Trojan.ZbotR.Gen removed but not 100% confident it was cleaned


This topic is locked
18 replies to this topic

#1 ZippyZapp (Members, 8 posts)

Posted 22 March 2012 - 01:24 AM

Hello,

For the first time ever that I can remember my computer had a trojan that was caught by Microsoft's scanner they push you every Patch Tuesday. It informed me that I had the Zbot.gen trojan which is a password stealer. I have no idea how I picked up the virus as I am not a typical computer user. I have been fixing and repairing various versions of Windows for more than 15 years so I know what to look for in emails and websites in order to stay virus free. I don't open attachments, I don't go to unsavory websites and I don't use hacked/pirated software so I am at a loss as to how this thing ended up on my system.

At any rate I used malwarebytes to scan and it found this and fixed it:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{973A2571-AD68-159E-CAD1-522AD74619EC} (Trojan.ZbotR.Gen) -> Data: C:\Users\Paul\AppData\Roaming\Lepis\ungevei.exe -> Quarantined and deleted successfully.

Upon reading other posts on this forum I ran:
  • TDSS Killer, and it was clean
  • ATF Cleaner, and cleared some junk
  • Rootkit Buster (latest), and it was clean

I also ran GMER and I don't know what these results are saying. I attached the file as instructed and I hope someone can fill me in on what it all means as virus and malware is not my specialty.

I was freaking out that now some criminals have all my bank login details. I did change my passwords but still the thought of my passwords being jacked is freaking me out.
Thank You!


As requested here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Paul at 22:54:33 on 2012-03-21
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2046.728 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
C:\Users\Paul\Downloads\xig12hsh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.jw.org/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2D522078-91C0-484D-B25B-1DEC65C2B89F} : DhcpNameServer = 192.168.1.1
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-7 21504]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2009-4-27 47104]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-8-5 111616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-11-10 155344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]
.
=============== Created Last 30 ================
.
2074-05-08 01:38:48 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2012-03-16 17:52:59 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-16 17:52:59 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-16 17:52:59 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-16 17:52:57 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-16 17:52:56 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-16 17:52:56 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-16 17:52:56 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-16 17:52:56 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-16 17:52:56 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-01 22:26:30 -------- d-----w- c:\users\paul\appdata\roaming\Exboxo
2012-02-23 07:20:46 327432 ----a-w- c:\program files\common files\microsoft shared\vsa\9.0\vsaenv\vsaenv.exe
.
==================== Find3M ====================
.
.
============= FINISH: 22:54:51.48 ===============
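The Malwarebytes hit quoted at the top of this post is the classic shape of a Zbot persistence entry: a Run value named with a GUID, pointing at an executable under the user's AppData\Roaming profile directory. The following Python script is an added example, not code from this thread or from any of the tools named in it; it shows the kind of first-pass triage a responder applies to Run-key lines from Malwarebytes and DDS logs before deciding which entries to research further. The sample lines are constructed from the entries quoted in this post, and the directory list and reason strings are assumptions of the example. A flagged entry is a reason to look closer, not a verdict; RtHDVCpl.exe, for instance, is flagged only because it is registered by bare file name.

```python
import re

# Constructed sample input: the first line is the Malwarebytes hit quoted in
# the post above; the next four are uRun/mRun entries from the DDS log in the
# same post. Nothing else from the machine is needed.
SAMPLE_LINES = [
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{973A2571-AD68-159E-CAD1-522AD74619EC} (Trojan.ZbotR.Gen) -> Data: C:\Users\Paul\AppData\Roaming\Lepis\ungevei.exe -> Quarantined and deleted successfully.",
    r"uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe",
    r"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"mRun: [RtHDVCpl] RtHDVCpl.exe",
    r'mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"',
]

# Malwarebytes log format: <key>|<value name> (<detection>) -> Data: <data> -> <action>
MBAM_RE = re.compile(r"\|(?P<name>\S+) \((?P<detection>[^)]*)\) -> Data: (?P<data>.+?) -> ")
# DDS "Pseudo HJT" format: uRun/mRun: [<value name>] <data>
DDS_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<data>.+)$")

# Directory fragments a standard user can write to without elevation (assumed
# list for this example). A Run entry pointing there is not proof of infection,
# but it is where the Zbot sample in this thread lived.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def extract_image_path(data):
    """Return the executable portion of a Run value, without quotes or arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: keep everything up to the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def assess(name, image):
    """Reasons a Run entry deserves a closer look; an empty list means nothing notable."""
    reasons = []
    low = image.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    if "\\" not in image:
        reasons.append("bare file name, resolved through the loader search path")
    if GUID_RE.match(name):
        reasons.append("value name is a GUID rather than a product name")
    return reasons


def flag_run_entries(lines):
    """Parse Malwarebytes and DDS Run-key lines; return entries with at least one reason."""
    findings = []
    for line in lines:
        m = MBAM_RE.search(line) or DDS_RE.match(line)
        if not m:
            continue  # not a Run-key line in either format
        image = extract_image_path(m.group("data"))
        reasons = assess(m.group("name"), image)
        if reasons:
            findings.append({"name": m.group("name"), "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_run_entries(SAMPLE_LINES):
        print(f"{f['name']}: {f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the script reports two entries: the Zbot value (user-writable directory plus GUID name) and RtHDVCpl (bare file name). The remaining three entries resolve to fully qualified paths under Program Files and are left alone.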


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 March 2012 - 11:57 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long but just something so I know how things are going; it can be something like
"I am still getting redirected"
"The computer is running as it should"
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in.
These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ZippyZapp (Topic Starter, Members, 8 posts)

Posted 23 March 2012 - 07:58 PM

Hi Gringo, Thanks for the information and help, I appreciate it.

I ran ComboFix as instructed and the log is at the end of the post.

The computer is running fine and was before my post; Malwarebytes was reporting no infections on full scan but I was concerned and just wanted to be completely sure.
One thing I did notice after running Combofix today is that web pages, even ones that are not secure, in IE are letting me know that I am using a secure connection, which is clearly wrong. Perhaps the settings were wiped out and initialized to the default?

A couple of questions, if you don't mind.

1. Did my GMER logs show anything that is of concern? I noted a lot of entries relating to IE and was not sure what it meant.
2. I noticed a lot of entries from the registry that Combofix backed up, a lot relating to Visual Studio and MS TCP/IP parameters. Did it remove these entries and, if so, will I run into any problems down the road with running VS? I guess I am concerned about not only malware but breaking my system and the tools that I need.
3. Does this log show that there is a problem?

Thank You!
-Paul

----
ComboFix 12-03-22.01 - Paul 03/23/2012 17:23:46.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2046.1036 [GMT -7:00]
Running from: c:\users\Paul\Desktop\ZBot Tools\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Paul\AppData\Local\assembly\tmp
c:\users\Paul\AppData\Roaming\Start
c:\users\Paul\AppData\Roaming\Start\temp_BB40E0B5\flash.10.0.32.18.ocx
c:\users\Paul\AppData\Roaming\Start\temp_BCECE583\flash.10.0.32.18.ocx
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2074-05-08 01:38 . 2006-11-22 03:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-03-24 00:30 . 2012-03-24 00:30 -------- d-----w- c:\users\Paul\AppData\Local\temp
2012-03-23 01:40 . 2012-03-23 03:24 -------- d-----w- c:\users\Paul\AppData\Local\Adobe
2012-03-22 23:54 . 2012-03-22 23:54 -------- d-----w- c:\program files\Common Files\Java
2012-03-16 17:52 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-16 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-16 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-16 17:52 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-16 17:52 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-16 17:52 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-16 17:52 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-16 17:52 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-16 17:52 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-01 22:26 . 2012-03-15 21:58 -------- d-----w- c:\users\Paul\AppData\Roaming\Exboxo
2012-02-23 07:20 . 2012-02-23 07:20 327432 ----a-w- c:\program files\Common Files\Microsoft Shared\VSA\9.0\VsaEnv\vsaenv.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 23:53 . 2011-05-02 05:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-16 18:00 . 2008-08-08 04:49 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
2012-03-16 18:00 . 2008-08-08 04:49 1195104 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
"Skytel"="Skytel.exe" [2007-04-13 1822720]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.jw.org/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-23 17:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-187214194-34723586-2597042049-1000\Software\SecuROM\License information*]
"datasecu"=hex:1c,22,fe,df,2b,68,76,e5,fe,32,f7,62,22,27,b2,af,4c,9e,1f,e5,f6,
0b,06,f4,d8,0f,c6,23,87,ce,3b,86,52,d1,86,11,5b,8b,0c,7a,b8,17,f9,ea,11,df,\
"rkeysecu"=hex:c3,b8,98,ec,87,a1,86,6f,5d,46,5e,ce,c4,be,2e,f5
.
Completion time: 2012-03-23 17:33:01
ComboFix-quarantined-files.txt 2012-03-24 00:32
.
Pre-Run: 269,798,686,720 bytes free
Post-Run: 269,733,806,080 bytes free
.
- - End Of File - - 7E8F373BE3CB85F2E556219FE8A70C74

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 23 March 2012 - 08:13 PM

Greetings

About the non-secure pages being notified: yes, that was set back to defaults and there is a checkbox that can be checked to set it back to no notify.

Combofix makes backups just to be sure in case something goes wrong.

Your Combofix log looks very good but I am still going to run a few more scans to make sure nothing is amiss.

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 ZippyZapp (Topic Starter, Members, 8 posts)

Posted 24 March 2012 - 03:47 PM

Hi, thank you, here is the info you requested.

I really appreciate your time.

---

11:49:48.0657 3404 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
11:49:49.0172 3404 ============================================================
11:49:49.0172 3404 Current date / time: 2012/03/24 11:49:49.0172
11:49:49.0172 3404 SystemInfo:
11:49:49.0172 3404
11:49:49.0172 3404 OS Version: 6.0.6002 ServicePack: 2.0
11:49:49.0172 3404 Product type: Workstation
11:49:49.0172 3404 ComputerName: ZZC2DV
11:49:49.0172 3404 UserName: Paul
11:49:49.0172 3404 Windows directory: C:\Windows
11:49:49.0172 3404 System windows directory: C:\Windows
11:49:49.0172 3404 Processor architecture: Intel x86
11:49:49.0172 3404 Number of processors: 2
11:49:49.0172 3404 Page size: 0x1000
11:49:49.0172 3404 Boot type: Normal boot
11:49:49.0172 3404 ============================================================
11:49:49.0936 3404 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:49:49.0936 3404 Drive \Device\Harddisk1\DR1 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:49:49.0936 3404 \Device\Harddisk0\DR0:
11:49:49.0936 3404 MBR used
11:49:49.0936 3404 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
11:49:49.0936 3404 \Device\Harddisk1\DR1:
11:49:49.0936 3404 MBR used
11:49:49.0936 3404 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385000
11:49:49.0983 3404 Initialize success
11:49:49.0983 3404 ============================================================
11:49:55.0084 2984 ============================================================
11:49:55.0084 2984 Scan started
11:49:55.0084 2984 Mode: Manual;
11:49:55.0084 2984 ============================================================
11:49:55.0646 2984 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
11:49:55.0646 2984 ACPI - ok
11:49:55.0693 2984 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
11:49:55.0693 2984 adp94xx - ok
11:49:55.0739 2984 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
11:49:55.0739 2984 adpahci - ok
11:49:55.0817 2984 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
11:49:55.0817 2984 adpu160m - ok
11:49:55.0833 2984 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
11:49:55.0833 2984 adpu320 - ok
11:49:55.0880 2984 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
11:49:55.0895 2984 AeLookupSvc - ok
11:49:55.0973 2984 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
11:49:55.0973 2984 AFD - ok
11:49:56.0005 2984 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
11:49:56.0005 2984 agp440 - ok
11:49:56.0020 2984 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
11:49:56.0020 2984 aic78xx - ok
11:49:56.0051 2984 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
11:49:56.0067 2984 ALG - ok
11:49:56.0083 2984 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
11:49:56.0083 2984 aliide - ok
11:49:56.0114 2984 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
11:49:56.0114 2984 amdagp - ok
11:49:56.0129 2984 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
11:49:56.0129 2984 amdide - ok
11:49:56.0145 2984 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
11:49:56.0145 2984 AmdK7 - ok
11:49:56.0161 2984 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
11:49:56.0161 2984 AmdK8 - ok
11:49:56.0192 2984 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
11:49:56.0192 2984 Appinfo - ok
11:49:56.0254 2984 AppMgmt (0fe769cae5855b53c90e23f85e7e89ff) C:\Windows\System32\appmgmts.dll
11:49:56.0254 2984 AppMgmt - ok
11:49:56.0270 2984 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
11:49:56.0270 2984 arc - ok
11:49:56.0301 2984 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
11:49:56.0301 2984 arcsas - ok
11:49:56.0410 2984 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
11:49:56.0410 2984 aspnet_state - ok
11:49:56.0441 2984 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
11:49:56.0441 2984 AsyncMac - ok
11:49:56.0473 2984 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
11:49:56.0473 2984 atapi - ok
11:49:56.0504 2984 AtcL001 (c480fcc90662a571f8a905369e467b2e) C:\Windows\system32\DRIVERS\l160x86.sys
11:49:56.0504 2984 AtcL001 - ok
11:49:56.0535 2984 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
11:49:56.0535 2984 AudioEndpointBuilder - ok
11:49:56.0551 2984 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
11:49:56.0551 2984 Audiosrv - ok
11:49:56.0582 2984 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
11:49:56.0582 2984 Beep - ok
11:49:56.0613 2984 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll
11:49:56.0629 2984 BFE - ok
11:49:56.0675 2984 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\system32\qmgr.dll
11:49:56.0675 2984 BITS - ok
11:49:56.0707 2984 blbdrive - ok
11:49:56.0738 2984 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
11:49:56.0738 2984 bowser - ok
11:49:56.0800 2984 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
11:49:56.0800 2984 BrFiltLo - ok
11:49:56.0816 2984 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
11:49:56.0816 2984 BrFiltUp - ok
11:49:56.0847 2984 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
11:49:56.0863 2984 Browser - ok
11:49:56.0894 2984 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
11:49:56.0894 2984 Brserid - ok
11:49:56.0925 2984 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
11:49:56.0925 2984 BrSerWdm - ok
11:49:56.0956 2984 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
11:49:56.0956 2984 BrUsbMdm - ok
11:49:56.0987 2984 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
11:49:56.0987 2984 BrUsbSer - ok
11:49:57.0019 2984 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
11:49:57.0019 2984 BTHMODEM - ok
11:49:57.0159 2984 catchme - ok
11:49:57.0221 2984 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
11:49:57.0221 2984 cdfs - ok
11:49:57.0268 2984 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
11:49:57.0268 2984 cdrom - ok
11:49:57.0315 2984 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
11:49:57.0315 2984 CertPropSvc - ok
11:49:57.0362 2984 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
11:49:57.0362 2984 circlass - ok
11:49:57.0393 2984 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
11:49:57.0393 2984 CLFS - ok
11:50:08.0875 2984 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
11:50:08.0875 2984 usbuhci - ok
11:50:08.0906 2984 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
11:50:08.0906 2984 UxSms - ok
11:50:08.0937 2984 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
11:50:08.0937 2984 vds - ok
11:50:08.0984 2984 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
11:50:08.0984 2984 vga - ok
11:50:08.0999 2984 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
11:50:08.0999 2984 VgaSave - ok
11:50:09.0046 2984 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
11:50:09.0046 2984 viaagp - ok
11:50:09.0062 2984 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
11:50:09.0062 2984 ViaC7 - ok
11:50:09.0077 2984 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
11:50:09.0077 2984 viaide - ok
11:50:09.0109 2984 vmm (817da66b1b889fad1dbf669e0e2f3228) C:\Windows\system32\Drivers\vmm.sys
11:50:09.0109 2984 vmm - ok
11:50:09.0155 2984 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
11:50:09.0155 2984 volmgr - ok
11:50:09.0187 2984 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
11:50:09.0187 2984 volmgrx - ok
11:50:09.0233 2984 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
11:50:09.0233 2984 volsnap - ok
11:50:09.0280 2984 VPCNetS2 (2abe8281db609d8bb1bd1b2f93800d5f) C:\Windows\system32\DRIVERS\VMNetSrv.sys
11:50:09.0280 2984 VPCNetS2 - ok
11:50:09.0327 2984 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
11:50:09.0327 2984 vsmraid - ok
11:50:09.0389 2984 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
11:50:09.0405 2984 VSS - ok
11:50:09.0436 2984 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
11:50:09.0436 2984 W32Time - ok
11:50:09.0467 2984 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
11:50:09.0467 2984 WacomPen - ok
11:50:09.0483 2984 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
11:50:09.0483 2984 Wanarp - ok
11:50:09.0483 2984 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
11:50:09.0483 2984 Wanarpv6 - ok
11:50:09.0514 2984 wbengine (20b23332885dfb93fe0185362ee811e9) C:\Windows\system32\wbengine.exe
11:50:09.0577 2984 wbengine - ok
11:50:09.0592 2984 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
11:50:09.0608 2984 wcncsvc - ok
11:50:09.0623 2984 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
11:50:09.0623 2984 WcsPlugInService - ok
11:50:09.0639 2984 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
11:50:09.0639 2984 Wd - ok
11:50:09.0717 2984 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
11:50:09.0717 2984 Wdf01000 - ok
11:50:09.0748 2984 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
11:50:09.0748 2984 WdiServiceHost - ok
11:50:09.0764 2984 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
11:50:09.0764 2984 WdiSystemHost - ok
11:50:09.0795 2984 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
11:50:09.0811 2984 WebClient - ok
11:50:09.0857 2984 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
11:50:09.0857 2984 Wecsvc - ok
11:50:09.0873 2984 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
11:50:09.0873 2984 wercplsupport - ok
11:50:09.0904 2984 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
11:50:09.0920 2984 WerSvc - ok
11:50:09.0967 2984 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
11:50:09.0982 2984 WinDefend - ok
11:50:09.0982 2984 WinHttpAutoProxySvc - ok
11:50:10.0029 2984 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
11:50:10.0045 2984 Winmgmt - ok
11:50:10.0107 2984 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
11:50:10.0123 2984 WinRM - ok
11:50:10.0154 2984 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
11:50:10.0154 2984 Wlansvc - ok
11:50:10.0185 2984 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
11:50:10.0185 2984 WmiAcpi - ok
11:50:10.0216 2984 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
11:50:10.0216 2984 wmiApSrv - ok
11:50:10.0294 2984 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
11:50:10.0310 2984 WMPNetworkSvc - ok
11:50:10.0325 2984 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
11:50:10.0341 2984 WPDBusEnum - ok
11:50:10.0372 2984 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
11:50:10.0372 2984 WpdUsb - ok
11:50:10.0513 2984 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
11:50:10.0513 2984 WPFFontCache_v0400 - ok
11:50:10.0544 2984 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
11:50:10.0544 2984 ws2ifsl - ok
11:50:10.0575 2984 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
11:50:10.0575 2984 wscsvc - ok
11:50:10.0575 2984 WSearch - ok
11:50:10.0653 2984 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
11:50:10.0700 2984 wuauserv - ok
11:50:10.0762 2984 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
11:50:10.0762 2984 WudfPf - ok
11:50:10.0809 2984 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
11:50:10.0809 2984 WUDFRd - ok
11:50:10.0825 2984 wudfsvc (2c0206ff8d2c75ac027d1096fa2fafda) C:\Windows\System32\WUDFSvc.dll
11:50:10.0840 2984 wudfsvc - ok
11:50:10.0840 2984 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
11:50:10.0871 2984 \Device\Harddisk0\DR0 - ok
11:50:10.0871 2984 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1
11:50:10.0903 2984 \Device\Harddisk1\DR1 - ok
11:50:10.0903 2984 Boot (0x1200) (785b51c6691ad84de109a51b12dfac6d) \Device\Harddisk0\DR0\Partition0
11:50:10.0903 2984 \Device\Harddisk0\DR0\Partition0 - ok
11:50:10.0918 2984 Boot (0x1200) (d05e324251d3ea0c93814fbd9325aeac) \Device\Harddisk1\DR1\Partition0
11:50:10.0918 2984 \Device\Harddisk1\DR1\Partition0 - ok
11:50:10.0918 2984 ============================================================
11:50:10.0918 2984 Scan finished
11:50:10.0918 2984 ============================================================
11:50:10.0918 3848 Detected object count: 0
11:50:10.0918 3848 Actual detected object count: 0

----aswMBR Log ---------------------------------------------------------------------------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-24 11:52:00
-----------------------------
11:52:00.782 OS Version: Windows 6.0.6002 Service Pack 2
11:52:00.782 Number of processors: 2 586 0xF0B
11:52:00.782 ComputerName: ZZC2DV UserName: Paul
11:52:02.014 Initialize success
11:52:43.983 AVAST engine defs: 12032400
11:52:59.021 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
11:52:59.021 Disk 0 Vendor: WDC_WD1600JS-00NCB1 10.02E02 Size: 152627MB BusType: 3
11:52:59.021 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3
11:52:59.021 Disk 1 Vendor: MAXTOR_STM3500630AS 3.AAE Size: 476940MB BusType: 3
11:52:59.037 Disk 1 MBR read successfully
11:52:59.037 Disk 1 MBR scan
11:52:59.037 Disk 1 Windows VISTA default MBR code
11:52:59.052 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
11:52:59.052 Disk 1 scanning sectors +976771072
11:52:59.115 Disk 1 scanning C:\Windows\system32\drivers
11:53:06.431 Service scanning
11:53:24.293 Modules scanning
11:53:28.505 Disk 1 trace - called modules:
11:53:28.536 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
11:53:28.536 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x852924c8]
11:53:28.536 3 CLASSPNP.SYS[87fc28b3] -> nt!IofCallDriver -> [0x84c4fa70]
11:53:28.536 5 acpi.sys[806966bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0x84c31b98]
11:53:29.613 AVAST engine scan C:\Windows
11:53:32.795 AVAST engine scan C:\Windows\system32
11:57:05.907 AVAST engine scan C:\Windows\system32\drivers
11:57:17.872 AVAST engine scan C:\Users\Paul
12:04:40.849 AVAST engine scan C:\ProgramData
12:05:38.507 Scan finished successfully
13:43:04.506 Disk 1 MBR has been saved successfully to "C:\Users\Paul\Desktop\ZBot Tools\MBR.dat"
13:43:04.506 The log file has been saved successfully to "C:\Users\Paul\Desktop\ZBot Tools\aswMBR.txt"

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 March 2012 - 10:35 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 ZippyZapp (Topic Starter, Members)

Posted 25 March 2012 - 05:36 PM

Hi gringo, here is the info you requested.

The computer seems to be running fine. I didn't really notice any problems even before the malware was detected. Any ideas how it got on my system? I know for a fact I did not install some stupid scam app or attachment or some other fake web page or advert, as I know enough to not get tricked into socially engineered malware. I don't think anyone else has used my computer. I guess it is possible it may have come through a Java or Flash app? I do run Minecraft, which is the only reason I have Java installed. Flash was not the most recent version. I am at a loss to figure it out...

Anyway here is the log you asked for and thank you again:

ComboFix 12-03-22.01 - Paul 03/25/2012 15:17:21.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2046.1103 [GMT -7:00]
Running from: c:\users\Paul\Desktop\ZBot Tools\ComboFix.exe
Command switches used :: c:\users\Paul\Desktop\ZBot Tools\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2074-05-08 01:38 . 2006-11-22 03:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-03-25 22:26 . 2012-03-25 22:26 -------- d-----w- c:\users\Evan\AppData\Local\temp
2012-03-25 22:26 . 2012-03-25 22:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-24 00:33 . 2012-03-25 22:26 -------- d-----w- c:\users\Paul\AppData\Local\temp
2012-03-23 01:40 . 2012-03-23 03:24 -------- d-----w- c:\users\Paul\AppData\Local\Adobe
2012-03-22 23:54 . 2012-03-22 23:54 -------- d-----w- c:\program files\Common Files\Java
2012-03-16 17:52 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-16 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-16 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-16 17:52 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-16 17:52 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-16 17:52 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-16 17:52 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-16 17:52 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-16 17:52 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-01 22:26 . 2012-03-15 21:58 -------- d-----w- c:\users\Paul\AppData\Roaming\Exboxo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 23:53 . 2011-05-02 05:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-16 18:00 . 2008-08-08 04:49 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
2012-03-16 18:00 . 2008-08-08 04:49 1195104 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
"Skytel"="Skytel.exe" [2007-04-13 1822720]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.jw.org/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 15:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-187214194-34723586-2597042049-1000\Software\SecuROM\License information*]
"datasecu"=hex:1c,22,fe,df,2b,68,76,e5,fe,32,f7,62,22,27,b2,af,4c,9e,1f,e5,f6,
0b,06,f4,d8,0f,c6,23,87,ce,3b,86,52,d1,86,11,5b,8b,0c,7a,b8,17,f9,ea,11,df,\
"rkeysecu"=hex:c3,b8,98,ec,87,a1,86,6f,5d,46,5e,ce,c4,be,2e,f5
.
Completion time: 2012-03-25 15:29:37
ComboFix-quarantined-files.txt 2012-03-25 22:29
ComboFix2.txt 2012-03-24 00:33
.
Pre-Run: 266,622,623,744 bytes free
Post-Run: 266,737,061,888 bytes free
.
- - End Of File - - 35AA04ADD6B2A23B30460B354333E956

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 March 2012 - 08:43 PM

Hello

Just going to an infected web site is good enough

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 9.4.4
Java™ 6 Update 29


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 ZippyZapp (Topic Starter, Members)

Posted 26 March 2012 - 12:22 AM

Hi, thanks. Here are the logs you requested.

As for the problems I am seeing, I am getting a message when I try to launch a GOG.COM installer for a game I purchased. I installed them before without a problem, so I'm not sure if it is related:

ShellExecuteEX failed code 267
the directory name is invalid.

It could be something funky with these two installers. I'll try downloading them again.

MBAM Log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.26.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Paul :: ZZC2DV [administrator]

3/25/2012 9:33:05 PM
mbam-log-2012-03-25 (21-33-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214848
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:21:35 PM, on 3/25/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
C:\Program Files\HiJack\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jw.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 3554 bytes

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 March 2012 - 08:11 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Skytel] Skytel.exe
    • O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard, or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
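The HijackThis steps above boil down to reading the O4 Run keys and deleting the checked value names. As an added example (not gringo_pr's instructions or HijackThis code), this PowerShell script lists the same autostart locations in O4 format so the lines can be compared with the log, and removes only the value names from the post; the Wow6432Node key is assumed to be the 32-bit view on a 64-bit Windows, and the -WhatIf switch previews removals without touching the registry.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt (HKLM changes need administrator rights). Value names default to the
# two entries named in the post; check the printed O4 lines before removing.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Value names to remove, exactly as they appear in brackets in the O4 lines
    [string[]]$Remove = @('Skytel', 'WMPNSCFG')
)

# The Run keys HijackThis reports as O4 entries (assumed key list)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Properties PowerShell adds to Get-ItemProperty output; these are not registry values
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $hive = if ($key -like 'HKLM:*') { 'HKLM' } else { 'HKCU' }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        # Print in HijackThis' own O4 format: O4 - <hive>\..\Run: [<name>] <command>
        "O4 - $hive\..\Run: [$($p.Name)] $($p.Value)"
        if ($Remove -contains $p.Name) {
            # ShouldProcess honours -WhatIf / -Confirm, so nothing is deleted by accident
            if ($PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove autostart value')) {
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
}
```

Run it once with -WhatIf to see every O4 line and which ones would be removed, then again without it once you have researched the names as the note above describes.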

#11 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 March 2012 - 11:21 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#12 ZippyZapp (Topic Starter)

  • Members
  • 8 posts

Posted 30 March 2012 - 08:07 PM

Hi thanks for the reply I am going to run the scan tonight, I have been crazy busy the last couple days.

I'll reply with the logs a bit later.

Thank You again for your help!

#13 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 30 March 2012 - 09:11 PM

No problem, I will be around for the next 7 hours.


gringo

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 01 April 2012 - 11:24 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#15 ZippyZapp (Topic Starter)

  • Members
  • 8 posts

Posted 04 April 2012 - 06:23 PM

Sorry about the delay. I have just been extremely busy. I appreciate your patience and your help.

My system is running well but apparently a few files are infected. Here is the log that you requested:

C:\Users\Paul\Documents\VMShare\LG5tool.rar a variant of Win32/TrojanProxy.VB.NAH trojan
C:\Users\Paul\Documents\VMShare\LG5tool\LG5tool.exe a variant of Win32/TrojanProxy.VB.NAH trojan
D:\Documents and Settings\Paul\Desktop\Downloads\Updates\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application

Fortunately the LG5tool was only run in a VM, and it was checked at the time, a year or so back, and I thought it was clean, but who knows.

Also, the LG5Tool is a proxy tool that enabled PS3 online gaming without updating to a forced firmware. I think I experimented with it, but I believe it was only in a VM.


Thanks!



