:48 -------- d-----w- c:\windows\system32\GroupPolicy
2013-08-12 10:56:44 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-08-12 10:56:16 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-08-12 10:56:02 -------- d-----w- c:\program files\Windows Media Connect 2
2013-08-12 10:53:52 -------- d-----w- c:\windows\system32\LogFiles
2013-08-12 10:51:33 -------- d-----w- c:\windows\system32\URTTEMP
2013-08-12 08:16:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-08-12 08:16:26 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-08-12 08:16:25 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-08-12 08:16:22 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-08-12 08:16:18 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-08-12 08:15:55 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-08-12 08:15:51 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-08-12 08:15:50 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-08-12 08:15:46 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-08-12 08:15:32 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2013-08-12 08:15:30 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2013-08-12 08:15:26 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2013-08-12 08:15:16 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2013-08-12 08:15:11 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2013-08-12 08:15:06 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
#4 nasdaq

nasdaq

  • Malware Response Team
  • 20,431 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 September 2013 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with these scans.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters.
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • When it finishes, you will either see a report that no threats were found:
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window listing them:
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply the selected actions.
  • A reboot may be required to complete disinfection. A window will appear telling you so.
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run.
  • Paste the log into your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
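Added example (not code from this thread, from nasdaq or from Kaspersky's TDSSKiller): a small Python triage script for a TDSSKiller log in the format posted further down in this thread. It confirms the scan ran with the SigCheck and TDLFS options requested above, then separates objects that only failed the driver signature check (UnsignedFile.*, which the instructions say to Skip) from anything else TDSSKiller flagged, so it is obvious what a helper will be looking at. The SAMPLE_LOG inside it is constructed: the hashes are zero-padded placeholders and "Suspicious.Placeholder" is not a real TDSSKiller verdict.

```python
"""Triage a TDSSKiller log (added example; see lead-in for assumptions)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every TDSSKiller log line starts with "HH:MM:SS.mmmm <pid>  ".
_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
# "[ MD5 ] Name   C:\path" : the file backing a service or driver.
_FILE_RE = re.compile(_PREFIX + r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*)$")
# "Name ( Verdict ) - warning" : TDSSKiller flagged the object.
_FLAG_RE = re.compile(_PREFIX + r"(?P<name>.+?) \( (?P<verdict>[^)]+) \) - (?P<level>\S+)$")
# "Name - ok" : nothing found for this object.
_OK_RE = re.compile(_PREFIX + r"(?P<name>.+?) - ok$")
# "Mode: Manual; SigCheck; TDLFS;" : which scan options were enabled.
_MODE_RE = re.compile(_PREFIX + r"Mode: (?P<mode>.*)$")


@dataclass
class Finding:
    name: str
    verdict: str = ""
    level: str = ""
    md5: Optional[str] = None
    path: Optional[str] = None


@dataclass
class Triage:
    sigcheck: bool = False  # "Verify Driver Digital Signature" was ticked
    tdlfs: bool = False     # "Detect TDLFS file system" was ticked
    ok_count: int = 0
    unsigned: List[Finding] = field(default_factory=list)  # helper says: Skip
    review: List[Finding] = field(default_factory=list)    # helper decides


def triage(log_text: str) -> Triage:
    """Parse the log and bucket every object TDSSKiller did not report ok."""
    result = Triage()
    files: Dict[str, Finding] = {}  # latest "[ md5 ] name path" line per name
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = _MODE_RE.match(line)
        if m:
            flags = {f.strip() for f in m.group("mode").split(";")}
            result.sigcheck = "SigCheck" in flags
            result.tdlfs = "TDLFS" in flags
            continue
        m = _FILE_RE.match(line)
        if m:
            files[m.group("name")] = Finding(m.group("name"), md5=m.group("md5").upper(), path=m.group("path"))
            continue
        m = _FLAG_RE.match(line)
        if m:
            f = files.get(m.group("name"), Finding(m.group("name")))
            f.verdict, f.level = m.group("verdict"), m.group("level")
            # Signature-check failures are left alone per the instructions
            # above; everything else is listed for the helper to decide on.
            bucket = result.unsigned if f.verdict.startswith("UnsignedFile.") else result.review
            bucket.append(f)
            continue
        if _OK_RE.match(line):
            result.ok_count += 1
    return result


def summarize(t: Triage) -> List[str]:
    """Plain-text summary, one line per flagged object."""
    lines = [
        "Scan options: SigCheck=%s TDLFS=%s" % ("on" if t.sigcheck else "OFF", "on" if t.tdlfs else "OFF"),
        "Objects reported ok: %d" % t.ok_count,
    ]
    lines += ["SKIP (failed signature check): %s  %s  md5=%s" % (f.name, f.path, f.md5) for f in t.unsigned]
    lines += ["REVIEW (%s, %s): %s  %s  md5=%s" % (f.verdict, f.level, f.name, f.path, f.md5) for f in t.review]
    return lines


# Constructed sample in the log format seen in this thread; the hashes are
# zero-padded placeholders and "Suspicious.Placeholder" is not a real verdict.
SAMPLE_LOG = r"""
09:38:00.0109 3588  Mode: Manual; SigCheck; TDLFS;
09:38:00.0359 3588  ================ Scan services =============================
09:38:00.0515 3588  Abiosdsk - ok
09:38:00.0546 3588  [ 00000000000000000000000000000001 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:38:01.0406 3588  ACPI - ok
09:38:04.0343 3588  [ 00000000000000000000000000000002 ] BrPar           C:\WINDOWS\System32\drivers\BrPar.sys
09:38:04.0375 3588  BrPar ( UnsignedFile.Multi.Generic ) - warning
09:38:04.0375 3588  BrPar - detected UnsignedFile.Multi.Generic (1)
09:38:05.0000 3588  [ 00000000000000000000000000000003 ] Example Service C:\Program Files\Example\svc.exe
09:38:05.0010 3588  Example Service ( Suspicious.Placeholder ) - warning
09:38:05.0010 3588  Example Service - detected Suspicious.Placeholder (1)
"""

if __name__ == "__main__":
    # Usage: python tdss_triage.py [TDSSKiller.<version>_<date>_log.txt]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(triage(text))))
```

Run it against the real log file from the C: drive root to get the same four-line style summary; a scan with SigCheck or TDLFS reported OFF means the Change parameters step above was missed.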

#5 ZeeAcc

ZeeAcc
  • Topic Starter

  • Members
  • 15 posts

Posted 02 September 2013 - 08:35 PM

Hi nasdaq and thank you for your help with this.

The zipped MBR.dat file is attached.  The TDSSKiller and aswMBR logs are below.

TDSSKiller log:
09:38:21.0328 3588  NetDDE - ok
09:38:21.0343 3588  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
09:38:21.0484 3588  NetDDEdsdm - ok
09:38:21.0515 3588  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
09:38:21.0656 3588  Netlogon - ok
09:38:21.0671 3588  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
09:38:21.0828 3588  Netman - ok
09:38:21.0859 3588  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
09:38:21.0906 3588  NetTcpPortSharing - ok
09:38:21.0921 3588  [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394         C:\WINDOWS\system32\DRIVERS\nic1394.sys
09:38:22.0062 3588  NIC1394 - ok
09:38:22.0093 3588  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
09:38:22.0125 3588  Nla - ok
09:38:22.0187 3588  [ 62F68443D244024845B875B44D76A92F ] NMIndexingService C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
09:38:22.0218 3588  NMIndexingService - ok
09:38:22.0234 3588  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
09:38:22.0390 3588  Npfs - ok
09:38:22.0406 3588  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
09:38:22.0609 3588  Ntfs - ok
09:38:22.0625 3588  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
09:38:22.0765 3588  NtLmSsp - ok
09:38:22.0796 3588  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
09:38:22.0968 3588  NtmsSvc - ok
09:38:22.0968 3588  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
09:38:23.0125 3588  Null - ok
09:38:23.0218 3588  [ A28AB3B7E33467C65EE5858DA5CB166D ] nv              C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:38:23.0453 3588  nv - ok
09:38:23.0484 3588  [ 43B0A0774EA90BF699D267C45D2702F9 ] NVSvc           C:\WINDOWS\system32\nvsvc32.exe
09:38:23.0515 3588  NVSvc - ok
09:38:23.0546 3588  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:38:23.0703 3588  NwlnkFlt - ok
09:38:23.0718 3588  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:38:23.0875 3588  NwlnkFwd - ok
09:38:23.0937 3588  [ 84DE1DD996B48B05ACE31AD015FA108A ] odserv          C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
09:38:24.0031 3588  odserv - ok
09:38:24.0046 3588  [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394        C:\WINDOWS\system32\DRIVERS\ohci1394.sys
09:38:24.0203 3588  ohci1394 - ok
09:38:24.0234 3588  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
09:38:24.0328 3588  ose - ok
09:38:24.0328 3588  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
09:38:24.0484 3588  Parport - ok
09:38:24.0515 3588  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
09:38:24.0656 3588  PartMgr - ok
09:38:24.0687 3588  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
09:38:24.0828 3588  ParVdm - ok
09:38:24.0843 3588  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
09:38:25.0000 3588  PCI - ok
09:38:25.0015 3588  PCIDump - ok
09:38:25.0046 3588  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
09:38:25.0187 3588  PCIIde - ok
09:38:25.0203 3588  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
09:38:25.0375 3588  Pcmcia - ok
09:38:25.0375 3588  PDCOMP - ok
09:38:25.0390 3588  PDFRAME - ok
09:38:25.0390 3588  PDRELI - ok
09:38:25.0406 3588  PDRFRAME - ok
09:38:25.0406 3588  perc2 - ok
09:38:25.0421 3588  perc2hib - ok
09:38:25.0437 3588  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
09:38:25.0468 3588  PlugPlay - ok
09:38:25.0500 3588  [ 2B85237F904C5BDF7AD386F0EDE19BD3 ] PMEM            C:\WINDOWS\system32\drivers\pmemnt.sys
09:38:25.0515 3588  PMEM ( UnsignedFile.Multi.Generic ) - warning
09:38:25.0515 3588  PMEM - detected UnsignedFile.Multi.Generic (1)
09:38:25.0531 3588  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
09:38:25.0656 3588  PolicyAgent - ok
09:38:25.0671 3588  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:38:25.0828 3588  PptpMiniport - ok
09:38:25.0828 3588  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
09:38:25.0968 3588  ProtectedStorage - ok
09:38:25.0984 3588  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
09:38:26.0140 3588  PSched - ok
09:38:26.0140 3588  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:38:26.0281 3588  Ptilink - ok
09:38:26.0312 3588  [ 153D02480A0A2F45785522E814C634B6 ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:38:26.0343 3588  PxHelp20 - ok
09:38:26.0359 3588  ql1080 - ok
09:38:26.0359 3588  Ql10wnt - ok
09:38:26.0375 3588  ql12160 - ok
09:38:26.0375 3588  ql1240 - ok
09:38:26.0390 3588  ql1280 - ok
09:38:26.0421 3588  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:38:26.0562 3588  RasAcd - ok
09:38:26.0671 3588  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
09:38:26.0828 3588  RasAuto - ok
09:38:26.0843 3588  [ 0207D26DDF796A193CCD9F83047BB5FC ] Rasirda         C:\WINDOWS\system32\DRIVERS\rasirda.sys
09:38:26.0921 3588  Rasirda - ok
09:38:26.0937 3588  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:38:27.0062 3588  Rasl2tp - ok
09:38:27.0078 3588  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
09:38:27.0250 3588  RasMan - ok
09:38:27.0265 3588  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:38:27.0421 3588  RasPppoe - ok
09:38:27.0437 3588  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
09:38:27.0578 3588  Raspti - ok
09:38:27.0593 3588  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:38:27.0750 3588  Rdbss - ok
09:38:27.0765 3588  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:38:27.0906 3588  RDPCDD - ok
09:38:27.0953 3588  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:38:28.0109 3588  rdpdr - ok
09:38:28.0156 3588  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
09:38:28.0218 3588  RDPWD - ok
09:38:28.0250 3588  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
09:38:28.0406 3588  RDSessMgr - ok
09:38:28.0437 3588  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
09:38:28.0578 3588  redbook - ok
09:38:28.0593 3588  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
09:38:28.0765 3588  RemoteAccess - ok
09:38:28.0796 3588  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
09:38:28.0953 3588  RemoteRegistry - ok
09:38:28.0984 3588  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
09:38:29.0140 3588  RpcLocator - ok
09:38:29.0156 3588  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\system32\rpcss.dll
09:38:29.0187 3588  RpcSs - ok
09:38:29.0218 3588  [ 91DD80198204B6CB640BC24659254AF3 ] RSUSBSTOR       C:\WINDOWS\system32\Drivers\RTS5121.sys
09:38:29.0234 3588  RSUSBSTOR ( UnsignedFile.Multi.Generic ) - warning
09:38:29.0234 3588  RSUSBSTOR - detected UnsignedFile.Multi.Generic (1)
09:38:29.0250 3588  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
09:38:29.0390 3588  RSVP - ok
09:38:29.0406 3588  Rts516xIR - ok
09:38:29.0421 3588  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
09:38:29.0562 3588  SamSs - ok
09:38:29.0578 3588  [ 3525FDCFC567E807A337C61AFF366BE8 ] SavRoam         C:\Program Files\Symantec AntiVirus\SavRoam.exe
09:38:29.0609 3588  SavRoam - ok
09:38:29.0640 3588  [ 12B6E269EF8AC8EA36122544C8A1B6D8 ] SAVRT           C:\Program Files\Symantec AntiVirus\savrt.sys
09:38:29.0671 3588  SAVRT - ok
09:38:29.0671 3588  [ 97E5B6F3F95465E1F59360B59D8EC64E ] SAVRTPEL        C:\Program Files\Symantec AntiVirus\Savrtpel.sys
09:38:29.0703 3588  SAVRTPEL - ok
09:38:29.0734 3588  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
09:38:29.0875 3588  SCardSvr - ok
09:38:29.0906 3588  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
09:38:30.0078 3588  Schedule - ok
09:38:30.0093 3588  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:38:30.0187 3588  Secdrv - ok
09:38:30.0203 3588  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
09:38:30.0343 3588  seclogon - ok
09:38:30.0359 3588  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
09:38:30.0500 3588  SENS - ok
09:38:30.0515 3588  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
09:38:30.0656 3588  serenum - ok
09:38:30.0671 3588  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
09:38:30.0828 3588  Serial - ok
09:38:30.0859 3588  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
09:38:31.0015 3588  Sfloppy - ok
09:38:31.0046 3588  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
09:38:31.0203 3588  SharedAccess - ok
09:38:31.0218 3588  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
09:38:31.0250 3588  ShellHWDetection - ok
09:38:31.0265 3588  Simbad - ok
09:38:31.0296 3588  [ 0D411EEA92751C1ECD8453892F41E726 ] SNDSrvc         C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
09:38:31.0343 3588  SNDSrvc - ok
09:38:31.0343 3588  Sparrow - ok
09:38:31.0390 3588  [ 677B10906838D3BFB1C07AC9087E4BF7 ] SPBBCDrv        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
09:38:31.0421 3588  SPBBCDrv - ok
09:38:31.0453 3588  [ C830007369E18A54AED23B5BB3AFA2BA ] SPBBCSvc        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
09:38:31.0531 3588  SPBBCSvc - ok
09:38:31.0546 3588  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
09:38:31.0703 3588  splitter - ok
09:38:31.0734 3588  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
09:38:31.0765 3588  Spooler - ok
09:38:31.0796 3588  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
09:38:31.0875 3588  sr - ok
09:38:31.0890 3588  srescan - ok
09:38:31.0906 3588  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
09:38:31.0984 3588  srservice - ok
09:38:32.0000 3588  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
09:38:32.0062 3588  Srv - ok
09:38:32.0093 3588  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
09:38:32.0171 3588  SSDPSRV - ok
09:38:32.0203 3588  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
09:38:32.0359 3588  stisvc - ok
09:38:32.0375 3588  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
09:38:32.0531 3588  swenum - ok
09:38:32.0546 3588  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
09:38:32.0687 3588  swmidi - ok
09:38:32.0687 3588  SwPrv - ok
09:38:32.0750 3588  [ 8FDAADF204A4F29214DA1B03342E2735 ] Symantec AntiVirus C:\Program Files\Symantec AntiVirus\Rtvscan.exe
09:38:32.0812 3588  Symantec AntiVirus - ok
09:38:32.0812 3588  symc810 - ok
09:38:32.0828 3588  symc8xx - ok
09:38:32.0843 3588  [ DE6D1102D55926354171AE4E73936725 ] SymEvent        C:\Program Files\Symantec\SYMEVENT.SYS
09:38:32.0875 3588  SymEvent - ok
09:38:32.0875 3588  [ 6C0A85982F4E0D672B85A2BFB50A24B5 ] SYMREDRV        C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
09:38:32.0890 3588  SYMREDRV - ok
09:38:32.0921 3588  [ CDDA3BA3F7D5B63FF9F85CB478C11473 ] SYMTDI          C:\WINDOWS\System32\Drivers\SYMTDI.SYS
09:38:32.0953 3588  SYMTDI - ok
09:38:32.0953 3588  sym_hi - ok
09:38:32.0968 3588  sym_u3 - ok
09:38:32.0968 3588  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
09:38:33.0109 3588  sysaudio - ok
09:38:33.0140 3588  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
09:38:33.0296 3588  SysmonLog - ok
09:38:33.0328 3588  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
09:38:33.0468 3588  TapiSrv - ok
09:38:33.0500 3588  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:38:33.0562 3588  Tcpip - ok
09:38:33.0593 3588  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
09:38:33.0750 3588  TDPIPE - ok
09:38:33.0765 3588  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
09:38:33.0921 3588  TDTCP - ok
09:38:33.0937 3588  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
09:38:34.0093 3588  TermDD - ok
09:38:34.0109 3588  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
09:38:34.0281 3588  TermService - ok
09:38:34.0296 3588  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
09:38:34.0328 3588  Themes - ok
09:38:34.0343 3588  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
09:38:34.0437 3588  TlntSvr - ok
09:38:34.0437 3588  TosIde - ok
09:38:34.0453 3588  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
09:38:34.0625 3588  TrkWks - ok
09:38:34.0640 3588  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
09:38:34.0796 3588  Udfs - ok
09:38:34.0796 3588  ultra - ok
09:38:34.0828 3588  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
09:38:35.0000 3588  Update - ok
09:38:35.0031 3588  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
09:38:35.0125 3588  upnphost - ok
09:38:35.0140 3588  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
09:38:35.0265 3588  UPS - ok
09:38:35.0296 3588  [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL         C:\WINDOWS\system32\Drivers\usbaapl.sys
09:38:35.0359 3588  USBAAPL - ok
09:38:35.0375 3588  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:38:35.0546 3588  usbccgp - ok
09:38:35.0562 3588  [ A33A923231AAF8B13F5911B328100FEE ] USBCCID         C:\WINDOWS\system32\DRIVERS\Rts5161ccid.sys
09:38:35.0625 3588  USBCCID - ok
09:38:35.0656 3588  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:38:35.0796 3588  usbehci - ok
09:38:35.0812 3588  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:38:35.0968 3588  usbhub - ok
09:38:36.0000 3588  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:38:36.0156 3588  usbprint - ok
09:38:36.0187 3588  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:38:36.0328 3588  usbscan - ok
09:38:36.0359 3588  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:38:36.0515 3588  USBSTOR - ok
09:38:36.0546 3588  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:38:36.0687 3588  usbuhci - ok
09:38:36.0687 3588  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
09:38:36.0828 3588  VgaSave - ok
09:38:36.0843 3588  ViaIde - ok
09:38:36.0859 3588  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
09:38:37.0015 3588  VolSnap - ok
09:38:37.0046 3588  [ D8350E1DEF14602FAAFB849005287368 ] Vsdatant        C:\WINDOWS\system32\vsdatant.sys
09:38:37.0093 3588  Vsdatant - ok
09:38:37.0125 3588  vsmon - ok
09:38:37.0140 3588  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
09:38:37.0250 3588  VSS - ok
09:38:37.0265 3588  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         C:\WINDOWS\system32\w32time.dll
09:38:37.0406 3588  W32Time - ok
09:38:37.0421 3588  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:38:37.0578 3588  Wanarp - ok
09:38:37.0609 3588  [ BBCFEAB7E871CDDAC2D397EE7FA91FDC ] Wdf01000        C:\WINDOWS\system32\Drivers\wdf01000.sys
09:38:37.0671 3588  Wdf01000 - ok
09:38:37.0671 3588  WDICA - ok
09:38:37.0703 3588  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
09:38:37.0843 3588  wdmaud - ok
09:38:37.0859 3588  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
09:38:38.0031 3588  WebClient - ok
09:38:38.0093 3588  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
09:38:38.0250 3588  winmgmt - ok
09:38:38.0296 3588  [ 18F347402DA544A780949B8FDF83351B ] WinRM           C:\WINDOWS\system32\WsmSvc.dll
09:38:38.0406 3588  WinRM - ok
09:38:38.0437 3588  [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
09:38:38.0500 3588  WmdmPmSN - ok
09:38:38.0531 3588  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
09:38:38.0593 3588  Wmi - ok
09:38:38.0625 3588  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
09:38:38.0796 3588  WmiApSrv - ok
09:38:38.0859 3588  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
09:38:38.0953 3588  WMPNetworkSvc - ok
09:38:38.0968 3588  [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb          C:\WINDOWS\system32\Drivers\wpdusb.sys
09:38:39.0000 3588  WpdUsb - ok
09:38:39.0062 3588  [ B800EEC15851597405784126C407188C ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
09:38:39.0187 3588  WPFFontCache_v0400 - ok
09:38:39.0218 3588  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
09:38:39.0390 3588  wscsvc - ok
09:38:39.0406 3588  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
09:38:39.0562 3588  wuauserv - ok
09:38:39.0593 3588  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:38:39.0656 3588  WudfPf - ok
09:38:39.0671 3588  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:38:39.0718 3588  WudfRd - ok
09:38:39.0734 3588  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
09:38:39.0765 3588  WudfSvc - ok
09:38:39.0812 3588  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
09:38:39.0984 3588  WZCSVC - ok
09:38:40.0000 3588  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
09:38:40.0140 3588  xmlprov - ok
09:38:40.0171 3588  [ A5D4EAE27E68625296D685A786897491 ] yukonwxp        C:\WINDOWS\system32\DRIVERS\yk51x86.sys
09:38:40.0218 3588  yukonwxp - ok
09:38:40.0250 3588  [ EBD35BDCE49B94EB247213610094F399 ] ZAPrivacyService C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
09:38:40.0281 3588  ZAPrivacyService - ok
09:38:40.0281 3588  ================ Scan global ===============================
09:38:40.0312 3588  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
09:38:40.0359 3588  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
09:38:40.0390 3588  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
09:38:40.0406 3588  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
09:38:40.0421 3588  [Global] - ok
09:38:40.0421 3588  ================ Scan MBR ==================================
09:38:40.0421 3588  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
09:38:40.0718 3588  \Device\Harddisk0\DR0 - ok
09:38:40.0718 3588  ================ Scan VBR ==================================
09:38:40.0734 3588  [ 4ED04C4C9831E52C73225A7F9D380005 ] \Device\Harddisk0\DR0\Partition1
09:38:40.0734 3588  \Device\Harddisk0\DR0\Partition1 - ok
09:38:40.0750 3588  [ 3241139D02F9CC9F911957FF86FE90F6 ] \Device\Harddisk0\DR0\Partition2
09:38:40.0750 3588  \Device\Harddisk0\DR0\Partition2 - ok
09:38:40.0765 3588  [ 19368B7B553DA4C4F7F5A70CA110C0F2 ] \Device\Harddisk0\DR0\Partition3
09:38:40.0765 3588  \Device\Harddisk0\DR0\Partition3 - ok
09:38:40.0781 3588  [ CAFB1D0ABD7C44FB0AF9479E3451C508 ] \Device\Harddisk0\DR0\Partition4
09:38:40.0781 3588  \Device\Harddisk0\DR0\Partition4 - ok
09:38:40.0781 3588  ============================================================
09:38:40.0781 3588  Scan finished
09:38:40.0781 3588  ============================================================
09:38:40.0906 2924  Detected object count: 11
09:38:40.0906 2924  Actual detected object count: 11
09:51:01.0265 2924  BrPar ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0265 2924  BrPar ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0265 2924  BrYNSvc ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0265 2924  BrYNSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  CCALib8 ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  CCALib8 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  GVCplDrv ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  GVCplDrv ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  LGDDCDevice ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  LGDDCDevice ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  LGII2CDevice ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  LGII2CDevice ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0281 2924  libusb0 ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0281 2924  libusb0 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0296 2924  LightScribeService ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0296 2924  LightScribeService ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0296 2924  PMEM ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0296 2924  PMEM ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:51:01.0296 2924  RSUSBSTOR ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0296 2924  RSUSBSTOR ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:55:05.0656 2436  Deinitialize success

aswMBR log:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-03 11:17:52
-----------------------------
11:17:52.625    OS Version: Windows 5.1.2600 Service Pack 3
11:17:52.625    Number of processors: 2 586 0x401
11:17:52.625    ComputerName: NAMAT  UserName: Admin
11:17:53.265    Initialize success
11:18:53.734    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
11:18:53.734    Disk 0 Vendor: ST3400620AS 3.AAK Size: 381553MB BusType: 3
11:18:53.828    Disk 0 MBR read successfully
11:18:53.828    Disk 0 MBR scan
11:18:53.828    Disk 0 Windows XP default MBR code
11:18:53.828    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        49999 MB offset 63
11:18:53.843    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        49999 MB offset 102398310
11:18:53.843    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        74998 MB offset 204796620
11:18:53.843    Disk 0 Partition - 00     0F Extended LBA            206554 MB offset 358394085
11:18:53.859    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS        99998 MB offset 358394148
11:18:53.875    Disk 0 scanning sectors +781417665
11:18:53.890    Disk 0 scanning C:\WINDOWS\system32\drivers
11:18:58.687    Service scanning
11:19:06.421    Modules scanning
11:19:21.500    Disk 0 trace - called modules:
11:19:21.515    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:19:21.515    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dc4ab8]
11:19:21.515    3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000074[0x89dd6f18]
11:19:21.515    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x89dd1d98]
11:19:21.515    Scan finished successfully
11:20:00.671    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
11:20:00.671    The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"

Attached Files
  • MBR.zip (526 bytes)


#6 nasdaq

  • Malware Response Team
  • 20,431 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 September 2013 - 08:18 AM

The logs are clean. You can now execute these scans.

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue. Click Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.
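An added example, not code from this thread or from Kaspersky's TDSSKiller: a small Python parser for the TDSSKiller log format posted above, which turns the `[ MD5 ] name path` and `name - status` lines into records and separates TDSSKiller's generic `UnsignedFile.Multi.Generic` flag, raised for any unsigned driver or service binary, from every other verdict. In the log above all 11 flagged objects carry that generic flag, which is why the reply reads the log as clean; the parser makes that split explicit and prints MD5s for hash lookup. The sample log is constructed from lines in the thread's format plus one invented entry (`fakedrv`, with a placeholder verdict and an all-zero hash) so that the lookup branch is exercised.

```python
"""Triage a Kaspersky TDSSKiller text log.

Added example for this thread, not part of TDSSKiller or of any post in it:
parses "[ MD5 ] Name  Path" and "Name - status" lines and separates the
generic unsigned-binary flag from every other verdict.
"""
import re
from collections import OrderedDict

# TDSSKiller raises this for any unsigned driver/service binary; it is a
# heuristic flag, not a malware verdict, so it is listed separately below.
GENERIC = "UnsignedFile.Multi.Generic"

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<body>.*)$")
# "[ MD5 ] Name   C:\path" or, for the global/MBR/VBR scans, "[ MD5 ] \Device\..."
HASH_RE = re.compile(
    r"^\[ (?P<md5>[0-9A-F]{32}) \] (?:(?P<name>.+?)\s+)?(?P<path>(?:[A-Za-z]:\\|\\).*)$")
# "Name - ok", "Name ( Verdict ) - warning", "Name - detected Verdict (1)", ...
STATUS_RE = re.compile(r"^(?P<name>.+?)(?: \( (?P<verdict>[^)]+) \))? - (?P<status>.+)$")
DETECTED_RE = re.compile(r"^detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
FIELDS = ("md5", "path", "status", "verdict", "action")


def parse_tdsskiller(text):
    """Return (entries, summary); entries maps name -> record in log order."""
    entries, summary = OrderedDict(), {"reported_detections": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        h = HASH_RE.match(body)
        if h:   # hash line: global/MBR/VBR scans have no name, so key on the path
            rec = entries.setdefault(h.group("name") or h.group("path"), dict.fromkeys(FIELDS))
            rec["md5"], rec["path"] = h.group("md5"), h.group("path")
            continue
        if body.startswith("Detected object count:"):
            summary["reported_detections"] = int(body.rsplit(":", 1)[1])
            continue
        s = STATUS_RE.match(body)
        if not s:
            continue
        rec = entries.setdefault(s.group("name"), dict.fromkeys(FIELDS))
        status = s.group("status")
        d = DETECTED_RE.match(status)
        if d:                                   # "detected Verdict (n)" is the real flag
            rec["status"], rec["verdict"] = "detected", d.group("verdict")
        elif status.startswith("User select action:"):
            rec["action"] = status.split(":", 1)[1].strip()
        elif status == "skipped by user":
            rec["action"] = rec["action"] or "Skip"
        else:                                   # "ok" or "warning"
            rec["status"] = status
            if s.group("verdict"):
                rec["verdict"] = s.group("verdict")
    return entries, summary


def triage(entries):
    """Split flagged entries into (needs_lookup, generic_only) tuple lists."""
    needs_lookup, generic_only = [], []
    for name, rec in entries.items():
        if rec["status"] in ("detected", "warning"):
            item = (name, rec["verdict"], rec["md5"], rec["path"], rec["action"])
            (generic_only if rec["verdict"] == GENERIC else needs_lookup).append(item)
    return needs_lookup, generic_only


def report(text):
    """Human-readable triage lines for a whole log."""
    entries, summary = parse_tdsskiller(text)
    needs_lookup, generic_only = triage(entries)
    flagged = len(needs_lookup) + len(generic_only)
    lines = ["needs lookup: %d, unsigned-only: %d, entries parsed: %d"
             % (len(needs_lookup), len(generic_only), len(entries))]
    reported = summary["reported_detections"]
    if reported is not None and reported != flagged:   # truncated paste or parse gap
        lines.append("NOTE: tool reported %d objects, parsed %d" % (reported, flagged))
    for name, verdict, md5, path, action in needs_lookup:
        lines.append("  LOOK UP  %s  %s  %s  [%s, action=%s]" % (md5, name, path, verdict, action))
    for name, verdict, md5, path, action in generic_only:
        lines.append("  unsigned %s  %s  %s  [action=%s]" % (md5, name, path, action))
    return lines


# Constructed sample in the thread's log format. "fakedrv", its verdict and its
# all-zero hash are placeholders invented for this example, not real indicators.
SAMPLE_LOG = r"""
09:38:17.0984 3588  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:38:18.0140 3588  Mouclass - ok
09:38:25.0500 3588  [ 2B85237F904C5BDF7AD386F0EDE19BD3 ] PMEM            C:\WINDOWS\system32\drivers\pmemnt.sys
09:38:25.0515 3588  PMEM ( UnsignedFile.Multi.Generic ) - warning
09:38:25.0515 3588  PMEM - detected UnsignedFile.Multi.Generic (1)
09:38:32.0750 3588  [ 8FDAADF204A4F29214DA1B03342E2735 ] Symantec AntiVirus C:\Program Files\Symantec AntiVirus\Rtvscan.exe
09:38:32.0812 3588  Symantec AntiVirus - ok
09:38:33.0000 3588  [ 00000000000000000000000000000000 ] fakedrv         C:\WINDOWS\system32\drivers\fakedrv.sys
09:38:33.0010 3588  fakedrv ( Example.Constructed.Verdict ) - warning
09:38:33.0010 3588  fakedrv - detected Example.Constructed.Verdict (1)
09:38:40.0312 3588  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
09:38:40.0421 3588  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
09:38:40.0718 3588  \Device\Harddisk0\DR0 - ok
09:38:40.0906 2924  Detected object count: 2
09:51:01.0296 2924  PMEM ( UnsignedFile.Multi.Generic ) - skipped by user
09:51:01.0296 2924  PMEM ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real log, read the saved TDSSKiller text file and pass its contents to `report()`. The parser keys the global, MBR and VBR scan lines on their path because those carry no service name, and it compares the tool's own `Detected object count` with what it parsed so a truncated paste is noticed rather than silently read as clean.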

#7 ZeeAcc
  • Topic Starter

  • Members
  • 15 posts

Posted 04 September 2013 - 01:04 AM
Posted 04 September 2013 - 01:04 AM

Hi nasdaq.  Thank you for your reply.  The logs are pasted below as requested.

 

Windows Security Centre still tells me that I have no firewall or antivirus running.  Both ZoneAlarm Free and Symantec antivirus were being detected prior to the infection and both are still running and appear to be fully active.

 

AdwCleaner log:

 

# AdwCleaner v3.002 - Report created 04/09/2013 at 09:16:31
# Updated 01/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - NAMAT
# Running from : C:\Documents and Settings\Admin\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\Admin\IECompatCache
Folder Deleted : C:\Documents and Settings\Admin\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Documents and Settings\Karen\IECompatCache
Folder Deleted : C:\Documents and Settings\Karen\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Documents and Settings\Jon\Application Data\CheckPoint\ZoneAlarm LTD Toolbar

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
Product Deleted : Google Update Helper

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [1544 octets] - [04/09/2013 08:58:55]
AdwCleaner[R1].txt - [1604 octets] - [04/09/2013 09:13:05]
AdwCleaner[S0].txt - [1559 octets] - [04/09/2013 09:16:31]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1619 octets] ##########

 

Junkware Removal Tool log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Microsoft Windows XP x86
Ran by Admin on Wed 04/09/2013 at  9:29:15.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/09/2013 at  9:39:17.26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

ComboFix log:

 

ComboFix 13-09-02.02 - Admin 04/09/2013  10:39:40.1.2 - x86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\WINDOWS
c:\windows\tmp
c:\windows\tmp\dd_vcredistMSI4205.txt
c:\windows\tmp\dd_vcredistMSI7F86.txt
c:\windows\tmp\dd_vcredistUI4205.txt
c:\windows\tmp\dd_vcredistUI7F86.txt
c:\windows\tmp\qtsingleapp-koboex-f4a6-0-lockfile
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-04 to 2013-09-04  )))))))))))))))))))))))))))))))
.
.
2013-09-03 23:29 . 2013-09-03 23:29 -------- d-----w- c:\windows\ERUNT
2013-09-03 23:21 . 2013-09-03 23:21 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2013-09-03 22:58 . 2013-09-03 23:16 -------- d-----w- C:\AdwCleaner
2013-08-22 07:25 . 2013-08-22 07:25 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2013-08-12 23:10 . 2013-08-12 23:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2013-08-12 23:09 . 2013-08-12 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-08-12 23:09 . 2013-08-12 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-12 23:09 . 2013-04-04 04:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-12 11:38 . 2013-08-12 22:37 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ApplicationHistory
2013-08-12 10:56 . 2013-08-12 10:56 -------- d-----w- c:\windows\system32\winrm
2013-08-12 10:56 . 2013-08-12 10:56 -------- d-----w- c:\windows\system32\GroupPolicy
2013-08-12 10:56 . 2013-08-12 10:56 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-08-12 10:56 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-08-12 10:56 . 2013-08-12 10:56 -------- d-----w- c:\program files\Windows Media Connect 2
2013-08-12 10:53 . 2013-08-12 10:54 -------- d-----w- c:\windows\system32\drivers\UMDF
2013-08-12 10:53 . 2013-08-12 10:53 -------- d-----w- c:\windows\system32\LogFiles
2013-08-12 10:51 . 2013-08-12 10:51 -------- d-----w- c:\windows\system32\URTTEMP
2013-08-12 08:16 . 2008-04-13 19:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2013-08-12 08:16 . 2001-08-17 12:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2013-08-12 08:16 . 2008-04-13 19:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2013-08-12 08:16 . 2001-08-17 12:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2013-08-12 08:16 . 2001-08-17 12:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2013-08-12 08:15 . 2001-08-17 12:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2013-08-12 08:15 . 2001-08-17 02:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2013-08-12 08:15 . 2008-04-13 12:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2013-08-12 08:15 . 2008-04-13 12:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2013-08-12 08:15 . 2008-04-13 14:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2013-08-12 08:15 . 2008-04-13 12:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2013-08-12 08:15 . 2001-08-17 02:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2013-08-12 08:15 . 2001-08-17 03:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2013-08-12 08:15 . 2001-08-17 12:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2013-08-12 08:15 . 2001-08-17 12:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2013-08-12 08:15 . 2008-04-13 12:04 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2013-08-12 08:15 . 2001-08-17 03:28 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2013-08-12 08:13 . 2008-04-13 19:42 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2013-08-12 08:12 . 2001-08-17 03:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2013-08-12 08:11 . 2001-08-17 12:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2013-08-12 08:10 . 2001-08-17 04:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2013-08-12 08:09 . 2001-08-17 12:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2013-08-12 08:08 . 2001-08-17 02:12 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2013-08-12 08:07 . 2008-04-13 14:06 40960 -c--a-w- c:\windows\system32\dllcache\sisagp.sys
2013-08-12 08:06 . 2001-08-17 03:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2013-08-12 08:05 . 2008-04-13 19:42 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2013-08-12 08:04 . 2001-08-17 03:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2013-08-12 08:03 . 2001-08-17 04:04 92416 -c--a-w- c:\windows\system32\dllcache\phildec.sys
2013-08-12 08:02 . 2001-08-17 12:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2013-08-12 08:01 . 2001-08-17 03:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2013-08-12 08:00 . 2001-08-17 03:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2013-08-12 07:59 . 2001-08-17 03:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2013-08-12 07:59 . 2001-08-17 03:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2013-08-12 07:59 . 2001-08-17 03:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2013-08-12 07:59 . 2001-08-17 03:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2013-08-12 07:59 . 2001-08-17 03:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-08-12 07:59 . 2001-08-17 02:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2013-08-12 07:59 . 2001-08-17 04:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2013-08-12 07:59 . 2008-04-13 14:11 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2013-08-12 07:59 . 2001-08-17 12:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2013-08-12 07:59 . 2001-08-17 03:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2013-08-12 07:59 . 2001-08-17 02:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2013-08-12 07:59 . 2001-08-17 03:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2013-08-12 07:59 . 2001-08-17 02:19 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2013-08-12 07:57 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2013-08-12 07:57 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2013-08-12 07:57 . 2008-04-13 14:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2013-08-12 07:57 . 2008-04-13 19:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2013-08-12 07:57 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2013-08-12 07:57 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2013-08-12 07:57 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2013-08-12 07:57 . 2001-08-17 03:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2013-08-12 07:57 . 2001-08-17 03:49 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2013-08-12 07:57 . 2008-04-13 14:15 46592 -c--a-w- c:\windows\system32\dllcache\irbus.sys
2013-08-12 07:57 . 2001-08-17 02:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2013-08-12 07:55 . 2001-08-17 02:12 100936 -c--a-w- c:\windows\system32\dllcache\ibmtok.sys
2013-08-12 07:54 . 2001-08-17 03:28 67167 -c--a-w- c:\windows\system32\dllcache\hsf_bsc2.sys
2013-08-12 07:53 . 2001-08-17 03:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2013-08-12 07:52 . 2001-08-17 02:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2013-08-12 07:51 . 2001-08-17 02:10 19996 -c--a-w- c:\windows\system32\dllcache\em556n4.sys
2013-08-12 07:50 . 2001-08-17 12:36 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2013-08-12 07:49 . 2001-08-17 12:36 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
2013-08-12 07:48 . 2001-08-17 03:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2013-08-12 07:47 . 2001-08-17 02:49 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys
2013-08-12 07:46 . 2001-08-17 02:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2013-08-12 01:14 . 2013-08-27 09:07 -------- d-----w- c:\windows\system32\MRT
2013-08-08 01:40 . 2013-08-08 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2013-08-08 01:40 . 2013-08-08 01:40 73728 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-08 01:40 . 2013-08-08 01:40 73728 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-08 01:40 . 2013-08-08 01:40 73728 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-08-08 01:39 . 2013-08-08 01:39 -------- d-----w- c:\program files\Sophos
2013-08-05 08:10 . 2013-08-05 08:10 -------- d-----w- c:\documents and settings\Karen\Local Settings\Application Data\NPE
2013-08-05 07:45 . 2013-08-05 07:45 -------- d--h--w- c:\windows\PIF
2013-08-05 07:02 . 2013-08-05 08:05 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\NPE
2013-08-05 07:02 . 2013-08-05 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-31 10:51 . 2011-01-26 21:42 664 ----a-w- c:\documents and settings\Karen\Local Settings\Application Data\d3d9caps.tmp
2013-08-03 04:18 . 2006-10-18 11:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-08-03 00:18 . 2012-08-23 00:56 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-03 00:18 . 2011-06-29 04:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2008-04-14 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2008-04-14 12:00 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2008-04-14 00:01 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-08-08 01:28 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-12-11 1840424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-05 570664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-23 5537792]
"nwiz"="nwiz.exe" [2005-02-23 1495040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-23 86016]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-19 73832]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-09-27 125168]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Visitor\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office 2007\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-11 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-13 598016]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Karen\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-08-12 2151640]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-08-12 15232]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [2009-04-24 14336]
R3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [2009-04-24 18432]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2012-03-02 21504]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2011-04-04 20480]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-11-08 11008]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-02-15 152576]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-08 169312]
S2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\Lite\NServiceEntry.exe [2011-09-19 87368]
S2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2011-12-06 214896]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-08-08 53032]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [2013-06-17 54160]
S3 bbcap;bbcap;c:\windows\system32\DRIVERS\bbcap.sys [2009-10-11 4096]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2010-01-24 245760]
S3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-10-21 1275584]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-08-31 108120]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 03:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 01:34]
.
2013-08-29 c:\windows\Tasks\BackupStart.job
- c:\auto backup\BackupStart.bat [2011-06-05 06:34]
.
2013-08-29 c:\windows\Tasks\Jira-Wakeup.job
- c:\auto backup\Jira-Wakeup.bat [2011-06-09 23:14]
.
2013-08-07 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-12-06 21:00]
.
2013-09-03 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-12-06 21:00]
.
2013-08-07 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-12-06 21:00]
.
2013-08-29 c:\windows\Tasks\Offsite-Shutdown.job
- c:\auto backup\Offsite-Shutdown.bat [2011-06-04 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://192.168.1.1:81/cgi-bin/index.cgi
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: Interfaces\{4C5DAD96-1AB7-4346-A011-690B945024D5}: NameServer = 192.168.1.1
TCP: Interfaces\{C0AF0CB0-2979-4930-80EB-0FBEAF4943BC}: NameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
SafeBoot-Wdf01000.sys
AddRemove-WZCLINE - c:\program files\WinZip\winzip32
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-04 10:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-09-04  10:54:04
ComboFix-quarantined-files.txt  2013-09-04 00:54
.
Pre-Run: 14,052,106,240 bytes free
Post-Run: 15,032,942,592 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3DEC2C97FB63D0DCED0A7968BEC153B4
8F558EB6672622401DA993E1E865C861
 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 20,431 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 04 September 2013 - 10:04 AM

Normally I would see what Anti Virus or Firewall is installed in your DDS and ComboFix.
I do not see any of them in your logs.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===

Please run also this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#9 ZeeAcc

ZeeAcc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 04 September 2013 - 11:35 PM

Hi nasdaq.  Thank you for your continuing support.  As requested, FSS and Security Check logs are pasted below.

 

After running the previous set of scans (JRT and ComboFix), when I opened Internet Explorer it told me that it was not currently the default browser (which it had been - I had not installed any other browser on this PC).  I then noticed an icon for Internet Explorer on the desktop (it is not a shortcut) for user Admin (it does not appear for other users).  A right click on this icon for properties brings up the usual IE "Internet Options" dialogue box but with the title of "Internet Properties".  It does not appear in the folders "C:\Documents and Settings\All Users\Desktop" or "C:\Documents and Settings\Admin\Desktop", but it does appear in "Desktop" for Admin when logged in as such.  Searching for iexplore.exe shows it to exist in C:\Program Files, C:\Windows\erdnt\cache, and C:\Program Files\Malwarebytes' Anti-Malware\Chameleon.  I am not sure if this is an issue or just some sort of finger trouble on my part.

 

When running Security Check, it reported some errors.  After displaying the message "Preparing", it brought up an error dialogue with the title "AutoIt Error" with the message "Line -1:  Error: Variable must be of type "Object" ".  Three times it reported "Error Code: 0x80004002 Description: No such interface supported. Facility  = <Null>".  It also reported "File not found: HKLMRUN.TXT".

 

FSS log:

 

Farbar Service Scanner Version: 05-09-2013
Ran by Admin (administrator) on 05-09-2013 at 09:14:48
Running from "C:\Documents and Settings\Admin\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) SYMTDI(9) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000090000000700000008000000
IpSec Tag value is correct.

**** End of log ****

 

Security Check log:

 

 Results of screen317's Security Check version 0.99.73 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 37 
 Java version out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````
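What the FSS and Security Check logs above report can be re-checked directly on the affected machine. The PowerShell script below is an added example, not something posted in this thread and not part of FSS, Security Check or ComboFix. It queries the Security Center WMI classes (root\SecurityCenter on XP, root\SecurityCenter2 on later Windows) through which an antivirus or firewall announces itself to Security Center, lists the per-product DisableMonitoring values under HKLM\SOFTWARE\Microsoft\Security Center\Monitoring that the ComboFix log shows, and reads the StandardProfile EnableFirewall value that FSS shows. It assumes PowerShell 2.0 or later in an administrator session; the function names are my own.

```powershell
# Added example (not from the thread or from any of the tools used in it).
# Re-checks the three data sources behind the "no antivirus / no firewall"
# reports: Security Center WMI registrations, the per-product Monitoring
# flags, and the Windows Firewall policy value.
# Assumes PowerShell 2.0+ and an administrator session.

function Get-SecurityCenterProducts {
    # XP exposes root\SecurityCenter; Vista and later use root\SecurityCenter2.
    # A namespace that does not exist on this OS version is simply skipped.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            try {
                $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop
            } catch {
                continue
            }
            foreach ($p in $items) {
                New-Object PSObject -Property @{
                    Namespace = $ns
                    Class     = $class
                    Name      = $p.displayName
                }
            }
        }
    }
}

function Get-MonitoringFlags {
    # One subkey per product that Security Center has been told about;
    # DisableMonitoring=1 is what the ComboFix log above shows for both products.
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base | ForEach-Object {
        $value = (Get-ItemProperty $_.PSPath).DisableMonitoring
        New-Object PSObject -Property @{
            Product           = $_.PSChildName
            DisableMonitoring = $value
        }
    }
}

function Get-WindowsFirewallPolicy {
    # Same value FSS prints under "Firewall Disabled Policy"; 0 = Windows Firewall off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    (Get-ItemProperty $key -ErrorAction SilentlyContinue).EnableFirewall
}

"--- Products registered with Security Center (WMI) ---"
$products = @(Get-SecurityCenterProducts)
if ($products.Count -eq 0) {
    "No antivirus or firewall is registered; Security Center will report none installed."
} else {
    $products | Format-Table Namespace, Class, Name -AutoSize
}

"--- Security Center per-product monitoring flags ---"
Get-MonitoringFlags | Format-Table Product, DisableMonitoring -AutoSize

"--- Windows Firewall (StandardProfile) EnableFirewall ---"
Get-WindowsFirewallPolicy
```

If the WMI query returns nothing while the antivirus and firewall are visibly running, it is the products' Security Center registration that is missing rather than the products themselves, which is what the "WMI entry may not exist for antivirus" line in the Security Check log indicates; a vendor's installer normally writes that registration, so reinstalling the product typically restores it. EnableFirewall=0 on its own is expected when a third-party firewall such as ZoneAlarm is in use.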
 



#10 nasdaq

nasdaq

  • Malware Response Team
  • 20,431 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 05 September 2013 - 08:19 AM


After running the previous set of scans (JRT and ComboFix), when I opened Internet Explorer it told me that it was not currently the default browser (which it had been - I had not installed any other browser on this PC).

ComboFix uses its copy of IE as the default browser. When you started your copy it was no longer the default. Nothing to worry about.
===

As to the Icons, I would delete them to the Recycle bin.
Keep them for a week or so. If all is well you can flush them.
===

Searching for iexplore.exe shows it to exist in C:\Program Files, C:\Windows\erdnt\cache, and C:\Program Files\Malwarebytes' Anti-Malware\Chameleon. I am not sure if this is an issue or just some sort of finger trouble on my part.

No problem here ComboFix and MBAM added these.
===

Under normal circumstance the DDS and ComboFix logs would report the Antivirus and Firewall installed.
I do not see any of it in your logs.

That may explain why the SecurityCheck tool reported the error.

However, the log from SecurityCheck reported these. Do you have any other Antivirus programs installed at the moment?
Did you have any other programs previously and they were removed?

From the Securitycheck log.

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300

===


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java™ 6 Update 37

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

#11 ZeeAcc

ZeeAcc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 06 September 2013 - 02:07 AM

Hi nasdaq,  Thanks for your assurance regarding the IE matters.

 

I've updated Java to v7.25 via the Java CP applet (excluding the Ask toolbar).  It uninstalled the previous version in the process.

 

This PC has not had any antivirus programs other than Symantec AV nor any firewall programs other than ZoneAlarm Free (updated as required), although I have turned the Windows firewall on and off several times over the past couple of weeks to see if it clears the problem (it didn't).

 

I have been wondering if the non-detection of the firewall and antivirus is related to the ZeroAccess defensive measures.  This Sophos technical paper http://nakedsecurity.sophos.com/zeroaccess4/ refers to the injection of shell code that terminates a process.  I don't know if this capability was in the version that hit me.  Could this problem be cleared by removing and re-installing the firewall and AV programs ?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 20,431 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 06 September 2013 - 07:47 AM

Could this problem be cleared by removing and re-installing the firewall and AV programs ?


That is the suggestion I was going to suggest.

Remove the Firewall using the Add/Remove programs.
Restart the computer to reset the registry.

Re-install the application.
===

If still an issue, remove the AV, restart the computer and re-install.

===

#13 ZeeAcc

ZeeAcc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 07 September 2013 - 05:26 AM

Hi nasdaq,

 

I uninstalled ZoneAlarm Free, did a restart, and then installed it from scratch.  Windows Security Centre (WSC) still reports no firewall or AV running.  I decided not to re-install the AV for now as the firewall problem was not fixed by this procedure.

 

I had a look in the event log and found two errors that appear to relate to this problem.  These errors started appearing in the event log after the attempted infection and seem to occur at logon.  They are Source: WinMgmt, Event number 28; and Source: SecurityCenter, Event number 1802.

 

The WinMgmt error details are: 

 

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 28
Date:  7/09/2013
Time:  10:08:10 AM
User:  N/A
Computer: NAMAT
Description:
WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

The SecurityCenter details are:

  

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date:  7/09/2013
Time:  10:08:10 AM
User:  N/A
Computer: NAMAT
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 02 40 00 80               .@.   

 

The WinMgmt URL link provides the following advice:

 

 

User Action

To determine why WMI could not start

 

  1. Open the log located at %windir%\system32\wbem\logs\wbemcore.log.
  2. In the log, look for messages containing the word “error” and examine these messages for information about failures in CoCreateInstance (when constructing a COM object), missing registry keys for COM objects, and so forth.

 

If the problem is with a COM component, reregister the DLLs.

To reregister the DLLs

 

  • At the command prompt, type:
for /f %s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %s

If the problem is insufficient memory, close some programs.

To close programs while WMI is running

 

  1. At the command prompt, type net stop winmgmt, and then press ENTER.
  2. Confirm that you want to stop WMI and any dependent services.
  3. Close any unnecessary programs.
  4. At the command prompt, type net start winmgmt, and then press ENTER.
  5. Restart any dependent service that you stopped in Step 2.

 

If the problem is insufficient hard disk space, free up some space on the system drive.

If you have tried the preceding solutions and WMI still does not start, some files in the %SystemRoot%\System32\Wbem\Repository folder might be corrupted. Correct this condition by restoring the WMI repository. Possible ways to restore the repository are:

 

  • If you have a good backup of the WMI repository, restore the repository from that backup. This is the preferred method.
  • Force WMI to rebuild the WMI repository from the original Managed Object Format (MOF) file. To see this procedure, go to the Microsoft Knowledge Base search page and search for a KB article by ID number 319101.

 

Note: If you force WMI to rebuild the repository, all static data or other changes to the repository that are not captured in the original MOF file will be lost. You should keep a copy of the corrupted file in case you need to either restore it or have Microsoft Product Support Services evaluate the corrupted files.

 

The wbemcore.log file has the following 3 entries:

 

(Sat Sep 07 10:08:10 2013.152890) : Unable to load Event Subsystem: 0x80004002
(Sat Sep 07 10:08:10 2013.152890) : Event Subsystem initialization returned failure <0x80004002>!
(Sat Sep 07 10:08:10 2013.152906) : Failure to initialize WinMgmt (hRes = 0x80004002)

 

The error appears to not be related to the DLL registration, insufficient memory, or insufficient disk space.

 

According to the Services listing, the WMI service is started (it's automatic), but the WMI Driver Extensions service is not started (it's manual).

 

I haven't yet tried to force the rebuild of the WMI repository as I am unsure of the consequences.

 

Any thoughts on the above ?

 

Thanks, ZeeAcc.



#14 ZeeAcc

ZeeAcc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 07 September 2013 - 05:37 AM

A bit more to add to the above.

 

The wbemcore.log error code 0x80004002 is the same error code returned by Security Check (see my comments above).

 

In the Services (Local) listing, when I open the Properties dialog and click on the Dependencies tab for both WMI and WMI Driver Extensions services, I get the error "<Null>:No such interface supported" in a dialog box with the title "Service Dependencies".  This appears to be the same error that was reported by Security Check.
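The WinMgmt help text in the previous post gives three branches to check (COM registration, memory, disk space, with repository restore as the fallback), and the wbemcore.log and the "No such interface supported" dialog both carry the same HRESULT. The following added example (not part of this thread, and not a Microsoft tool) parses wbemcore.log lines in the format shown above, decodes each HRESULT into its facility and code, and maps the dominant failure onto the remediation branch from that help text; the sample log is a constructed copy of the three lines quoted above, and the HRESULT names are the standard Windows values.

```python
import re
from collections import Counter

# Constructed sample: the three wbemcore.log lines quoted in the post above.
SAMPLE_LOG = """(Sat Sep 07 10:08:10 2013.152890) : Unable to load Event Subsystem: 0x80004002
(Sat Sep 07 10:08:10 2013.152890) : Event Subsystem initialization returned failure <0x80004002>!
(Sat Sep 07 10:08:10 2013.152906) : Failure to initialize WinMgmt (hRes = 0x80004002)
"""

TS_RE = re.compile(r"^\(([^)]+)\) : (.*)$")      # "(timestamp) : message"
HEX_RE = re.compile(r"0x([0-9A-Fa-f]{8})")       # any 32-bit HRESULT in the message

# Standard Windows HRESULT values relevant to the WinMgmt startup branches.
KNOWN = {
    0x80004002: "E_NOINTERFACE (the 'No such interface supported' dialog text)",
    0x8007000E: "E_OUTOFMEMORY",
    0x80070070: "HRESULT_FROM_WIN32(ERROR_DISK_FULL)",
}

def decode_hresult(hr):
    """Split an HRESULT into failure bit, facility (13 bits) and code (16 bits)."""
    return {"failed": bool(hr & 0x80000000), "facility": (hr >> 16) & 0x1FFF,
            "code": hr & 0xFFFF, "name": KNOWN.get(hr, "unknown")}

def parse_wbemcore(text):
    """Return (timestamp, message, [hresults]) for each well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                                 # skip lines without the timestamp prefix
        ts, msg = m.groups()
        entries.append((ts, msg, [int(h, 16) for h in HEX_RE.findall(msg)]))
    return entries

def triage(text):
    """Map the most frequent failure HRESULT onto the help text's remediation branches."""
    counts = Counter(hr for _, _, hrs in parse_wbemcore(text) for hr in hrs if hr & 0x80000000)
    if not counts:
        return "no-failure", None
    hr = counts.most_common(1)[0][0]
    d = decode_hresult(hr)
    if hr == 0x80004002:
        return "com-registration", d   # reregister the wbem DLLs, then consider the repository
    if hr == 0x8007000E or (d["facility"] == 7 and d["code"] == 8):
        return "memory", d             # close programs, restart winmgmt
    if d["facility"] == 7 and d["code"] == 112:
        return "disk-space", d         # free space on the system drive
    return "repository", d             # anything else: restore or rebuild the WMI repository
```

Running `triage(SAMPLE_LOG)` on the quoted lines yields the COM-registration branch, which matches the poster's observation that memory and disk space are not the cause.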



#15 nasdaq

nasdaq

  • Malware Response Team
  • 20,431 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 07 September 2013 - 08:54 AM


Let's check the WMI service.

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action center
  • Windows Update
  • Windows Defender
Press Scan.
This will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
===
