
Trojan.Zeroaccess!kmem can't be removed


This topic is locked
40 replies to this topic

#1 greggersuk

  • Members
  • 22 posts

Posted 26 February 2012 - 05:08 PM

Hi

Read a lot of good stuff about this forum, I really hope you can help with my issue. :)

I am having a problem with some malware, I think. Symantec tells me that Trojan.Zeroaccess!kmem is present in NTOS but it can't be fixed/removed. I get a lot of web redirects and it messed around with my proxy settings in Firefox. I also get the processor running high for some reason.

Below is my DDS log and ATTACH.txt is attached. However, every time I tried to run GMER it crashed my whole computer and I was forced to restart; I couldn't manage to complete the scan. I did note, however, that it had found a hidden file PING.exe. Please advise if I should run the scan in a different way.

Thanks in advance

Greig

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by GRichard at 21:22:22 on 2012-02-26
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3062.907 [GMT 0:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe
C:\Program Files\Citrix\MetaFrame Password Manager\Sagent.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\app\product\11.1.0\db_1\bin\OraVSSW.exe
C:\app\product\11.1.0\db_1\bin\OraVSSW.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Citrix\ReceiverInsideForSSO\Receiver.exe
C:\Program Files\Citrix\MetaFrame Password Manager\ssoshell.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=100488&mntrId=e81bfda1000000000000002314e36d54
uDefault_Page_URL = hxxp://InSite.telcordia.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Citrix Single Sign-On Browser Helper Object Class: {c3793308-160c-4b29-b44e-a09ee159dc83} - c:\program files\citrix\metaframe password manager\helper\ie\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [DLCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCJtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\metaframe password manager\ssoshell.exe
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D7F68AA9-870C-4E5E-B938-FD25F2EE59F3} - hxxps://telcordia.hostedtraining.com/activexTunnel.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://njremote.telcordia.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3070A08C-84D8-4AFD-939F-CDEB00E7F5DF} : DhcpNameServer = 195.129.12.115 158.43.128.72
TCP: Interfaces\{5D698F46-CCF6-438E-939E-E21238D9849E} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{6FBD949D-E13C-48C1-B722-4AB2A9D24E86} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6FBD949D-E13C-48C1-B722-4AB2A9D24E86}\242716373702E4544574541425 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6FBD949D-E13C-48C1-B722-4AB2A9D24E86}\251646963737F6E6F57457563747 : DhcpNameServer = 83.97.120.225 83.97.124.225
TCP: Interfaces\{6FBD949D-E13C-48C1-B722-4AB2A9D24E86}\34F47594D27455543545 : DhcpNameServer = 10.0.0.1 217.13.4.24 217.13.7.140
TCP: Interfaces\{EBE3D9B1-500D-4FC0-BECC-3EE91743FB4D} : DhcpNameServer = 192.4.197.241 128.96.20.33
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\grichard\appdata\roaming\mozilla\firefox\profiles\s4a0xzp2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\users\grichard\appdata\roaming\mozilla\plugins\npCWAHostPlugin.dll
FF - plugin: c:\users\grichard\appdata\roaming\mozilla\plugins\npCWAVersionPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\system32\drivers\SMR250.SYS [2012-2-26 83064]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_1fb74af29935fce6\AEstSrv.exe [2010-9-10 81920]
R2 Citrix_Password_Manager_Sagent;Citrix Single Sign-On Sagent;c:\program files\citrix\metaframe password manager\Sagent.exe [2011-7-19 95104]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2009-11-19 102968]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-7-16 26168]
R2 OracleVssWriterNE;Oracle NE VSS Writer Service;c:\app\product\11.1.0\db_1\bin\oravssw.exe ne --> c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NE [?]
R2 OracleVssWriterNEUK;Oracle NEUK VSS Writer Service;c:\app\product\11.1.0\db_1\bin\oravssw.exe neuk --> c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NEUK [?]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-9-10 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2009-9-17 369952]
R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\common files\safenet sentinel\sentinel security runtime\sntlsrtsrvr.exe [2009-9-17 292128]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-7-8 1839888]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-9-10 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-21 1639728]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-8-1 539184]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-9-10 228408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-9-10 214696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-5 106104]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-9-10 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2010-4-29 26112]
S3 ArcGIS License Manager;ArcGIS License Manager;c:\program files\esri\license\arcgis9x\lmgrd.exe [2011-3-4 1372160]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys [2010-4-29 26112]
S3 OracleDBConsoleNE;OracleDBConsoleNE;c:\app\product\11.1.0\db_1\bin\nmesrvc.exe [2011-3-16 25600]
S3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\app\product\11.1.0\db_1\bin\tnslsnr --> c:\app\product\11.1.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceNE;OracleServiceNE;c:\app\product\11.1.0\db_1\bin\oracle.exe ne --> c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NE [?]
S3 OracleServiceNEUK;OracleServiceNEUK;c:\app\product\11.1.0\db_1\bin\oracle.exe neuk --> c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NEUK [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-12-13 15872]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-8-19 27192]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-6-13 1120752]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-12-13 52224]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-10 1343400]
S4 OracleJobSchedulerNE;OracleJobSchedulerNE;c:\app\product\11.1.0\db_1\bin\extjob.exe ne --> c:\app\product\11.1.0\db_1\bin\extjob.exe NE [?]
S4 OracleJobSchedulerNEUK;OracleJobSchedulerNEUK;c:\app\product\11.1.0\db_1\bin\extjob.exe neuk --> c:\app\product\11.1.0\db_1\bin\extjob.exe NEUK [?]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\system32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-02-26 20:37:26 83064 ----a-w- c:\windows\system32\drivers\SMR250.SYS
2012-02-24 14:10:00 84146 ----a-w- c:\programdata\MrN7XC6s.exe
2012-02-24 11:22:30 -------- d-----w- c:\users\grichard\appdata\local\NPE
2012-02-24 11:22:30 -------- d-----w- c:\programdata\Norton
2012-02-24 11:12:29 -------- d-----w- c:\program files\BFDA1
2012-02-24 10:51:03 84146 ----a-w- c:\windows\system32\iDeQ6Q.com
2012-02-24 08:44:30 -------- d-----w- c:\program files\LP
2012-02-23 23:53:54 84146 ----a-w- c:\windows\system32\iDeQ6Q.com_
2012-02-23 23:44:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 23:43:52 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 23:35:48 -------- d-----w- c:\users\grichard\appdata\local\AppCore
.
==================== Find3M ====================
.
2012-01-14 03:35:54 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll
2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl
2011-12-16 07:54:22 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 07:52:58 690688 ----a-w- c:\windows\system32\msvcrt.dll
2011-12-16 06:09:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-15 12:40:53 152576 ----a-w- c:\windows\system32\msclmd.dll
.
============= FINISH: 21:23:50.18 ===============
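The DDS log above already holds the evidence behind the symptoms in this post: a Firefox proxy forced to 127.0.0.1 (the redirects) and three same-sized executables with random names written into system32 and ProgramData within a day; the ComboFix log later in the thread adds an '@' file under a $NtUninstallKB<n>$ folder among its deletions. The Python script below is an added example, not a BleepingComputer, DDS or ComboFix tool: it parses those three line formats and reports the indicators, using a sample built from lines in this thread. The regular expressions, the 6-to-8-character mixed-case name heuristic, the same-size clustering and the function names are this example's own choices.

```python
"""Triage helper for DDS / ComboFix style log lines (added example, not a forum tool).

Three indicators visible in this thread are checked:
  * Firefox prefs.js forcing a manual proxy on 127.0.0.1,
  * recently created executables in system32 / ProgramData with short
    mixed-case, digit-bearing names, especially several of identical size,
  * an '@' file inside a $NtUninstallKB<n>$ directory, the layout ComboFix
    later listed under "Other Deletions".
Regexes, thresholds and function names are this example's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: lines copied from, or modelled on, the logs in this thread.
SAMPLE_LOG = "\n".join([
    r"FF - prefs.js: browser.startup.homepage - www.google.co.uk",
    r"FF - prefs.js: network.proxy.http - 127.0.0.1",
    r"FF - prefs.js: network.proxy.type - 1",
    r"2012-02-26 20:37:26 83064 ----a-w- c:\windows\system32\drivers\SMR250.SYS",
    r"2012-02-24 14:10:00 84146 ----a-w- c:\programdata\MrN7XC6s.exe",
    r"2012-02-24 11:12:29 -------- d-----w- c:\program files\BFDA1",
    r"2012-02-24 10:51:03 84146 ----a-w- c:\windows\system32\iDeQ6Q.com",
    r"2012-02-23 23:53:54 84146 ----a-w- c:\windows\system32\iDeQ6Q.com_",
    r"2012-02-23 23:44:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl",
    r"c:\windows\$NtUninstallKB38070$\1723396622\@",
    r"c:\windows\$NtUninstallKB38070$\1723396622\cfg.ini",
])

# "FF - prefs.js: <key> - <value>" (DDS emits user.js lines in the same shape)
PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
# "<date> <time> <size|--------> <attrs> <path>" as in the "Created Last 30" section
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# "...\$NtUninstallKB<digits>$\<digits>\@" at end of line
NTUNINSTALL_AT_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\@$", re.IGNORECASE)
# short alphanumeric stems; the case/digit mix is checked in looks_random()
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{6,8}$")

HOT_DIRS = ("\\system32\\", "\\programdata\\")
LOCAL_HOSTS = ("127.0.0.1", "localhost")


def parse_ff_prefs(lines: List[str]) -> Dict[str, str]:
    """Collect Firefox pref lines into a key -> value dict."""
    prefs: Dict[str, str] = {}
    for line in lines:
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def flag_local_proxy(prefs: Dict[str, str]) -> List[str]:
    """network.proxy.type 1 is Firefox's manual-proxy mode; a loopback host means
    every request is handed to a process on this machine before it leaves."""
    if prefs.get("network.proxy.type") != "1":
        return []
    return [
        f"Firefox manual proxy {key} = {prefs[key]}: browser traffic is routed through a local process"
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")
        if prefs.get(key) in LOCAL_HOSTS
    ]


def parse_created(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, size, attrs) tuples; size is '--------' for directories."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            out.append((m.group(5), m.group(3), m.group(4)))
    return out


def looks_random(stem: str) -> bool:
    """Short stem mixing upper case, lower case and digits, e.g. iDeQ6Q or MrN7XC6s."""
    return (RANDOM_STEM_RE.match(stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def flag_random_named_files(entries: List[Tuple[str, str, str]]) -> List[str]:
    findings: List[str] = []
    by_size: Dict[str, List[str]] = defaultdict(list)
    for path, size, attrs in entries:
        if attrs.startswith("d") or not size.isdigit():
            continue  # directories carry no size, nothing to cluster
        stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
        if any(d in path.lower() for d in HOT_DIRS) and looks_random(stem):
            findings.append(f"Randomly named file in a system location: {path} ({size} bytes)")
        by_size[size].append(path)
    # Identical sizes across differently named files suggest one dropper written several times.
    for size, paths in by_size.items():
        if len(paths) >= 2:
            findings.append(f"{len(paths)} new files share size {size}: " + ", ".join(paths))
    return findings


def flag_ntuninstall_at_file(lines: List[str]) -> List[str]:
    return [f"'@' file under a $NtUninstallKB<n>$ directory: {line.strip()}"
            for line in lines if NTUNINSTALL_AT_RE.search(line.strip())]


def triage(text: str) -> List[str]:
    """Run every check over raw log text and return the findings in order."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    findings = flag_local_proxy(parse_ff_prefs(lines))
    findings += flag_random_named_files(parse_created(lines))
    findings += flag_ntuninstall_at_file(lines)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it directly to print the findings for the sample, or pass the text of a DDS.txt to `triage()`. The same-size check is the one worth keeping: a single oddly named file is often a vendor tool, but three differently named files of exactly 84146 bytes written within a day is what a responder would pull for analysis first.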


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 03:07 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 greggersuk (Topic Starter)

  • Members
  • 22 posts

Posted 27 February 2012 - 07:46 AM

Hi

Many thanks for the reply Gringo

I followed your instructions and downloaded the program. I disabled my Symantec S/W and ran ComboFix. After its initial scan it said my virus S/W was still running. I ensured it wasn't and even stopped the service.

It detected that I had rootkit problems and said it would restart. However, when it logged back in it seemed to load in safe mode and couldn't locate my desktop; I had a message saying that it couldn't locate the desktop.

I now can't seem to get it back and it always restarts in what looks like safe mode. I can't get wireless connectivity either.

Please advise.

Many Thanks

Greig

#4 greggersuk (Topic Starter)

  • Members
  • 22 posts

Posted 27 February 2012 - 07:53 AM

To confirm: ComboFix didn't restart when the computer restarted.

I could try and select the system restore point that ComboFix made, but I will wait on your instruction before doing anything.

Thanks

Greig

#5 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 07:57 AM

Can you run ComboFix from where you are now?


gringo

#6 greggersuk (Topic Starter)

  • Members
  • 22 posts

Posted 27 February 2012 - 08:32 AM

Hi

I have copied the ComboFix program across on a stick and run it. This time the restart did see the program start.

It completed up to stage_50 and then deleted some files:

C:/install.exe
C:/users/grichard/desktop/internet explorer.lnk
C:/users/grichard/documents/WRL3684.tmp
c:7windows/$NtUninstallllkb3807$/172336633/@
(Then a whole load like the last one)
C:/windows/system32/regobj.dll

Then it says deleting Folders

C:/program files/LP

But it's now hung, it is no longer processing and the hard drive is idle.

Should I turn the computer on and off again?

Thanks

#7 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2012 - 12:46 PM

Yes, restart the computer, then come back and let me know what is going on.


Gringo

#8 greggersuk (Topic Starter)

  • Members
  • 22 posts

Posted 27 February 2012 - 01:18 PM

Hi

I crashed out and then re-ran ComboFix. It sorted out my desktop issue but hung again. I eventually managed to finish ComboFix and it produced the first log, copied below. It warned me that I had rootkit.zeroaccess and that it had inserted itself into the TCP/IP stack. It told me that if I didn't have internet connectivity when I restarted to rerun ComboFix. I restarted and found that connectivity was down and re-ran ComboFix several times. It seems to have been restored eventually. Below the first log are the results of the final log that worked.

The computer 'seems' to be running better now, but the processor still seems very active.

What are my next steps?

Thanks again.

Greig

First log created

ComboFix 12-02-25.02 - GRichard 02/27/2012 18:09:41.3.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3062.2231 [GMT 1:00]
Running from: c:\users\grichard\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB38070$\1651848572
c:\windows\$NtUninstallKB38070$\1723396622\@
c:\windows\$NtUninstallKB38070$\1723396622\cfg.ini
c:\windows\$NtUninstallKB38070$\1723396622\Desktop.ini
c:\windows\$NtUninstallKB38070$\1723396622\L\xadqgnnk
.
Infected copy of c:\windows\system32\drivers\csc.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\msports.inf_x86_neutral_c1a802e06677f73f\serial.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-27 17:17 . 2012-02-27 17:20 -------- d-----w- c:\users\grichard\AppData\Local\temp
2012-02-27 17:17 . 2012-02-27 17:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-27 17:17 . 2012-02-27 17:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-27 17:17 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-27 17:17 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-27 16:02 . 2010-11-20 08:44 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-27 15:32 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-27 15:02 . 2010-11-20 08:39 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-27 12:15 . 2012-02-27 12:15 -------- d-----w- c:\users\Default\AppData\Local\Symantec
2012-02-26 21:48 . 2012-02-27 15:54 -------- d-----w- c:\users\grichard\AppData\Local\CrashDumps
2012-02-26 21:47 . 2012-02-26 21:47 100864 ----a-w- C:\awliipog.sys
2012-02-24 11:22 . 2012-02-26 20:49 -------- d-----w- c:\users\grichard\AppData\Local\NPE
2012-02-24 11:22 . 2012-02-24 11:22 -------- d-----w- c:\programdata\Norton
2012-02-24 11:12 . 2012-02-24 11:12 -------- d-----w- c:\program files\BFDA1
2012-02-23 23:44 . 2012-02-23 23:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 23:43 . 2012-02-26 22:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 23:35 . 2012-02-24 11:39 -------- d-----w- c:\users\grichard\AppData\Local\AppCore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 12:40 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2010-10-12 15:33 . 2010-10-12 15:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 17:15 . 2010-10-12 17:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 15:37 . 2010-10-12 15:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 15:35 . 2010-10-12 15:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 15:34 . 2010-10-12 15:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 15:32 . 2010-10-12 15:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 15:35 . 2010-10-12 15:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 15:34 . 2010-10-12 15:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 11:42 . 2010-07-14 11:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 15:37 . 2010-10-12 15:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-02-17 12:38 . 2011-03-28 13:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3793308-160C-4b29-B44E-A09EE159DC83}]
2011-07-20 01:15 501120 ----a-w- c:\program files\Citrix\MetaFrame Password Manager\Helper\IE\bho.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-12-22 12214272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-03-14 5731152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-07-08 115624]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-11-18 495708]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe" [2009-11-19 363064]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-08-01 64048]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"DLCJCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix Single Sign-On Background Process.lnk - c:\program files\Citrix\MetaFrame Password Manager\ssoshell.exe [2011-7-20 3955584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\0\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\1\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\2\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\3\0]
"Script"=\\dte.telcordia.com\netlogon\Customer\FRM\FRM_Main.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\4\0]
"Script"=%SystemRoot%\System32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\5\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 26112]
R3 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2008-01-11 1372160]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2010-04-29 26112]
R3 OracleDBConsoleNE;OracleDBConsoleNE;c:\app\product\11.1.0\db_1\bin\nmesrvc.exe [2007-09-13 25600]
R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\app\product\11.1.0\db_1\BIN\TNSLSNR [x]
R3 OracleServiceNE;OracleServiceNE;c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NE [x]
R3 OracleServiceNEUK;OracleServiceNEUK;c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NEUK [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-13 1120752]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
R4 OracleJobSchedulerNE;OracleJobSchedulerNE;c:\app\product\11.1.0\db_1\Bin\extjob.exe NE [x]
R4 OracleJobSchedulerNEUK;OracleJobSchedulerNEUK;c:\app\product\11.1.0\db_1\Bin\extjob.exe NEUK [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe [2009-03-03 81920]
S2 Citrix_Password_Manager_Sagent;Citrix Single Sign-On Sagent;c:\program files\Citrix\MetaFrame Password Manager\Sagent.exe [2011-07-19 95104]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-11-19 102968]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 OracleVssWriterNE;Oracle NE VSS Writer Service;c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NE [x]
S2 OracleVssWriterNEUK;Oracle NEUK VSS Writer Service;c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NEUK [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2009-10-23 635416]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2009-09-17 369952]
S2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [2009-09-17 292128]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-21 1639728]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-08-01 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-08-01 539184]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-11-05 214696]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-16 106104]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE2Cmdm
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 11:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-27 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-08-19 11:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=100488&mntrId=e81bfda1000000000000002314e36d54
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {D7F68AA9-870C-4E5E-B938-FD25F2EE59F3} - hxxps://telcordia.hostedtraining.com/activexTunnel.CAB
FF - ProfilePath - c:\users\grichard\AppData\Roaming\Mozilla\Firefox\Profiles\s4a0xzp2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\app\product\11.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2484)
c:\program files\SugarSync\SugarSyncShellExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\app\product\11.1.0\db_1\bin\OraVSSW.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\app\product\11.1.0\db_1\bin\OraVSSW.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-02-27 18:24:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-27 17:24
ComboFix2.txt 2012-02-27 15:49
.
Pre-Run: 50,854,166,528 bytes free
Post-Run: 50,799,484,928 bytes free
.
- - End Of File - - 760FB9038640C7EAF9E310682E4DD209


Last log created

ComboFix 12-02-25.02 - GRichard 02/27/2012 18:53:05.4.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3062.2109 [GMT 1:00]
Running from: c:\users\grichard\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB38070$\164434658
c:\windows\$NtUninstallKB38070$\1723396622\@
c:\windows\$NtUninstallKB38070$\1723396622\cfg.ini
c:\windows\$NtUninstallKB38070$\1723396622\Desktop.ini
c:\windows\$NtUninstallKB38070$\1723396622\L\xadqgnnk
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\tdx.sys was missing
Restored copy from - c:\windows\ERDNT\cache\tdx.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-27 18:00 . 2012-02-27 18:03 -------- d-----w- c:\users\grichard\AppData\Local\temp
2012-02-27 18:00 . 2012-02-27 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-27 18:00 . 2012-02-27 18:00 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-27 18:00 . 2010-11-20 08:39 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-27 17:49 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-27 17:17 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-27 15:32 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-27 15:02 . 2010-11-20 08:39 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-27 12:15 . 2012-02-27 12:15 -------- d-----w- c:\users\Default\AppData\Local\Symantec
2012-02-26 21:48 . 2012-02-27 15:54 -------- d-----w- c:\users\grichard\AppData\Local\CrashDumps
2012-02-26 21:47 . 2012-02-26 21:47 100864 ----a-w- C:\awliipog.sys
2012-02-24 11:22 . 2012-02-26 20:49 -------- d-----w- c:\users\grichard\AppData\Local\NPE
2012-02-24 11:22 . 2012-02-24 11:22 -------- d-----w- c:\programdata\Norton
2012-02-24 11:12 . 2012-02-24 11:12 -------- d-----w- c:\program files\BFDA1
2012-02-23 23:44 . 2012-02-23 23:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 23:43 . 2012-02-26 22:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 23:35 . 2012-02-24 11:39 -------- d-----w- c:\users\grichard\AppData\Local\AppCore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 12:40 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2010-10-12 15:33 . 2010-10-12 15:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-10-12 17:15 . 2010-10-12 17:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-10-12 15:37 . 2010-10-12 15:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-10-12 15:35 . 2010-10-12 15:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-10-12 15:34 . 2010-10-12 15:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-10-12 15:32 . 2010-10-12 15:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-10-12 15:35 . 2010-10-12 15:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-10-12 15:34 . 2010-10-12 15:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-07-14 11:42 . 2010-07-14 11:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-10-12 15:37 . 2010-10-12 15:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-02-17 12:38 . 2011-03-28 13:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3793308-160C-4b29-B44E-A09EE159DC83}]
2011-07-20 01:15 501120 ----a-w- c:\program files\Citrix\MetaFrame Password Manager\Helper\IE\bho.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-12-22 12:52 323584 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-12-22 12214272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-03-14 5731152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-07-08 115624]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-11-18 495708]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe" [2009-11-19 363064]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-08-01 64048]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"DLCJCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix Single Sign-On Background Process.lnk - c:\program files\Citrix\MetaFrame Password Manager\ssoshell.exe [2011-7-20 3955584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\0\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\1\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\2\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\3\0]
"Script"=\\dte.telcordia.com\netlogon\Customer\FRM\FRM_Main.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\4\0]
"Script"=%SystemRoot%\System32\cscript.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3723720265-2704198192-2039677084-58562\Scripts\Logon\5\0]
"Script"=%SystemRoot%\system32\cscript.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 26112]
R3 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2008-01-11 1372160]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2010-04-29 26112]
R3 OracleDBConsoleNE;OracleDBConsoleNE;c:\app\product\11.1.0\db_1\bin\nmesrvc.exe [2007-09-13 25600]
R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\app\product\11.1.0\db_1\BIN\TNSLSNR [x]
R3 OracleServiceNE;OracleServiceNE;c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NE [x]
R3 OracleServiceNEUK;OracleServiceNEUK;c:\app\product\11.1.0\db_1\bin\ORACLE.EXE NEUK [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-13 1120752]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
R4 OracleJobSchedulerNE;OracleJobSchedulerNE;c:\app\product\11.1.0\db_1\Bin\extjob.exe NE [x]
R4 OracleJobSchedulerNEUK;OracleJobSchedulerNEUK;c:\app\product\11.1.0\db_1\Bin\extjob.exe NEUK [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe [2009-03-03 81920]
S2 Citrix_Password_Manager_Sagent;Citrix Single Sign-On Sagent;c:\program files\Citrix\MetaFrame Password Manager\Sagent.exe [2011-07-19 95104]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-11-19 102968]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]
S2 OracleVssWriterNE;Oracle NE VSS Writer Service;c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NE [x]
S2 OracleVssWriterNEUK;Oracle NEUK VSS Writer Service;c:\app\product\11.1.0\db_1\bin\OraVSSW.exe NEUK [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2009-10-23 635416]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2009-09-17 369952]
S2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [2009-09-17 292128]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-21 1639728]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-08-01 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-08-01 539184]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-11-05 214696]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-16 106104]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE2Cmdm
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 11:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-27 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-08-19 11:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=100488&mntrId=e81bfda1000000000000002314e36d54
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {D7F68AA9-870C-4E5E-B938-FD25F2EE59F3} - hxxps://telcordia.hostedtraining.com/activexTunnel.CAB
FF - ProfilePath - c:\users\grichard\AppData\Roaming\Mozilla\Firefox\Profiles\s4a0xzp2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\app\product\11.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5216)
c:\program files\SugarSync\SugarSyncShellExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\app\product\11.1.0\db_1\bin\OraVSSW.exe
c:\app\product\11.1.0\db_1\bin\OraVSSW.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\msiexec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-02-27 19:06:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-27 18:06
ComboFix2.txt 2012-02-27 15:49
.
Pre-Run: 50,864,033,792 bytes free
Post-Run: 50,572,812,288 bytes free
.
- - End Of File - - 779556B6A4092F1EF0110043A4E0BA07
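The Firefox lines in the ComboFix log above are the proxy hijack the topic starter described in the first post: prefs.js carries a manual proxy (network.proxy.type 1) pointing at 127.0.0.1, and a user.js in the profile forces the mixed-content and insecure-submit warnings off. The check below is an added example, not from the thread, ComboFix or Mozilla; it parses both files in Firefox's user_pref("name", value); syntax and reports the hijack indicators. The function names (parse_prefs, audit_profile) are mine, and the two sample files are constructed to mirror the FF lines in the log.

```python
"""Audit a Firefox profile's prefs.js / user.js for the proxy hijack pattern.

Added example, not from the thread or from ComboFix/Firefox. Assumes the
user_pref("name", value); line syntax that both files use. The sample file
contents below are constructed to mirror the FF lines in the ComboFix log.
"""
import re
from typing import Dict, List, Union

Pref = Union[str, int, bool]

# Constructed sample: prefs.js is written by Firefox itself; user.js is a
# hand-placed file that Firefox re-applies on every start, so anything set
# there silently overrides prefs.js again after each launch.
SAMPLE_PREFS_JS = r'''
user_pref("browser.startup.homepage", "www.google.co.uk");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.type", 1);
'''

SAMPLE_USER_JS = r'''
user_pref("network.http.accept-encoding", "");
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
'''

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse user_pref lines into a dict; strings, booleans and ints are typed."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


# Firefox proxy modes: 0 none, 1 manual, 2 PAC URL, 4 auto-detect, 5 system.
MANUAL, PAC = 1, 2
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")
# Legacy warning prefs the infected profile had switched off.
WARNING_PREFS = ("security.warn_viewing_mixed", "security.warn_submit_insecure")


def audit_profile(prefs_js: str, user_js: str) -> List[str]:
    """Return human-readable findings for the effective (prefs.js + user.js) config."""
    base = parse_prefs(prefs_js)
    overrides = parse_prefs(user_js)
    effective = dict(base)
    effective.update(overrides)  # user.js wins at every launch
    findings: List[str] = []

    if overrides:
        findings.append("user.js present: %d prefs re-applied on every start" % len(overrides))

    mode = effective.get("network.proxy.type")
    if mode == MANUAL:
        for key in PROXY_HOST_PREFS:
            host = effective.get(key)
            if isinstance(host, str) and host in LOOPBACK:
                findings.append(f"manual proxy {key}={host}: traffic routed through a local listener")
    elif mode == PAC and effective.get("network.proxy.autoconfig_url"):
        url = effective["network.proxy.autoconfig_url"]
        findings.append(f"PAC script {url}: a remote script chooses the proxy per request")

    for key in WARNING_PREFS:
        if effective.get(key) is False:
            origin = "user.js" if key in overrides else "prefs.js"
            findings.append(f"{key}=false ({origin}): browser warning disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(finding)
```

The user.js finding is the one that matters for cleanup: resetting the proxy in the Firefox options only edits prefs.js, and the next start re-applies user.js, so the file itself has to go.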

#9 greggersuk
  • Topic Starter
  • Members
  • 22 posts

Posted 27 February 2012 - 01:35 PM

Further update

Symantec has found 6 issues

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\grichard\AppData\Local\temp\DWH951D.tmp
Location: C:\Users\grichard\AppData\Local\temp
Computer: GRICH-EB8440P
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, February 27, 2012 7:27:36 PM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.ADH.2
File: C:\Users\grichard\Desktop\ComboFix.exe
Location: C:\Users\grichard\Desktop
Computer: GRICH-EB8440P
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, February 27, 2012 7:27:44 PM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.ADH.2
File: C:\Users\grichard\Desktop\ComboFix.exe
Location: C:\Users\grichard\Desktop
Computer: GRICH-EB8440P
User: GRichard
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, February 27, 2012 7:28:09 PM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\grichard\AppData\Local\temp\DWH951D.tmp
Location: Unknown Storage
Computer: GRICH-EB8440P
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, February 27, 2012 7:28:47 PM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.ADH.2
File: C:\Users\grichard\Desktop\ComboFix.exe
Location: Unknown Storage
Computer: GRICH-EB8440P
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, February 27, 2012 7:29:10 PM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.ADH.2
File: C:\Users\grichard\Desktop\ComboFix.exe
Location: Unknown Storage
Computer: GRICH-EB8440P
User: GRichard
Action taken: Cleaned by Deletion
Date found: Monday, February 27, 2012 7:29:35 PM

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 27 February 2012 - 10:21 PM

Hello

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\grichard\AppData\Local\temp\DWH951D.tmp
Location: C:\Users\grichard\AppData\Local\temp
Computer: GRICH-EB8440P
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, February 27, 2012 7:27:36 PM


would you believe that it is Symantec finding itself?
http://www.google.com/search?q=symantec+dwh*.tmp&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7ADFA_enUS386

The other is ComboFix and it is NOT a virus.


I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

Edited by gringo_pr, 27 February 2012 - 10:22 PM.

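The TDSSKiller report this post asks for is pasted in the next reply, and the entry that matters in it is the cdrom driver: TDSSKiller lists it with one MD5, then flags it as "Forged" because the bytes returned through the normal file API differ from what it read at a lower level, and finally names the ZeroAccess detection. The script below is an added example, not TDSSKiller's own code or anything from the thread; it turns a report in that "time pid message" line layout into per-object verdicts so the flagged entries are not lost in several hundred "- ok" lines. The function names (triage, suspicious) are mine, and the sample log is a constructed excerpt that reproduces the cdrom, Disk and catchme lines from the report in this thread.

```python
"""Triage a TDSSKiller report: pull out forged, infected and detected entries.

Added example, not TDSSKiller's own code. Assumes the "HH:MM:SS.mmmm PID message"
line layout that TDSSKiller 2.7.x writes; the sample below is a constructed
excerpt reproducing a few lines of the report posted in this thread.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
08:51:05.0243 7864 Scan started
08:51:05.0243 7864 Mode: Manual;
08:51:19.0635 7864 catchme - ok
08:51:19.0905 7864 cdrom (7e760417e9b17d6faecf49ed815610f4) C:\Windows\system32\drivers\cdrom.sys
08:51:19.0915 7864 Suspicious file (Forged): C:\Windows\system32\drivers\cdrom.sys. Real md5: 7e760417e9b17d6faecf49ed815610f4, Fake md5: be167ed0fdb9c1fa1133953c18d5a6c9
08:51:19.0925 7864 cdrom ( Virus.Win32.ZAccess.c ) - infected
08:51:19.0925 7864 cdrom - detected Virus.Win32.ZAccess.c (0)
08:51:21.0055 7864 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
08:51:21.0055 7864 Disk - ok
"""

_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(.*)$")
_SCAN = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
_OK = re.compile(r"^(\S+) - ok$")
_FORGED = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
_INFECTED = re.compile(r"^(\S+) \( (.+?) \) - infected$")
_DETECTED = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")


def _new(path: Optional[str] = None, md5: Optional[str] = None) -> dict:
    return {"path": path, "md5": md5, "verdict": None, "threat": None, "forged": None}


def triage(log: str) -> Dict[str, dict]:
    """Map each scanned object (service/driver name) to its path, MD5 and verdict."""
    entries: Dict[str, dict] = {}
    last: Optional[str] = None  # object listed by the most recent scan line
    for raw in log.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()

        f = _FORGED.match(msg)
        if f:
            path, real, fake = f.groups()
            # A "Forged" line carries no object name; it follows the scan line
            # of the file it refers to, so attach it there when the paths match.
            owner = last if last and (entries[last]["path"] or "").lower() == path.lower() else path
            e = entries.setdefault(owner, _new(path))
            e["forged"] = {"real_md5": real, "fake_md5": fake}
            continue
        s = _SCAN.match(msg)
        if s:
            name, md5, path = s.groups()
            entries[name] = _new(path, md5)
            last = name
            continue
        o = _OK.match(msg)
        if o:
            entries.setdefault(o.group(1), _new())["verdict"] = "ok"
            continue
        i = _INFECTED.match(msg)
        if i:
            name, threat = i.groups()
            e = entries.setdefault(name, _new())
            e["verdict"], e["threat"] = "infected", threat
            continue
        d = _DETECTED.match(msg)
        if d:
            name, threat, _code = d.groups()
            e = entries.setdefault(name, _new())
            e["verdict"] = e["verdict"] or "detected"  # keep the stronger "infected"
            e["threat"] = threat
    return entries


def suspicious(entries: Dict[str, dict]) -> List[str]:
    """Names of objects that were forged, infected or detected (anything not plain ok)."""
    return sorted(n for n, e in entries.items() if e["forged"] or e["verdict"] not in (None, "ok"))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in suspicious(result):
        print(name, result[name])
```

Two MD5 values for one path is the rootkit signal here: whichever of them is the clean Microsoft file, the file API and the low-level read should never disagree, so the driver stack between them is lying.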

#11 greggersuk
  • Topic Starter
  • Members
  • 22 posts

Posted 28 February 2012 - 03:15 AM

Hi

Thanks once again.

Both tools found issues.

08:51:01.0153 7816 TDSS rootkit removing tool 2.7.15.0 Feb 27 2012 12:59:02
08:51:01.0173 7816 ============================================================
08:51:01.0173 7816 Current date / time: 2012/02/28 08:51:01.0173
08:51:01.0173 7816 SystemInfo:
08:51:01.0173 7816
08:51:01.0173 7816 OS Version: 6.1.7601 ServicePack: 1.0
08:51:01.0173 7816 Product type: Workstation
08:51:01.0173 7816 ComputerName: GRICH-EB8440P
08:51:01.0173 7816 UserName: GRichard
08:51:01.0173 7816 Windows directory: C:\Windows
08:51:01.0173 7816 System windows directory: C:\Windows
08:51:01.0173 7816 Processor architecture: Intel x86
08:51:01.0173 7816 Number of processors: 4
08:51:01.0173 7816 Page size: 0x1000
08:51:01.0173 7816 Boot type: Normal boot
08:51:01.0173 7816 ============================================================
08:51:02.0633 7816 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:51:02.0643 7816 \Device\Harddisk0\DR0:
08:51:02.0643 7816 MBR used
08:51:02.0643 7816 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xC800000
08:51:02.0643 7816 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xC800800, BlocksNum 0x10929000
08:51:02.0643 7816 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D129800, BlocksNum 0x96000
08:51:02.0883 7816 Initialize success
08:51:02.0883 7816 ============================================================
08:51:05.0243 7864 ============================================================
08:51:05.0243 7864 Scan started
08:51:05.0243 7864 Mode: Manual;
08:51:05.0243 7864 ============================================================
08:51:07.0113 7864 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
08:51:07.0123 7864 1394ohci - ok
08:51:07.0353 7864 Accelerometer (465b6baaba53a628f7252846d0e900ee) C:\Windows\system32\DRIVERS\Accelerometer.sys
08:51:07.0353 7864 Accelerometer - ok
08:51:07.0623 7864 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
08:51:07.0633 7864 ACPI - ok
08:51:07.0913 7864 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
08:51:07.0923 7864 AcpiPmi - ok
08:51:08.0233 7864 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
08:51:08.0283 7864 adp94xx - ok
08:51:08.0633 7864 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
08:51:08.0663 7864 adpahci - ok
08:51:08.0973 7864 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
08:51:08.0993 7864 adpu320 - ok
08:51:09.0453 7864 AFD (c427f91a748cd342a2b3f9278d9fd6a5) C:\Windows\system32\drivers\afd.sys
08:51:09.0453 7864 AFD - ok
08:51:09.0773 7864 AgereSoftModem (7e10e3bb9b258ad8a9300f91214d67b9) C:\Windows\system32\DRIVERS\AGRSM.sys
08:51:09.0813 7864 AgereSoftModem - ok
08:51:10.0123 7864 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
08:51:10.0143 7864 agp440 - ok
08:51:10.0473 7864 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
08:51:10.0483 7864 aic78xx - ok
08:51:10.0703 7864 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
08:51:10.0713 7864 aliide - ok
08:51:10.0873 7864 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
08:51:10.0883 7864 amdagp - ok
08:51:11.0023 7864 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
08:51:11.0033 7864 amdide - ok
08:51:11.0263 7864 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
08:51:11.0283 7864 AmdK8 - ok
08:51:11.0533 7864 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
08:51:11.0543 7864 AmdPPM - ok
08:51:12.0413 7864 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
08:51:12.0423 7864 amdsata - ok
08:51:13.0043 7864 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
08:51:13.0083 7864 amdsbs - ok
08:51:13.0713 7864 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
08:51:13.0713 7864 amdxata - ok
08:51:14.0413 7864 androidusb (db0feb51dfa00543bf381d2014550fa3) C:\Windows\system32\Drivers\androidusb.sys
08:51:14.0423 7864 androidusb - ok
08:51:14.0823 7864 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
08:51:14.0833 7864 AppID - ok
08:51:15.0203 7864 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
08:51:15.0213 7864 arc - ok
08:51:15.0403 7864 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
08:51:15.0413 7864 arcsas - ok
08:51:15.0873 7864 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
08:51:15.0883 7864 AsyncMac - ok
08:51:16.0473 7864 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
08:51:16.0483 7864 atapi - ok
08:51:16.0973 7864 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
08:51:17.0073 7864 b06bdrv - ok
08:51:17.0675 7864 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
08:51:17.0685 7864 b57nd60x - ok
08:51:17.0785 7864 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
08:51:17.0785 7864 Beep - ok
08:51:17.0915 7864 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
08:51:17.0915 7864 blbdrive - ok
08:51:18.0005 7864 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
08:51:18.0005 7864 bowser - ok
08:51:18.0055 7864 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
08:51:18.0055 7864 BrFiltLo - ok
08:51:18.0125 7864 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
08:51:18.0135 7864 BrFiltUp - ok
08:51:18.0265 7864 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
08:51:18.0275 7864 BridgeMP - ok
08:51:18.0415 7864 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
08:51:18.0425 7864 Brserid - ok
08:51:18.0475 7864 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
08:51:18.0485 7864 BrSerWdm - ok
08:51:18.0525 7864 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
08:51:18.0535 7864 BrUsbMdm - ok
08:51:18.0585 7864 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
08:51:18.0585 7864 BrUsbSer - ok
08:51:18.0665 7864 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
08:51:18.0665 7864 BthEnum - ok
08:51:18.0715 7864 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
08:51:18.0725 7864 BTHMODEM - ok
08:51:18.0775 7864 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
08:51:18.0785 7864 BthPan - ok
08:51:18.0835 7864 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\Windows\System32\Drivers\BTHport.sys
08:51:19.0105 7864 BTHPORT - ok
08:51:19.0295 7864 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\Windows\System32\Drivers\BTHUSB.sys
08:51:19.0295 7864 BTHUSB - ok
08:51:19.0395 7864 btusbflt (f549c3fb145a4928e40bb1518b2034dc) C:\Windows\system32\drivers\btusbflt.sys
08:51:19.0405 7864 btusbflt - ok
08:51:19.0635 7864 catchme - ok
08:51:19.0815 7864 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
08:51:19.0825 7864 cdfs - ok
08:51:19.0905 7864 cdrom (7e760417e9b17d6faecf49ed815610f4) C:\Windows\system32\drivers\cdrom.sys
08:51:19.0915 7864 Suspicious file (Forged): C:\Windows\system32\drivers\cdrom.sys. Real md5: 7e760417e9b17d6faecf49ed815610f4, Fake md5: be167ed0fdb9c1fa1133953c18d5a6c9
08:51:19.0925 7864 cdrom ( Virus.Win32.ZAccess.c ) - infected
08:51:19.0925 7864 cdrom - detected Virus.Win32.ZAccess.c (0)
08:51:19.0995 7864 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
08:51:19.0995 7864 circlass - ok
08:51:20.0085 7864 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
08:51:20.0095 7864 CLFS - ok
08:51:20.0185 7864 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
08:51:20.0185 7864 CmBatt - ok
08:51:20.0245 7864 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
08:51:20.0255 7864 cmdide - ok
08:51:20.0355 7864 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
08:51:20.0355 7864 CNG - ok
08:51:20.0435 7864 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
08:51:20.0435 7864 Compbatt - ok
08:51:20.0505 7864 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
08:51:20.0505 7864 CompositeBus - ok
08:51:20.0565 7864 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
08:51:20.0575 7864 crcdisk - ok
08:51:20.0675 7864 CSC - ok
08:51:20.0735 7864 ctxusbm - ok
08:51:20.0815 7864 DfsC - ok
08:51:20.0935 7864 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
08:51:20.0935 7864 discache - ok
08:51:21.0055 7864 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
08:51:21.0055 7864 Disk - ok
08:51:21.0455 7864 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
08:51:21.0465 7864 drmkaud - ok
08:51:21.0625 7864 dsNcAdpt (b2c3f71b86e25c3df78339ddb40a7562) C:\Windows\system32\DRIVERS\dsNcAdpt.sys
08:51:21.0625 7864 dsNcAdpt - ok
08:51:21.0945 7864 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
08:51:21.0955 7864 DXGKrnl - ok
08:51:22.0075 7864 e1kexpress (034fa3a00fff4f68dd9f6d3793392274) C:\Windows\system32\DRIVERS\e1k6232.sys
08:51:22.0075 7864 e1kexpress - ok
08:51:22.0445 7864 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
08:51:22.0575 7864 ebdrv - ok
08:51:22.0685 7864 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
08:51:22.0685 7864 eeCtrl - ok
08:51:22.0965 7864 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
08:51:23.0135 7864 elxstor - ok
08:51:23.0265 7864 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
08:51:23.0265 7864 EraserUtilRebootDrv - ok
08:51:23.0375 7864 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
08:51:23.0385 7864 ErrDev - ok
08:51:23.0495 7864 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
08:51:23.0515 7864 exfat - ok
08:51:23.0585 7864 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
08:51:23.0595 7864 fastfat - ok
08:51:23.0675 7864 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
08:51:23.0675 7864 fdc - ok
08:51:23.0725 7864 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
08:51:23.0725 7864 FileInfo - ok
08:51:23.0765 7864 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
08:51:23.0775 7864 Filetrace - ok
08:51:23.0845 7864 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
08:51:23.0855 7864 flpydisk - ok
08:51:23.0905 7864 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
08:51:23.0905 7864 FltMgr - ok
08:51:23.0945 7864 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
08:51:23.0955 7864 FsDepends - ok
08:51:23.0995 7864 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
08:51:23.0995 7864 Fs_Rec - ok
08:51:24.0065 7864 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
08:51:24.0065 7864 fvevol - ok
08:51:24.0125 7864 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
08:51:24.0135 7864 gagp30kx - ok
08:51:24.0215 7864 hcmon (5e01dbaeee09122a758a1f818cf13e3a) C:\Windows\system32\drivers\hcmon.sys
08:51:24.0215 7864 hcmon - ok
08:51:24.0255 7864 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
08:51:24.0265 7864 hcw85cir - ok
08:51:24.0345 7864 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
08:51:24.0355 7864 HdAudAddService - ok
08:51:24.0435 7864 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
08:51:24.0445 7864 HDAudBus - ok
08:51:24.0545 7864 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\Windows\system32\DRIVERS\HECI.sys
08:51:24.0555 7864 HECI - ok
08:51:24.0595 7864 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
08:51:24.0605 7864 HidBatt - ok
08:51:24.0655 7864 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
08:51:24.0665 7864 HidBth - ok
08:51:24.0745 7864 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
08:51:24.0755 7864 HidIr - ok
08:51:24.0855 7864 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
08:51:24.0855 7864 HidUsb - ok
08:51:24.0925 7864 hpdskflt (d5c35e6416a379c445cda826b9fe452f) C:\Windows\system32\DRIVERS\hpdskflt.sys
08:51:24.0925 7864 hpdskflt - ok
08:51:24.0975 7864 HpqKbFiltr (1210960ff8928950d2a786895b0c424a) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
08:51:24.0985 7864 HpqKbFiltr - ok
08:51:25.0075 7864 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
08:51:25.0085 7864 HpSAMD - ok
08:51:25.0185 7864 HTCAND32 (db0feb51dfa00543bf381d2014550fa3) C:\Windows\system32\Drivers\ANDROIDUSB.sys
08:51:25.0185 7864 HTCAND32 - ok
08:51:25.0285 7864 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
08:51:25.0295 7864 HTTP - ok
08:51:25.0355 7864 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
08:51:25.0355 7864 hwpolicy - ok
08:51:25.0465 7864 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
08:51:25.0475 7864 i8042prt - ok
08:51:25.0535 7864 iaStor (26541a068572f650a2fa490726fe81be) C:\Windows\system32\DRIVERS\iaStor.sys
08:51:25.0535 7864 iaStor - ok
08:51:25.0615 7864 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
08:51:25.0625 7864 iaStorV - ok
08:51:25.0675 7864 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
08:51:25.0685 7864 iirsp - ok
08:51:25.0785 7864 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
08:51:25.0785 7864 intelide - ok
08:51:25.0885 7864 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
08:51:25.0885 7864 intelppm - ok
08:51:25.0935 7864 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:51:25.0945 7864 IpFilterDriver - ok
08:51:26.0045 7864 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
08:51:26.0055 7864 IPMIDRV - ok
08:51:26.0105 7864 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
08:51:26.0115 7864 IPNAT - ok
08:51:26.0175 7864 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
08:51:26.0185 7864 IRENUM - ok
08:51:26.0235 7864 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
08:51:26.0245 7864 isapnp - ok
08:51:26.0295 7864 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
08:51:26.0325 7864 iScsiPrt - ok
08:51:26.0415 7864 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
08:51:26.0415 7864 kbdclass - ok
08:51:26.0485 7864 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
08:51:26.0495 7864 kbdhid - ok
08:51:26.0585 7864 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
08:51:26.0585 7864 KSecDD - ok
08:51:26.0635 7864 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
08:51:26.0635 7864 KSecPkg - ok
08:51:26.0795 7864 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
08:51:26.0795 7864 lltdio - ok
08:51:26.0885 7864 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
08:51:26.0895 7864 LSI_FC - ok
08:51:26.0935 7864 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
08:51:26.0945 7864 LSI_SAS - ok
08:51:27.0015 7864 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
08:51:27.0025 7864 LSI_SAS2 - ok
08:51:27.0085 7864 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
08:51:27.0095 7864 LSI_SCSI - ok
08:51:27.0155 7864 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
08:51:27.0155 7864 luafv - ok
08:51:27.0195 7864 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
08:51:27.0205 7864 megasas - ok
08:51:27.0255 7864 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
08:51:27.0285 7864 MegaSR - ok
08:51:27.0325 7864 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
08:51:27.0335 7864 Modem - ok
08:51:27.0425 7864 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
08:51:27.0425 7864 monitor - ok
08:51:27.0505 7864 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
08:51:27.0505 7864 mouclass - ok
08:51:27.0585 7864 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
08:51:27.0585 7864 mouhid - ok
08:51:27.0675 7864 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
08:51:27.0675 7864 mountmgr - ok
08:51:27.0725 7864 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
08:51:27.0735 7864 mpio - ok
08:51:27.0775 7864 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
08:51:27.0775 7864 mpsdrv - ok
08:51:27.0885 7864 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
08:51:27.0895 7864 MRxDAV - ok
08:51:27.0975 7864 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
08:51:27.0975 7864 mrxsmb - ok
08:51:28.0015 7864 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:51:28.0025 7864 mrxsmb10 - ok
08:51:28.0065 7864 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:51:28.0075 7864 mrxsmb20 - ok
08:51:28.0125 7864 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
08:51:28.0135 7864 msahci - ok
08:51:28.0205 7864 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
08:51:28.0215 7864 msdsm - ok
08:51:28.0315 7864 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
08:51:28.0315 7864 Msfs - ok
08:51:28.0355 7864 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
08:51:28.0365 7864 mshidkmdf - ok
08:51:28.0405 7864 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
08:51:28.0405 7864 msisadrv - ok
08:51:28.0525 7864 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
08:51:28.0525 7864 MSKSSRV - ok
08:51:28.0605 7864 msloop (ade6270c1003923e92a9bbba272133a9) C:\Windows\system32\DRIVERS\loop.sys
08:51:28.0615 7864 msloop - ok
08:51:28.0655 7864 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
08:51:28.0665 7864 MSPCLOCK - ok
08:51:28.0705 7864 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
08:51:28.0705 7864 MSPQM - ok
08:51:28.0755 7864 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
08:51:28.0755 7864 MsRPC - ok
08:51:28.0805 7864 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
08:51:28.0815 7864 mssmbios - ok
08:51:28.0855 7864 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
08:51:28.0855 7864 MSTEE - ok
08:51:28.0905 7864 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
08:51:28.0905 7864 MTConfig - ok
08:51:28.0955 7864 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
08:51:28.0955 7864 Mup - ok
08:51:29.0035 7864 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
08:51:29.0035 7864 NativeWifiP - ok
08:51:29.0145 7864 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120227.002\NAVENG.SYS
08:51:29.0145 7864 NAVENG - ok
08:51:29.0195 7864 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20120227.002\NAVEX15.SYS
08:51:29.0205 7864 NAVEX15 - ok
08:51:29.0335 7864 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
08:51:29.0335 7864 NDIS - ok
08:51:29.0465 7864 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
08:51:29.0465 7864 NdisCap - ok
08:51:29.0555 7864 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
08:51:29.0555 7864 NdisTapi - ok
08:51:29.0895 7864 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
08:51:29.0905 7864 Ndisuio - ok
08:51:30.0005 7864 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
08:51:30.0005 7864 NdisWan - ok
08:51:30.0075 7864 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
08:51:30.0075 7864 NDProxy - ok
08:51:30.0205 7864 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
08:51:30.0205 7864 NetBIOS - ok
08:51:30.0285 7864 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
08:51:30.0285 7864 NetBT - ok
08:51:30.0625 7864 NETw5s32 (5b2dfa9c5c02ddf2a113cc0f551b59df) C:\Windows\system32\DRIVERS\NETw5s32.sys
08:51:30.0745 7864 NETw5s32 - ok
08:51:30.0835 7864 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
08:51:30.0845 7864 nfrd960 - ok
08:51:30.0895 7864 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
08:51:30.0895 7864 Npfs - ok
08:51:30.0935 7864 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
08:51:30.0935 7864 nsiproxy - ok
08:51:31.0025 7864 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
08:51:31.0035 7864 Ntfs - ok
08:51:31.0135 7864 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
08:51:31.0135 7864 Null - ok
08:51:31.0455 7864 nvlddmkm (78820933f6dfb4aee6aa8889e6750634) C:\Windows\system32\DRIVERS\nvlddmkm.sys
08:51:31.0515 7864 nvlddmkm - ok
08:51:31.0685 7864 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
08:51:31.0695 7864 nvraid - ok
08:51:31.0745 7864 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
08:51:31.0755 7864 nvstor - ok
08:51:31.0825 7864 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
08:51:31.0845 7864 nv_agp - ok
08:51:31.0945 7864 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
08:51:31.0955 7864 ohci1394 - ok
08:51:32.0205 7864 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
08:51:32.0205 7864 Parport - ok
08:51:32.0265 7864 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
08:51:32.0265 7864 partmgr - ok
08:51:32.0335 7864 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
08:51:32.0345 7864 Parvdm - ok
08:51:32.0415 7864 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
08:51:32.0415 7864 pci - ok
08:51:32.0485 7864 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
08:51:32.0495 7864 pciide - ok
08:51:32.0575 7864 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
08:51:32.0575 7864 pcmcia - ok
08:51:32.0625 7864 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
08:51:32.0625 7864 pcw - ok
08:51:32.0805 7864 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
08:51:32.0815 7864 PEAUTH - ok
08:51:32.0995 7864 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
08:51:33.0005 7864 PptpMiniport - ok
08:51:33.0125 7864 prepdrvr (19505c4134f3181fc2203e087140c192) C:\Windows\system32\CCM\prepdrv.sys
08:51:33.0125 7864 prepdrvr - ok
08:51:33.0205 7864 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
08:51:33.0215 7864 Processor - ok
08:51:33.0295 7864 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
08:51:33.0295 7864 Psched - ok
08:51:33.0405 7864 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\Windows\system32\Drivers\PxHelp20.sys
08:51:33.0405 7864 PxHelp20 - ok
08:51:33.0615 7864 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
08:51:33.0715 7864 ql2300 - ok
08:51:33.0825 7864 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
08:51:33.0835 7864 ql40xx - ok
08:51:33.0895 7864 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
08:51:33.0915 7864 QWAVEdrv - ok
08:51:33.0955 7864 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
08:51:33.0965 7864 RasAcd - ok
08:51:34.0045 7864 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
08:51:34.0045 7864 RasAgileVpn - ok
08:51:34.0115 7864 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
08:51:34.0115 7864 Rasl2tp - ok
08:51:34.0185 7864 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
08:51:34.0195 7864 RasPppoe - ok
08:51:34.0275 7864 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
08:51:34.0275 7864 RasSstp - ok
08:51:34.0345 7864 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
08:51:34.0345 7864 rdbss - ok
08:51:34.0405 7864 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
08:51:34.0415 7864 rdpbus - ok
08:51:34.0475 7864 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
08:51:34.0475 7864 RDPCDD - ok
08:51:34.0565 7864 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
08:51:34.0575 7864 RDPDR - ok
08:51:34.0685 7864 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
08:51:34.0685 7864 RDPENCDD - ok
08:51:34.0795 7864 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
08:51:34.0795 7864 RDPREFMP - ok
08:51:34.0905 7864 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
08:51:34.0915 7864 RdpVideoMiniport - ok
08:51:34.0985 7864 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
08:51:34.0995 7864 RDPWD - ok
08:51:35.0095 7864 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
08:51:35.0095 7864 rdyboost - ok
08:51:35.0195 7864 regi (001b4278407f4303efc902a2b16f2453) C:\Windows\system32\drivers\regi.sys
08:51:35.0195 7864 regi - ok
08:51:35.0285 7864 Revoflt (b9bb8e2093c1615ad6ea55ad96214354) C:\Windows\system32\DRIVERS\revoflt.sys
08:51:35.0295 7864 Revoflt - ok
08:51:35.0385 7864 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
08:51:35.0395 7864 RFCOMM - ok
08:51:35.0465 7864 rimmptsk (df672613fbbcd58c38bb0bc2694bcfb0) C:\Windows\system32\DRIVERS\rimmptsk.sys
08:51:35.0465 7864 rimmptsk - ok
08:51:35.0505 7864 rismc32 (470fc46e2989f6606043c1c5365b15fd) C:\Windows\system32\DRIVERS\rismc32.sys
08:51:35.0505 7864 rismc32 - ok
08:51:35.0645 7864 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
08:51:35.0655 7864 rspndr - ok
08:51:35.0737 7864 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
08:51:35.0737 7864 s3cap - ok
08:51:35.0817 7864 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\DRIVERS\sbp2port.sys
08:51:35.0817 7864 sbp2port - ok
08:51:35.0977 7864 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
08:51:35.0987 7864 scfilter - ok
08:51:36.0257 7864 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
08:51:36.0257 7864 sdbus - ok
08:51:36.0357 7864 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
08:51:36.0357 7864 secdrv - ok
08:51:36.0597 7864 Sentinel (a2cc81c30bef6ac9f27055490eef6de3) C:\Windows\System32\Drivers\SENTINEL.SYS
08:51:36.0597 7864 Sentinel - ok
08:51:36.0697 7864 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
08:51:36.0707 7864 Serenum - ok
08:51:36.0727 7864 Serial - ok
08:51:36.0787 7864 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
08:51:36.0797 7864 sermouse - ok
08:51:36.0887 7864 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
08:51:36.0897 7864 sffdisk - ok
08:51:36.0937 7864 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
08:51:36.0947 7864 sffp_mmc - ok
08:51:36.0997 7864 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
08:51:37.0007 7864 sffp_sd - ok
08:51:37.0067 7864 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
08:51:37.0077 7864 sfloppy - ok
08:51:37.0177 7864 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
08:51:37.0187 7864 sisagp - ok
08:51:37.0287 7864 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
08:51:37.0297 7864 SiSRaid2 - ok
08:51:37.0347 7864 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
08:51:37.0357 7864 SiSRaid4 - ok
08:51:37.0437 7864 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
08:51:37.0447 7864 Smb - ok
08:51:37.0587 7864 SNTNLUSB (ce724fc3ef8468bbab146ca1793c66dc) C:\Windows\system32\DRIVERS\SNTNLUSB.SYS
08:51:37.0597 7864 SNTNLUSB - ok
08:51:37.0687 7864 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
08:51:37.0707 7864 SPBBCDrv - ok
08:51:37.0817 7864 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
08:51:37.0817 7864 spldr - ok
08:51:37.0917 7864 SRTSP (14389e87d0d2e25b12bf2cc74cfaee07) C:\Windows\system32\Drivers\SRTSP.SYS
08:51:37.0927 7864 SRTSP - ok
08:51:37.0987 7864 SRTSPL (aed0f68c185fe698a21cefcd76f0b8a4) C:\Windows\system32\Drivers\SRTSPL.SYS
08:51:38.0007 7864 SRTSPL - ok
08:51:38.0057 7864 SRTSPX (0e2ca6326726477fe29863808bbad413) C:\Windows\system32\Drivers\SRTSPX.SYS
08:51:38.0067 7864 SRTSPX - ok
08:51:38.0137 7864 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
08:51:38.0147 7864 srv - ok
08:51:38.0197 7864 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
08:51:38.0197 7864 srv2 - ok
08:51:38.0257 7864 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
08:51:38.0257 7864 srvnet - ok
08:51:38.0357 7864 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
08:51:38.0367 7864 stexstor - ok
08:51:38.0457 7864 STHDA (b205de6202b6a019403cf6395d047ca8) C:\Windows\system32\DRIVERS\stwrt.sys
08:51:38.0467 7864 STHDA - ok
08:51:38.0587 7864 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
08:51:38.0587 7864 storflt - ok
08:51:38.0647 7864 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
08:51:38.0657 7864 storvsc - ok
08:51:38.0727 7864 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
08:51:38.0727 7864 swenum - ok
08:51:38.0837 7864 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\Windows\system32\Drivers\SYMEVENT.SYS
08:51:38.0847 7864 SymEvent - ok
08:51:38.0957 7864 SYMREDRV (394b2368212114d538316812af60fddd) C:\Windows\System32\Drivers\SYMREDRV.SYS
08:51:38.0957 7864 SYMREDRV - ok
08:51:38.0987 7864 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\Windows\System32\Drivers\SYMTDI.SYS
08:51:38.0987 7864 SYMTDI - ok
08:51:39.0077 7864 Synth3dVsc - ok
08:51:39.0187 7864 SynTP (0e8676fb3bb95aa40fdf7a4a31018c8b) C:\Windows\system32\DRIVERS\SynTP.sys
08:51:39.0197 7864 SynTP - ok
08:51:39.0337 7864 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
08:51:39.0367 7864 Tcpip - ok
08:51:39.0517 7864 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
08:51:39.0517 7864 TCPIP6 - ok
08:51:39.0597 7864 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
08:51:39.0597 7864 tcpipreg - ok
08:51:39.0627 7864 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
08:51:39.0637 7864 TDPIPE - ok
08:51:39.0677 7864 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
08:51:39.0687 7864 TDTCP - ok
08:51:39.0747 7864 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
08:51:39.0747 7864 tdx - ok
08:51:39.0817 7864 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
08:51:39.0817 7864 TermDD - ok
08:51:39.0917 7864 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\Windows\system32\drivers\tpm.sys
08:51:39.0927 7864 TPM - ok
08:51:39.0997 7864 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:51:40.0007 7864 tssecsrv - ok
08:51:40.0067 7864 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
08:51:40.0067 7864 TsUsbFlt - ok
08:51:40.0137 7864 tsusbhub - ok
08:51:40.0237 7864 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
08:51:40.0237 7864 tunnel - ok
08:51:40.0297 7864 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
08:51:40.0307 7864 uagp35 - ok
08:51:40.0387 7864 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
08:51:40.0397 7864 udfs - ok
08:51:40.0497 7864 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
08:51:40.0507 7864 uliagpkx - ok
08:51:40.0557 7864 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
08:51:40.0557 7864 umbus - ok
08:51:40.0627 7864 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
08:51:40.0637 7864 UmPass - ok
08:51:40.0717 7864 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
08:51:40.0717 7864 usbccgp - ok
08:51:40.0777 7864 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
08:51:40.0777 7864 usbcir - ok
08:51:40.0847 7864 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\drivers\usbehci.sys
08:51:40.0857 7864 usbehci - ok
08:51:40.0917 7864 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
08:51:40.0917 7864 usbhub - ok
08:51:40.0967 7864 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
08:51:40.0967 7864 usbohci - ok
08:51:41.0057 7864 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
08:51:41.0067 7864 usbprint - ok
08:51:41.0177 7864 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
08:51:41.0187 7864 usbscan - ok
08:51:41.0237 7864 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:51:41.0247 7864 USBSTOR - ok
08:51:41.0287 7864 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys
08:51:41.0297 7864 usbuhci - ok
08:51:41.0357 7864 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys
08:51:41.0357 7864 usbvideo - ok
08:51:41.0437 7864 usb_rndisx (d82f43d15fdaa666856c0190cb73e7c9) C:\Windows\system32\DRIVERS\usb8023x.sys
08:51:41.0447 7864 usb_rndisx - ok
08:51:41.0547 7864 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
08:51:41.0547 7864 vdrvroot - ok
08:51:41.0627 7864 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
08:51:41.0627 7864 vga - ok
08:51:41.0687 7864 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
08:51:41.0687 7864 VgaSave - ok
08:51:41.0737 7864 VGPU - ok
08:51:41.0797 7864 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
08:51:41.0807 7864 vhdmp - ok
08:51:41.0887 7864 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
08:51:41.0897 7864 viaagp - ok
08:51:41.0967 7864 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
08:51:41.0977 7864 ViaC7 - ok
08:51:42.0067 7864 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
08:51:42.0077 7864 viaide - ok
08:51:42.0167 7864 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
08:51:42.0167 7864 vmbus - ok
08:51:42.0267 7864 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
08:51:42.0277 7864 VMBusHID - ok
08:51:42.0347 7864 vmci (ad6a72896778dfce0a499fe97dce93ef) C:\Windows\system32\Drivers\vmci.sys
08:51:42.0347 7864 vmci - ok
08:51:42.0407 7864 vmkbd (43e2019a879d2e923a3b09a60b904c8d) C:\Windows\system32\drivers\VMkbd.sys
08:51:42.0407 7864 vmkbd - ok
08:51:42.0487 7864 VMnetAdapter (e41704d8149992107b333cc7a52c07cc) C:\Windows\system32\DRIVERS\vmnetadapter.sys
08:51:42.0497 7864 VMnetAdapter - ok
08:51:42.0537 7864 VMnetBridge (462f2a31ea8b87a28962aca998df1869) C:\Windows\system32\DRIVERS\vmnetbridge.sys
08:51:42.0537 7864 VMnetBridge - ok
08:51:42.0577 7864 VMnetuserif (a34e24c04619a92a464116a2341a7627) C:\Windows\system32\drivers\vmnetuserif.sys
08:51:42.0577 7864 VMnetuserif - ok
08:51:42.0617 7864 VMparport (7e8a035b0904eddac532d60dec5bd2df) C:\Windows\system32\Drivers\VMparport.sys
08:51:42.0617 7864 VMparport - ok
08:51:42.0647 7864 vmusb (afb10ad9aa91d2f70c9f0e6bda0d119b) C:\Windows\system32\Drivers\vmusb.sys
08:51:42.0657 7864 vmusb - ok
08:51:42.0737 7864 vmx86 (5e9dce3b007cf3ca9e768ea885934c55) C:\Windows\system32\Drivers\vmx86.sys
08:51:42.0747 7864 vmx86 - ok
08:51:42.0807 7864 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
08:51:42.0807 7864 volmgr - ok
08:51:42.0837 7864 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
08:51:42.0847 7864 volmgrx - ok
08:51:42.0887 7864 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
08:51:42.0887 7864 volsnap - ok
08:51:42.0987 7864 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
08:51:42.0997 7864 vsmraid - ok
08:51:43.0097 7864 vstor2-ws60 (c40598b7708c6af55a629a4d349e33bb) C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
08:51:43.0097 7864 vstor2-ws60 - ok
08:51:43.0207 7864 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
08:51:43.0207 7864 vwifibus - ok
08:51:43.0257 7864 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
08:51:43.0257 7864 vwififlt - ok
08:51:43.0327 7864 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
08:51:43.0337 7864 vwifimp - ok
08:51:43.0377 7864 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
08:51:43.0387 7864 WacomPen - ok
08:51:43.0467 7864 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
08:51:43.0467 7864 WANARP - ok
08:51:43.0477 7864 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
08:51:43.0477 7864 Wanarpv6 - ok
08:51:43.0547 7864 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
08:51:43.0557 7864 Wd - ok
08:51:43.0607 7864 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
08:51:43.0607 7864 Wdf01000 - ok
08:51:43.0717 7864 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
08:51:43.0727 7864 WfpLwf - ok
08:51:43.0777 7864 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
08:51:43.0787 7864 WIMMount - ok
08:51:43.0937 7864 WinUSB (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUSB.sys
08:51:43.0947 7864 WinUSB - ok
08:51:44.0037 7864 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
08:51:44.0047 7864 WmiAcpi - ok
08:51:44.0157 7864 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
08:51:44.0167 7864 ws2ifsl - ok
08:51:44.0267 7864 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
08:51:44.0277 7864 WudfPf - ok
08:51:44.0337 7864 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:51:44.0357 7864 WUDFRd - ok
08:51:44.0447 7864 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
08:51:44.0607 7864 \Device\Harddisk0\DR0 - ok
08:51:44.0647 7864 Boot (0x1200) (38e1c44ef3c24a47e1807248bc48cc71) \Device\Harddisk0\DR0\Partition0
08:51:44.0647 7864 \Device\Harddisk0\DR0\Partition0 - ok
08:51:44.0667 7864 Boot (0x1200) (28cbefb34cb20e852caef06827d9770b) \Device\Harddisk0\DR0\Partition1
08:51:44.0667 7864 \Device\Harddisk0\DR0\Partition1 - ok
08:51:44.0667 7864 Boot (0x1200) (afdc87f7fdec6c7ac57c736621e65b97) \Device\Harddisk0\DR0\Partition2
08:51:44.0667 7864 \Device\Harddisk0\DR0\Partition2 - ok
08:51:44.0677 7864 ============================================================
08:51:44.0677 7864 Scan finished
08:51:44.0677 7864 ============================================================
08:51:44.0687 7856 Detected object count: 1
08:51:44.0687 7856 Actual detected object count: 1
08:52:38.0497 7856 C:\Windows\system32\drivers\cdrom.sys - copied to quarantine
08:52:39.0107 7856 Backup copy found, using it..
08:52:39.0207 7856 C:\Windows\system32\drivers\cdrom.sys - will be cured on reboot
08:52:46.0307 7856 cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
08:52:50.0567 7800 Deinitialize success


aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-28 08:57:12
-----------------------------
08:57:12.462 OS Version: Windows 6.1.7601 Service Pack 1
08:57:12.462 Number of processors: 4 586 0x2502
08:57:12.462 ComputerName: GRICH-EB8440P UserName: GRichard
08:57:31.022 Initialize success
08:58:13.302 AVAST engine defs: 12022701
08:58:33.762 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:58:33.772 Disk 0 Vendor: ST925041 0006 Size: 238475MB BusType: 3
08:58:33.772 Disk 0 MBR read successfully
08:58:33.782 Disk 0 MBR scan
08:58:33.782 Disk 0 Windows 7 default MBR code
08:58:33.792 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 102400 MB offset 2048
08:58:33.812 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 135762 MB offset 209717248
08:58:33.852 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 487757824
08:58:33.862 Disk 0 scanning sectors +488372224
08:58:33.952 Disk 0 scanning C:\Windows\system32\drivers
08:58:39.312 File: C:\Windows\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
08:58:53.252 Disk 0 trace - called modules:
08:58:53.262 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xa53b9fc0]<<
08:58:53.592 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88300a80]
08:58:53.602 3 CLASSPNP.SYS[8b80459e] -> nt!IofCallDriver -> [0x8ad2bb50]
08:58:53.612 \Driver\00004075[0x8aecead8] -> IRP_MJ_CREATE -> 0xa53b9fc0
08:58:54.322 AVAST engine scan C:\Windows
08:58:58.902 AVAST engine scan C:\Windows\system32
09:06:13.773 AVAST engine scan C:\Windows\system32\drivers
09:06:18.833 File: C:\Windows\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
09:06:34.873 AVAST engine scan C:\Users\grichard
09:07:55.993 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
09:07:56.003 The log file has been saved successfully to "C:\aswMBR.txt"
09:10:31.269 AVAST engine scan C:\ProgramData
09:12:38.253 Scan finished successfully
09:15:02.706 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
09:15:02.720 The log file has been saved successfully to "C:\aswMBR.txt"
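
The two logs above, read by a small triage script. This is an added example for this thread, not code from TDSSKiller, aswMBR or the original poster; the sample input is an excerpt of the logs posted above, and the line formats of both tools are assumed from those lines only. It pulls out the service TDSSKiller detected and the action chosen, the file aswMBR flags as infected, the MBR verdict and partition table, and the IRP_MJ_CREATE handler that aswMBR marks as >>UNKNOWN<< in the disk-stack trace (a dispatch address that belongs to no loaded module, which is what a kernel hook on the disk stack looks like from user mode):

```python
"""Triage parser for the TDSSKiller and aswMBR logs posted in this thread.

Added example for the thread, not code from either tool or from the original
post. It extracts what a responder acts on: the service TDSSKiller detected,
files aswMBR marks **INFECTED**, the MBR verdict, the partition table, and any
">>UNKNOWN" entry in aswMBR's disk-stack trace, i.e. an IRP dispatch pointer
that lands in memory owned by no loaded module.
"""
import re
from dataclasses import dataclass, field

# Sample input: excerpts of the two logs posted above (trimmed, not invented).
TDSSKILLER_SAMPLE = """\
08:51:44.0337 7864 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\\Windows\\system32\\DRIVERS\\WUDFRd.sys
08:51:44.0357 7864 WUDFRd - ok
08:51:44.0687 7856 Detected object count: 1
08:52:39.0207 7856 C:\\Windows\\system32\\drivers\\cdrom.sys - will be cured on reboot
08:52:46.0307 7856 cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
"""
ASWMBR_SAMPLE = """\
08:58:33.782 Disk 0 Windows 7 default MBR code
08:58:33.792 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 102400 MB offset 2048
08:58:33.812 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 135762 MB offset 209717248
08:58:33.852 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 487757824
08:58:39.312 File: C:\\Windows\\system32\\drivers\\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
08:58:53.262 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xa53b9fc0]<<
08:58:53.592 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x88300a80]
08:58:53.612 \\Driver\\00004075[0x8aecead8] -> IRP_MJ_CREATE -> 0xa53b9fc0
09:06:18.833 File: C:\\Windows\\system32\\drivers\\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
"""

_TD_DRIVER = re.compile(r"^\S+ \d+ (?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
_TD_DETECT = re.compile(r"^\S+ \d+ (?P<svc>\S+) \( (?P<name>[^)]+?) \) - User select action: (?P<action>\w+)")
_INFECTED = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+?)\s*$")
_UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
_HOOK = re.compile(r"(?P<drv>\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<target>0x[0-9a-fA-F]+)")
_PART = re.compile(r"Partition (?P<n>\d+) (?P<boot>[0-9A-Fa-f]{2}) (?:\(A\) )?[0-9A-Fa-f]{2} \S+ \S+ (?P<mb>\d+) MB offset (?P<off>\d+)")


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)        # service -> (md5, path), from TDSSKiller
    detections: list = field(default_factory=list)     # (service, detection name, user action)
    infected: dict = field(default_factory=dict)       # path -> aswMBR detection name
    unknown_addrs: list = field(default_factory=list)  # handler addresses outside any loaded module
    hooks: list = field(default_factory=list)          # (driver object, IRP major, handler address)
    partitions: list = field(default_factory=list)     # (number, active, size MB, offset in sectors)
    mbr_default: bool = False


def parse_tdsskiller(text, report=None):
    r = report or Report()
    for line in text.splitlines():
        if m := _TD_DRIVER.match(line):
            r.drivers[m["svc"]] = (m["md5"], m["path"])
        elif m := _TD_DETECT.match(line):
            r.detections.append((m["svc"], m["name"], m["action"]))
    return r


def parse_aswmbr(text, report=None):
    r = report or Report()
    for line in text.splitlines():
        if m := _INFECTED.search(line):
            r.infected[m["path"]] = m["name"]  # the same file is reported once per pass
        elif m := _UNKNOWN.search(line):
            r.unknown_addrs.append(m["addr"].lower())
        elif m := _HOOK.search(line):
            r.hooks.append((m["drv"], m["irp"], m["target"].lower()))
        elif m := _PART.search(line):
            r.partitions.append((int(m["n"]), m["boot"] == "80", int(m["mb"]), int(m["off"])))
        elif "default MBR code" in line:
            r.mbr_default = True
    return r


def findings(r):
    """What needs action, one line each; an empty list means nothing suspicious was parsed."""
    out = [f"TDSSKiller: service {svc} detected as {name}, action {action}"
           for svc, name, action in r.detections]
    out += [f"aswMBR: {path} flagged as {name}" for path, name in r.infected.items()]
    for drv, irp, target in r.hooks:
        if target in r.unknown_addrs:  # dispatch pointer outside every loaded module: a hook
            out.append(f"aswMBR: {drv} handles {irp} on the disk stack at {target}, outside any loaded module")
    if not r.mbr_default:
        out.append("aswMBR: MBR code is not the stock Windows boot code")
    if sum(1 for p in r.partitions if p[1]) != 1:
        out.append("aswMBR: expected exactly one active partition")
    return out


if __name__ == "__main__":
    rep = parse_aswmbr(ASWMBR_SAMPLE, parse_tdsskiller(TDSSKILLER_SAMPLE))
    for line in findings(rep):
        print(line)
```

Run it on the full logs rather than the excerpt and the third finding is the one that matters for "can't be removed": the unnamed driver object (\Driver\00004075 in the first run, \Driver\00000380 after the reboot) still owns the IRP_MJ_CREATE path on the disk stack in both runs, so a file-level cure of cdrom.sys alone does not settle the matter until that trace comes back without an UNKNOWN entry.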

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 AM

Posted 28 February 2012 - 03:18 AM

I want you to reboot the computer and rerun aswMBR, please.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 greggersuk

greggersuk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 28 February 2012 - 03:33 AM

OK, it's re-running now.

FYI, I didn't run the fix on the previous aswMBR scan. Was I supposed to?

#14 greggersuk

greggersuk
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 28 February 2012 - 03:48 AM

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-28 09:31:18
-----------------------------
09:31:18.979 OS Version: Windows 6.1.7601 Service Pack 1
09:31:18.979 Number of processors: 4 586 0x2502
09:31:18.979 ComputerName: GRICH-EB8440P UserName: GRichard
09:31:28.839 Initialize success
09:31:36.399 AVAST engine defs: 12022701
09:31:40.299 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:31:40.309 Disk 0 Vendor: ST925041 0006 Size: 238475MB BusType: 3
09:31:40.419 Disk 0 MBR read successfully
09:31:40.429 Disk 0 MBR scan
09:31:40.439 Disk 0 Windows 7 default MBR code
09:31:40.459 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 102400 MB offset 2048
09:31:40.509 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 135762 MB offset 209717248
09:31:42.059 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 487757824
09:31:42.139 Disk 0 scanning sectors +488372224
09:31:43.909 Disk 0 scanning C:\Windows\system32\drivers
09:31:54.599 File: C:\Windows\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
09:32:21.849 Disk 0 trace - called modules:
09:32:21.899 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x90603fc0]<<
09:32:21.899 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88300798]
09:32:21.909 3 CLASSPNP.SYS[8bdca59e] -> nt!IofCallDriver -> [0x88524138]
09:32:21.909 \Driver\00000380[0x88524030] -> IRP_MJ_CREATE -> 0x90603fc0
09:32:22.689 AVAST engine scan C:\Windows
09:32:29.419 AVAST engine scan C:\Windows\system32
09:38:26.624 AVAST engine scan C:\Windows\system32\drivers
09:38:31.734 File: C:\Windows\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-JQ [Trj]
09:39:01.539 AVAST engine scan C:\Users\grichard
09:42:13.020 AVAST engine scan C:\ProgramData
09:43:28.589 Scan finished successfully
09:48:29.622 Disk 0 MBR has been saved successfully to "C:\Users\grichard\Desktop\MBR.dat"
09:48:29.632 The log file has been saved successfully to "C:\Users\grichard\Desktop\aswMBR2.txt"

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:13 AM

Posted 28 February 2012 - 03:54 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
cdrom.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: the log can also be found on your Desktop, entitled SystemLook.txt.
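
What the :filefind command above does, with hashing added, as an example in Python. This is not SystemLook's own code and not part of the thread: it walks a directory tree for every copy of a named file, computes MD5 and SHA-256 for each, and singles out the copy whose hash differs from the rest (or from a known-good hash you pass in). For a patched driver that is usually the live copy in system32\drivers, while the copies Windows keeps in WinSxS and the DriverStore still match each other. The directory tree it builds is constructed for the demo and the file contents are placeholder bytes, not real driver code.

```python
"""Find every copy of a driver file under a root and compare their hashes.

Added example for this thread, not SystemLook itself and not part of the
original post. SystemLook's ":filefind cdrom.sys" lists every cdrom.sys on the
disk with size and timestamps; this script does the same walk and adds an MD5
and SHA-256 per copy, then groups the copies by hash so the odd one out is
obvious. build_sample_tree() creates a throwaway directory for the demo; the
file contents are placeholder bytes, not real driver code.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path):
    """MD5 and SHA-256 of a file, streamed so large files are not read whole."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def filefind(root, name):
    """Every file called `name` under root, matched case-insensitively as NTFS would.

    Returns a sorted list of (path, size, md5, sha256)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = os.path.join(dirpath, f)
                md5, sha = hash_file(p)
                hits.append((p, os.path.getsize(p), md5, sha))
    return sorted(hits)


def outliers(hits, known_good=None):
    """Paths whose SHA-256 differs from `known_good`, or, when none is given, from
    the most common hash among the copies found. With a single distinct hash there
    is nothing to single out, so the result is empty."""
    by_hash = defaultdict(list)
    for p, _size, _md5, sha in hits:
        by_hash[sha].append(p)
    if known_good is not None:
        return sorted(p for h, paths in by_hash.items() if h != known_good for p in paths)
    if len(by_hash) < 2:
        return []
    majority = max(by_hash.values(), key=len)
    return sorted(p for paths in by_hash.values() if paths is not majority for p in paths)


def build_sample_tree():
    """Constructed demo tree: two pristine copies and one patched copy of cdrom.sys."""
    root = tempfile.mkdtemp(prefix="filefind-demo-")
    pristine = b"MZ" + b"\x00" * 60 + b"placeholder pristine cdrom.sys"
    patched = b"MZ" + b"\x00" * 60 + b"placeholder cdrom.sys with injected loader"
    layout = {
        ("Windows", "System32", "drivers", "cdrom.sys"): patched,
        ("Windows", "winsxs", "x86_cdrom.inf_placeholder", "cdrom.sys"): pristine,
        ("Windows", "System32", "DriverStore", "FileRepository", "cdrom.inf_placeholder", "cdrom.sys"): pristine,
    }
    for parts, data in layout.items():
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = filefind(root, "CDROM.SYS")
    for path, size, md5, sha in hits:
        print(f"{size:>8} {md5} {path}")
    for path in outliers(hits):
        print("hash differs from the other copies:", path)
```

On a real machine, pass C:\Windows as the root. One caveat: while a kernel hook like the one in the aswMBR trace is still active, user-mode reads of the patched file can be served cleaned bytes, so a matching hash from a live system is only trustworthy after the cure has taken effect on reboot or when the hashes are taken from offline media.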



