I think I have a Root Kit


23 replies to this topic

#1 adamraff (Members, 13 posts)

Posted 24 February 2012 - 02:11 PM

Good Day,

I ran the following program, MBR.exe, and it gave me the following info:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

I ran a bunch of other programs for rootkits, including Symantec Power Eraser and Malwarebytes, but nothing showed up.

When I ran the GMER scan program under Rootkit/Malware, it did not allow me to check the other options, so the only options that were checked were the following (I ran this with admin privileges and with antivirus turned off):

Services
Registry
Files
C:\
ADS

Per your document, they should have been enabled, or at least I should be able to check them, but they were grayed out.

The log came up clean; nothing was found.

So the question I have is: am I getting a false reading from MBR.exe, or is there something else happening here?

Thanks
Adam Raff


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts)

Posted 25 February 2012 - 02:58 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.

Information and logs:

  • In your next post I need the following:
    • Logs from DDS
    • Let me know of any problems you may have had

Gringo


#3 adamraff (Topic Starter, Members, 13 posts)

Posted 27 February 2012 - 10:45 AM

Gringo, here is the info that you wanted. Sorry for the delay; I do not have access to this system on weekends. No issues while running these programs that I can see.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/19/2010 4:16:04 PM
System Uptime: 2/27/2012 8:29:11 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0D441T
Processor: Intel® Core™ i5 CPU 670 @ 3.47GHz | CPU | 3459/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 465 GiB total, 384.736 GiB free.
D: is CDROM (UDF)
E: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP117: 2/6/2012 12:35:50 PM - Windows Update
RP118: 2/6/2012 1:06:58 PM - Windows Modules Installer
RP119: 2/6/2012 1:22:04 PM - Windows Modules Installer
RP120: 2/8/2012 11:09:13 AM - Windows Update
RP121: 2/16/2012 12:00:01 AM - Scheduled Checkpoint
RP122: 2/16/2012 12:05:01 PM - Windows Update
RP123: 2/22/2012 3:16:32 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe Acrobat 9 Standard
Adobe Acrobat 9.5.0 - CPSID_83708
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 9
Adobe Photoshop.com Inspiration Browser
Apple Application Support
Apple Software Update
ATI Catalyst Control Center
BCM Monitor
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
D3DX10
Delete as Spam Add-in
Dell ControlPoint Security Manager
Dell Security Device Driver Pack
Elements 9 Organizer
Elements STI Installer
EMBASSY Security Center Lite
EMBASSY Security Setup
ESC Home Page Plugin
Essentials Setup Installer Sample Update
GoToAssist Corporate
GoToMeeting 4.8.0.723
Intel® Control Center
Intel® Rapid Storage Technology
Interface Traffic Indicator 1.5.0.3
Java Auto Updater
Java™ 6 Update 26
Junk Mail filter update
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft Easy Assist v2
Microsoft Office Live Meeting 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_CRT_x86
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nortel Business Element Manager
PowerDVD DX
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Skins
SolarWinds IP Address Tracker
Trillian
Wave Support Software
WebEx
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinZip 14.5
.
==== Event Viewer Messages From Past Week ========
.
2/27/2012 8:29:53 AM, Error: Service Control Manager [7000] - The Virtual Assist service failed to start due to the following error: The system cannot find the file specified.
2/27/2012 8:29:50 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
2/27/2012 8:29:48 AM, Error: Service Control Manager [7001] - The NTRU TSS v1.2.1.29 TCS service depends on the TPM Base Services service which failed to start because of the following error: The operation completed successfully.
2/27/2012 8:29:48 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain HSPOP due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
2/24/2012 8:43:12 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user HSPOP\adamr SID (S-1-5-21-240672096-293818944-483988704-1112) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2/24/2012 8:43:12 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user HSPOP\adamr SID (S-1-5-21-240672096-293818944-483988704-1112) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2/24/2012 1:14:58 PM, Error: Application Popup [1060] - \??\C:\Users\AdamR\AppData\Local\Temp\mbr.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
2/22/2012 3:14:45 PM, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
2/22/2012 3:14:45 PM, Error: Application Popup [1060] - \??\C:\Windows\system32\C088.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
2/22/2012 2:45:28 PM, Error: Application Popup [1060] - \??\C:\Windows\system32\F463.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by adamr at 10:35:56 on 2012-02-27
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8182.5956 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SysWOW64\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\System Center Operations Manager 2007\HealthService.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\System Center Operations Manager 2007\MonitoringHost.exe
C:\Program Files\System Center Operations Manager 2007\MonitoringHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\AdamR\Desktop\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\AdamR\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\Users\AdamR\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Trillian.lnk - C:\Program Files (x86)\Trillian\trillian.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TDMNOT~1.LNK - C:\Program Files (x86)\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 1 (0x1)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: sonicwall.com\sslvpn.eng
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://heva.solidworks.com/htdocs/pdownload/edrawings/e2011sp03/cab//eModelsStandard.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://symantec.webex.com/client/T27L10NSP11EP14/support/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{5C8BFE11-79A6-4F48-B6EC-CA9A22519B6C} : NameServer = 172.16.0.16,172.16.0.11
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 wvauth
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [(Default)]
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys --> C:\Windows\system32\DRIVERS\nm3.sys [?]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2010-10-5 134456]
R2 HealthService;System Center Management;C:\Program Files\System Center Operations Manager 2007\HealthService.exe [2009-5-8 30592]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-9-2 13336]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2010-9-7 1832072]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-6 138360]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 sw_va_service;Virtual Assist;"C:\Users\AdamR\AppData\Roaming\SonicWALL\VirtualAssist\VASAC.exe" -service --> C:\Users\AdamR\AppData\Roaming\SonicWALL\VirtualAssist\VASAC.exe [?]
S3 B-Service;B-Service;C:\Users\AdamR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GI785Y0X\B-Service.exe --> C:\Users\AdamR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GI785Y0X\B-Service.exe [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdtAgent;Operations Manager Audit Forwarding Service;C:\Windows\system32\AdtAgent.exe --> C:\Windows\system32\AdtAgent.exe [?]
.
=============== Created Last 30 ================
.
2012-02-27 13:32:25 -------- d-----w- C:\Users\AdamR\AppData\Local\{018C0622-F34E-4F22-802A-499222D76CDD}
2012-02-23 22:31:35 -------- d-----w- C:\Users\AdamR\AppData\Local\{F6DC3296-5FF5-4188-884F-124C44D66D9D}
2012-02-23 22:27:18 -------- d-----w- C:\Users\AdamR\AppData\Roaming\SPE
2012-02-23 14:22:07 -------- d-----w- C:\ProgramData\Citrix
2012-02-22 20:37:37 -------- d-----w- C:\Users\AdamR\AppData\Local\{89E762F7-F9E6-4244-A448-FEEA31691B4B}
2012-02-22 20:33:47 -------- d-----w- C:\Users\AdamR\AppData\Local\NPE
2012-02-22 20:33:47 -------- d-----w- C:\ProgramData\Norton
2012-02-22 19:45:28 6144 ------w- C:\Windows\System32\F463.tmp
2012-02-22 19:41:26 -------- d-----w- C:\Program Files (x86)\Sophos
2012-02-16 17:14:35 -------- d-----w- C:\Users\AdamR\AppData\Local\{2F289480-90FA-4A85-BB63-1B80168E70CA}
2012-02-16 17:08:57 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-16 17:08:55 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-16 17:08:42 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-16 17:08:42 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-16 17:07:22 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-02-16 17:06:59 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-16 17:06:47 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-16 17:06:46 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-08 16:23:53 -------- d-----w- C:\Users\AdamR\AppData\Local\{D8215DBB-8E90-4238-9AFA-DE5E3E4B9611}
2012-02-08 14:01:19 345800 ----a-w- C:\Windows\System32\PROUnstl.exe
2012-02-08 14:01:05 -------- d-----w- C:\drvrtmp
2012-02-07 13:39:08 -------- d-----w- C:\Users\AdamR\AppData\Local\{E153D0AC-245D-4863-AF0B-7257F92AB5F7}
2012-02-06 18:26:16 -------- d-----w- C:\Program Files\Hyper-V
2012-02-06 18:25:39 627712 ----a-w- C:\Windows\SysWow64\gpprefbr.dll
2012-02-06 18:25:38 2548736 ----a-w- C:\Windows\SysWow64\propshts.dll
2012-02-06 18:25:37 225280 ----a-w- C:\Windows\SysWow64\gpregistrybrowser.dll
2012-02-06 18:25:36 4342784 ----a-w- C:\Windows\SysWow64\gppref.dll
2012-02-06 18:25:36 166400 ----a-w- C:\Windows\SysWow64\gpprefcn.dll
2012-02-06 18:25:05 -------- d-----w- C:\Windows\System32\ja
2012-02-06 18:23:48 -------- d-----w- C:\Windows\Cluster
2012-02-06 18:23:47 -------- d-----w- C:\inetpub
2012-02-06 18:07:13 -------- d-----w- C:\Windows\System32\BestPractices
2012-02-06 17:14:35 -------- d-----w- C:\Windows\System32\SPReview
2012-02-06 17:13:18 -------- d-----w- C:\Windows\System32\EventProviders
.
==================== Find3M ====================
.
2012-02-23 14:21:31 103784 ----a-w- C:\Users\AdamR\GoToAssistDownloadHelper.exe
2012-02-22 20:45:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-09 18:16:25 134456 ----a-w- C:\Windows\SysWow64\atashost.exe
2012-02-09 18:16:24 217400 ----a-w- C:\Windows\SysWow64\atsckernel.exe
2012-02-06 18:23:36 901632 ----a-w- C:\Windows\System32\gpprefbr.dll
2012-02-06 18:23:36 3787776 ----a-w- C:\Windows\System32\propshts.dll
2012-02-06 18:23:35 4889088 ----a-w- C:\Windows\System32\gppref.dll
2012-02-06 18:23:35 302080 ----a-w- C:\Windows\System32\gpregistrybrowser.dll
2012-02-06 18:23:35 236032 ----a-w- C:\Windows\System32\gpprefcn.dll
2012-02-06 17:19:01 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-02-06 17:19:01 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-01-02 13:36:31 225328 ----a-w- C:\Windows\System32\drivers\wpshelper.sys
2011-12-16 08:47:38 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-12-16 07:54:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-16 06:44:38 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-16 06:09:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 10:36:19.21 ===============

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 01:12 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 adamraff

adamraff
  • Topic Starter

  • Members
  • 13 posts

Posted 27 February 2012 - 01:20 PM

Hi,

I would like to know, before I do anything, why do you think I have a virus or rootkit? I would like to have an explanation before I run a program like that on my system. As I said before, this system is 64-bit; your programs MBR and GRE do not support 64-bit, so what did you see in the logs that you feel may be suspect of a rootkit?

#6 adamraff

adamraff
  • Topic Starter

  • Members
  • 13 posts

Posted 27 February 2012 - 03:53 PM

Please answer the above; also, here is my log file as directed.

Thanks
Adam


ComboFix 12-02-27.02 - adamr 02/27/2012 13:32:58.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8182.6002 [GMT -5:00]
Running from: c:\users\AdamR\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\AdamR\AppData\Local\assembly\tmp
c:\users\AdamR\g2mdlhlpx.exe
c:\users\AdamR\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-27 18:36 . 2012-02-27 18:36 -------- d-----w- c:\users\Itadmin\AppData\Local\temp
2012-02-27 18:36 . 2012-02-27 18:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-27 18:36 . 2012-02-27 18:36 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-02-27 18:30 . 2012-02-27 18:30 -------- d-----w- c:\users\AdamR\AppData\Local\CrashDumps
2012-02-23 22:27 . 2012-02-23 22:27 -------- d-----w- c:\users\AdamR\AppData\Roaming\SPE
2012-02-23 14:22 . 2012-02-23 14:22 -------- d-----w- c:\programdata\Citrix
2012-02-22 20:33 . 2012-02-22 20:44 -------- d-----w- c:\users\AdamR\AppData\Local\NPE
2012-02-22 20:33 . 2012-02-22 20:33 -------- d-----w- c:\programdata\Norton
2012-02-22 19:45 . 2011-08-25 14:33 6144 ------w- c:\windows\system32\F463.tmp
2012-02-22 19:41 . 2012-02-23 23:11 -------- d-----w- c:\program files (x86)\Sophos
2012-02-16 17:08 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 17:08 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 17:08 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 17:08 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 17:07 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 17:06 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 17:06 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-16 17:06 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-08 16:12 . 2012-02-08 16:12 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-02-08 14:01 . 2010-02-23 16:00 345800 ----a-w- c:\windows\system32\PROUnstl.exe
2012-02-08 14:01 . 2012-02-08 14:01 -------- d-----w- C:\drvrtmp
2012-02-06 18:26 . 2012-02-06 18:26 -------- d-----w- c:\program files\Hyper-V
2012-02-06 18:25 . 2012-02-06 18:23 627712 ----a-w- c:\windows\SysWow64\gpprefbr.dll
2012-02-06 18:25 . 2012-02-06 18:23 2548736 ----a-w- c:\windows\SysWow64\propshts.dll
2012-02-06 18:25 . 2012-02-06 18:23 225280 ----a-w- c:\windows\SysWow64\gpregistrybrowser.dll
2012-02-06 18:25 . 2012-02-06 18:23 166400 ----a-w- c:\windows\SysWow64\gpprefcn.dll
2012-02-06 18:25 . 2012-02-06 18:23 4342784 ----a-w- c:\windows\SysWow64\gppref.dll
2012-02-06 18:25 . 2012-02-06 18:25 -------- d-----w- c:\windows\system32\ja
2012-02-06 18:23 . 2012-02-06 18:23 -------- d-----w- C:\inetpub
2012-02-06 18:07 . 2012-02-06 18:07 -------- d-----w- c:\windows\system32\BestPractices
2012-02-06 17:14 . 2012-02-06 17:14 -------- d-----w- c:\windows\system32\SPReview
2012-02-06 17:13 . 2012-02-06 17:13 -------- d-----w- c:\windows\system32\EventProviders
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 20:45 . 2011-05-22 17:18 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-09 18:16 . 2010-10-05 22:27 134456 ----a-w- c:\windows\SysWow64\atashost.exe
2012-02-09 18:16 . 2010-10-05 22:27 217400 ----a-w- c:\windows\SysWow64\atsckernel.exe
2012-02-06 17:19 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-02-06 17:19 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-02 13:36 . 2010-09-26 19:28 225328 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-12-10 20:24 . 2012-01-12 19:05 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2010-09-07 115560]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\users\AdamR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 245120]
Trillian.lnk - c:\program files (x86)\Trillian\trillian.exe [2011-8-18 2068832]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 185192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 sw_va_service;Virtual Assist;c:\users\AdamR\AppData\Roaming\SonicWALL\VirtualAssist\VASAC.exe [x]
R3 B-Service;B-Service;c:\users\AdamR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GI785Y0X\B-Service.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\C088.tmp [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdtAgent;Operations Manager Audit Forwarding Service;c:\windows\system32\AdtAgent.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 nm3;Microsoft Network Monitor 3 Driver;c:\windows\system32\DRIVERS\nm3.sys [x]
S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-09-06 169408]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2012-02-09 134456]
S2 HealthService;System Center Management;c:\program files\System Center Operations Manager 2007\HealthService.exe [2009-05-09 30592]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-06 138360]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 18:00 60784 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 18:00 60784 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2009-08-26 2900992]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"combofix"="c:\combofix\CF5971.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: sonicwall.com\sslvpn.eng
TCP: Interfaces\{5C8BFE11-79A6-4F48-B6EC-CA9A22519B6C}: NameServer = 172.16.0.16,172.16.0.11
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-Symantec Antvirus
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C088.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
.
**************************************************************************
.
Completion time: 2012-02-27 13:42:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-27 18:42
.
Pre-Run: 424,622,792,704 bytes free
Post-Run: 423,877,824,512 bytes free
.
- - End Of File - - 018D32619D68FCF0C116154CB9DFAEB5

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 05:36 PM

Hello


Power went out before I had a chance to answer you.


There is nothing 100% in your reports to say that you have a rootkit, just some signs that there may be one and a need to check further.

This is one sign:

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR


Oh, and GMER does work on 64-bit computers; just not all the selections can be checked. That is why some of the items could not be selected.

c:\users\AdamR\AppData\Local\assembly\tmp - this is a location that is used a lot by the Zaccess rootkit also (it does not mean you have it); it just means it warrants further checking.

At the very worst, your computer is going to get a very good checkup and end up more secure and better optimized.



I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
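The sign Gringo points to above is the MBR.exe detector failing to read sector 0 of the disk at all ("error reading MBR"), while the later TDSSKiller run did read it and reported "MBR used" with two Type 0x7 partitions. The following Python script is an added example, not code from this thread or from any of the tools named in it: it constructs a 512-byte MBR sector matching the partition layout TDSSKiller printed, parses it the way a scanner does, and runs the consistency checks a responder would want (boot signature present, no overlapping or out-of-bounds entries, and which sector ranges are unallocated and therefore worth baselining). The zero-filled boot code, the bootable flag on the first entry, the disk size taken from the TDSSKiller drive line, and all function names are assumptions of the example.

```python
"""Parse and sanity-check an MBR partition table (added example, constructed data)."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at bytes 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, start LBA, sector count

# Layout as reported by the TDSSKiller run quoted in the thread (Type 0x7 = NTFS).
# The bootable flag on entry 0 is an assumption; the log does not print it.
SAMPLE_LAYOUT = [
    (True,  0x07, 0x14000,  0x177000),     # Partition0
    (False, 0x07, 0x18B000, 0x3A1FA800),   # Partition1
]
# Drive size from the same log: 0x7470C06000 bytes, 0x200 bytes per sector.
DISK_SECTORS = 0x7470C06000 // SECTOR_SIZE   # 0x3A386030 sectors


def build_sample_mbr(layout):
    """Return a constructed MBR sector; boot code (bytes 0..445) is left zero-filled."""
    sector = bytearray(SECTOR_SIZE)
    for i, (bootable, ptype, start, count) in enumerate(layout):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # CHS fields are set to FE FF FF, the usual "use the LBA fields" marker.
        struct.pack_into(ENTRY_FMT, sector, off,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the in-use primary partition entries; raise ValueError if not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0 and start == 0 and count == 0:
            continue  # unused slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts


def is_valid_mbr(sector):
    """True if parse_mbr() accepts the sector, False otherwise."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def check_partitions(parts, disk_sectors):
    """Return human-readable anomalies; an empty list means the table is self-consistent."""
    issues = []
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append("entry %d: unexpected status byte 0x%02x" % (p["index"], p["status"]))
        if p["sectors"] == 0:
            issues.append("entry %d: zero-length partition" % p["index"])
        if p["start_lba"] + p["sectors"] > disk_sectors:
            issues.append("entry %d: extends past end of disk" % p["index"])
    for a in parts:
        for b in parts:
            if a["index"] < b["index"]:
                a_end = a["start_lba"] + a["sectors"]
                b_end = b["start_lba"] + b["sectors"]
                if a["start_lba"] < b_end and b["start_lba"] < a_end:
                    issues.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return issues


def unallocated_ranges(parts, disk_sectors):
    """Return (start, end_exclusive) LBA ranges no partition covers; sector 0 is the MBR itself.

    A responder can hash these ranges once and re-check them later, since they are
    outside any file system and a change there is not explained by normal file activity.
    """
    ranges = []
    cursor = 1
    for p in sorted(parts, key=lambda e: e["start_lba"]):
        if p["start_lba"] > cursor:
            ranges.append((cursor, p["start_lba"]))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < disk_sectors:
        ranges.append((cursor, disk_sectors))
    return ranges


if __name__ == "__main__":
    sector = build_sample_mbr(SAMPLE_LAYOUT)
    for p in parse_mbr(sector):
        print("Partition%d: MBR, Type 0x%X, StartLBA 0x%X, BlocksNum 0x%X"
              % (p["index"], p["type"], p["start_lba"], p["sectors"]))
    print("issues:", check_partitions(parse_mbr(sector), DISK_SECTORS) or "none")
    print("unallocated:", [("0x%X" % s, "0x%X" % e)
                           for s, e in unallocated_ranges(parse_mbr(sector), DISK_SECTORS)])
```

On the sample layout the two entries abut exactly (Partition0 ends at 0x18B000, where Partition1 begins), so the only unallocated areas are the gap between the MBR and the first partition and the short tail after the last one. Reading sector 0 from a live disk for real requires opening the raw physical device with administrative rights, which is exactly the step the "handle is invalid" error shows failing.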

#8 adamraff

adamraff
  • Topic Starter

  • Members
  • 13 posts

Posted 27 February 2012 - 06:13 PM

Gringo,

Thanks for the info. I want to let you know that upon downloading aswMBR and, I gather, downloading its update, my AV (which I did disable, though the service was still running) picked up a virus, unp170138878.tmp, called Trojan.Gen.2. This file was located in Temp\_avast4\. I also ran Defogger too, just in case.

17:43:20.0211 6764 TDSS rootkit removing tool 2.7.15.0 Feb 27 2012 12:59:02
17:43:20.0616 6764 ============================================================
17:43:20.0616 6764 Current date / time: 2012/02/27 17:43:20.0616
17:43:20.0616 6764 SystemInfo:
17:43:20.0616 6764
17:43:20.0616 6764 OS Version: 6.1.7601 ServicePack: 1.0
17:43:20.0616 6764 Product type: Workstation
17:43:20.0616 6764 ComputerName: ADAMR64
17:43:20.0616 6764 UserName: adamr
17:43:20.0616 6764 Windows directory: C:\Windows
17:43:20.0616 6764 System windows directory: C:\Windows
17:43:20.0616 6764 Running under WOW64
17:43:20.0616 6764 Processor architecture: Intel x64
17:43:20.0616 6764 Number of processors: 4
17:43:20.0616 6764 Page size: 0x1000
17:43:20.0616 6764 Boot type: Normal boot
17:43:20.0616 6764 ============================================================
17:43:21.0022 6764 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
17:43:21.0037 6764 \Device\Harddisk0\DR0:
17:43:21.0037 6764 MBR used
17:43:21.0037 6764 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x177000
17:43:21.0037 6764 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x18B000, BlocksNum 0x3A1FA800
17:43:21.0053 6764 Initialize success
17:43:21.0053 6764 ============================================================
17:43:23.0798 6248 ============================================================
17:43:23.0798 6248 Scan started
17:43:23.0798 6248 Mode: Manual;
17:43:23.0798 6248 ============================================================
17:43:24.0142 6248 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
17:43:24.0142 6248 1394ohci - ok
17:43:24.0188 6248 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
17:43:24.0188 6248 ACPI - ok
17:43:24.0220 6248 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
17:43:24.0220 6248 AcpiPmi - ok
17:43:24.0298 6248 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
17:43:24.0298 6248 adp94xx - ok
17:43:24.0329 6248 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
17:43:24.0329 6248 adpahci - ok
17:43:24.0360 6248 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
17:43:24.0360 6248 adpu320 - ok
17:43:24.0422 6248 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
17:43:24.0438 6248 AFD - ok
17:43:24.0469 6248 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
17:43:24.0469 6248 agp440 - ok
17:43:24.0500 6248 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
17:43:24.0500 6248 aliide - ok
17:43:24.0563 6248 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
17:43:24.0563 6248 amdide - ok
17:43:24.0610 6248 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
17:43:24.0610 6248 AmdK8 - ok
17:43:24.0656 6248 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
17:43:24.0656 6248 AmdPPM - ok
17:43:24.0688 6248 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
17:43:24.0688 6248 amdsata - ok
17:43:24.0734 6248 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
17:43:24.0734 6248 amdsbs - ok
17:43:24.0766 6248 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
17:43:24.0766 6248 amdxata - ok
17:43:24.0828 6248 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
17:43:24.0828 6248 AppID - ok
17:43:24.0906 6248 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
17:43:24.0906 6248 arc - ok
17:43:24.0937 6248 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
17:43:24.0937 6248 arcsas - ok
17:43:24.0984 6248 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
17:43:24.0984 6248 AsyncMac - ok
17:43:25.0031 6248 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
17:43:25.0031 6248 atapi - ok
17:43:25.0171 6248 atikmdag (b5fb227a09a9ec28163fa4b45487c3c7) C:\Windows\system32\DRIVERS\atikmdag.sys
17:43:25.0249 6248 atikmdag - ok
17:43:25.0343 6248 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
17:43:25.0343 6248 b06bdrv - ok
17:43:25.0374 6248 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
17:43:25.0390 6248 b57nd60a - ok
17:43:25.0421 6248 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
17:43:25.0421 6248 Beep - ok
17:43:25.0483 6248 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
17:43:25.0483 6248 blbdrive - ok
17:43:25.0530 6248 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
17:43:25.0530 6248 bowser - ok
17:43:25.0546 6248 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
17:43:25.0546 6248 BrFiltLo - ok
17:43:25.0561 6248 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
17:43:25.0561 6248 BrFiltUp - ok
17:43:25.0608 6248 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
17:43:25.0608 6248 BridgeMP - ok
17:43:25.0686 6248 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
17:43:25.0686 6248 Brserid - ok
17:43:25.0717 6248 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
17:43:25.0717 6248 BrSerWdm - ok
17:43:25.0748 6248 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
17:43:25.0748 6248 BrUsbMdm - ok
17:43:25.0780 6248 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
17:43:25.0780 6248 BrUsbSer - ok
17:43:25.0795 6248 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
17:43:25.0795 6248 BTHMODEM - ok
17:43:25.0858 6248 catchme - ok
17:43:25.0920 6248 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
17:43:25.0920 6248 cdfs - ok
17:43:25.0967 6248 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
17:43:25.0967 6248 cdrom - ok
17:43:26.0014 6248 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
17:43:26.0014 6248 circlass - ok
17:43:26.0045 6248 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
17:43:26.0045 6248 CLFS - ok
17:43:26.0076 6248 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
17:43:26.0076 6248 CmBatt - ok
17:43:26.0107 6248 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
17:43:26.0107 6248 cmdide - ok
17:43:26.0154 6248 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
17:43:26.0154 6248 CNG - ok
17:43:26.0170 6248 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
17:43:26.0170 6248 Compbatt - ok
17:43:26.0248 6248 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
17:43:26.0248 6248 CompositeBus - ok
17:43:26.0294 6248 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
17:43:26.0294 6248 crcdisk - ok
17:43:26.0357 6248 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
17:43:26.0357 6248 CSC - ok
17:43:35.0810 6248 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
17:43:35.0873 6248 \Device\Harddisk0\DR0 - ok
17:43:35.0873 6248 Boot (0x1200) (2aed75e0a586f34cdb7f677699b4239e) \Device\Harddisk0\DR0\Partition0
17:43:35.0873 6248 \Device\Harddisk0\DR0\Partition0 - ok
17:43:35.0889 6248 Boot (0x1200) (098cebaf851376ff17fed8a1ba89224f) \Device\Harddisk0\DR0\Partition1
17:43:35.0889 6248 \Device\Harddisk0\DR0\Partition1 - ok
17:43:35.0889 6248 ============================================================
17:43:35.0889 6248 Scan finished
17:43:35.0889 6248 ============================================================
17:43:35.0904 1032 Detected object count: 0
17:43:35.0904 1032 Actual detected object count: 0

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-27 17:46:09
-----------------------------
17:46:09.305 OS Version: Windows x64 6.1.7601 Service Pack 1
17:46:09.305 Number of processors: 4 586 0x2502
17:46:09.305 ComputerName: ADAMR64 UserName: adamr
17:46:14.390 Initialize success
17:48:49.175 AVAST engine defs: 12022701
17:48:55.587 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
17:48:55.587 Disk 0 Vendor: ST350041 CC46 Size: 476940MB BusType: 8
17:48:55.602 Disk 0 MBR read successfully
17:48:55.602 Disk 0 MBR scan
17:48:55.602 Disk 0 Windows VISTA default MBR code
17:48:55.602 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
17:48:55.618 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 750 MB offset 81920
17:48:55.618 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 476149 MB offset 1617920
17:48:55.649 Disk 0 scanning C:\Windows\system32\drivers
17:49:10.953 Service scanning
17:49:35.180 Modules scanning
17:49:35.180 Disk 0 trace - called modules:
17:49:35.211 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:49:35.227 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80095b6060]
17:49:35.227 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa8008303050]
17:49:40.000 AVAST engine scan C:\Windows
17:49:43.152 AVAST engine scan C:\Windows\system32
17:53:46.237 AVAST engine scan C:\Windows\system32\drivers
17:54:02.586 AVAST engine scan C:\Users\AdamR
17:56:31.378 AVAST engine scan C:\ProgramData
17:59:37.144 Scan finished successfully
18:02:56.089 Disk 0 MBR has been saved successfully to "C:\Users\AdamR\Desktop\dds text\MBR.dat"
18:02:56.089 The log file has been saved successfully to "C:\Users\AdamR\Desktop\dds text\aswMBR.txt"

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 09:09 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 adamraff

adamraff
  • Topic Starter

  • Members
  • 13 posts

Posted 28 February 2012 - 10:07 AM

Hi,

First, I can't get to the file to save; there is nothing there, the script.

Second, I found another one of those viruses this morning when I came in. Whatever that anti-rootkit program you had me install was, it dropped something in my system. I did a full scan; it looks clear now.

Before I do anything else, I would like to know what you have found from the last scans, as nothing has shown up from what I could see. Did you find anything that points to a rootkit? If so, what was it?

thanks
Adam

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2012 - 04:55 PM

Hello

First, I can't get to the file to save; there is nothing there, the script. - There is no file to download; start with the instructions at "Open Notepad".

Second, I found another one of those viruses this morning when I came in. Whatever that anti-rootkit program you had me install was, it dropped something in my system. I did a full scan; it looks clear now. - Please give me more details. If the programs that I had you install are a virus, I need to warn the 20,000 other people that I have helped.

Before I do anything else, I would like to know what you have found from the last scans, as nothing has shown up from what I could see. Did you find anything that points to a rootkit? If so, what was it? - You may do what you want. I told you what I have seen and what I was going to do, and at the very least I told you that I was going to leave you a more secure computer when I finished.

You are the one who came here and asked for my help. If you are going to question why I decide to use a tool, or when I decide to use it, this could take a very long time to complete.

Let me know if you would like to continue or not

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#12 adamraff (Topic Starter)
  • Members
  • 13 posts

Posted 29 February 2012 - 10:22 AM

Gringo,

Thanks for replying back.

I did give you more info; you may have missed it. It was on top of the last set of logs that I sent you. Here is the info on what virus popped up:

Thanks for the info. I want to let you know that upon downloading aswMBR and, I gather, downloading its update, my AV, which I did disable though the service was still running, picked up a virus unp170138878.tmp called Trojan.Gen.2. This file was located in Temp\_avast4\. I also ran Defogger too just in case. The next day I picked up another warning. I cleaned up that directory and deleted all files in that folder and the other folder that the program created, and ran a full scan of the system yesterday; no issues found, and no issues found this morning.

As to your comment, I am not trying to argue and I do appreciate what you are doing. I am also a tech, not as skilled in viruses and malware, which is why I came to this board. The reason why I asked was because of the comment about the temp file, and what you think it was or could be. You then asked me to run two other rootkit programs and send you the logs. I would prefer not doing something until I have a little more info, so I was wondering what you saw as you asked me to run the other program again? That was all. I was wondering if what you saw in the logs proved out what you thought.

I got your last post and I understand what you meant about the notepad. I will update you on that shortly once I get some work done.

Thanks
Adam Raff

#13 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 29 February 2012 - 10:55 AM

Hello


So far the reports have been clean, but I wanted to double check with those other programs. So, in my best opinion, right now there is no rootkit.

The last script from ComboFix will clear out the Java cache before we do some more scans, as this will remove unneeded files and clean out a favorite hiding place of other viruses. I like to use ComboFix for this, as I normally run it twice to make sure it comes back clean.


Gringo

#14 adamraff (Topic Starter)
  • Members
  • 13 posts

Posted 29 February 2012 - 02:08 PM

Gringo,

Sorry about this, but I was getting ready to work and my Endpoint Protection flagged ComboFix as the Trojan.HDH.2 virus and deleted it.

I am going to re-download it. Should I still use the script or not?

Is there anything I should do before?

Thanks
Adam

#15 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 01 March 2012 - 07:43 AM

Yes, download it again to your desktop and then use the script (shut off the antivirus so it does not remove it).



gringo