Not sure.


  • This topic is locked
27 replies to this topic

#1 niteman69

niteman69

  • Members
  • 16 posts

Posted 27 March 2012 - 10:58 AM

Hello, I have a very old Dell Dimm4700 running WinXP Home. I use IE8 and Chrome 17.0.963.83. Here is my Piriform Speccy summary:

Summary
Operating System
MS Windows XP Home 32-bit SP3
CPU
Intel Pentium 4 520
Prescott 90nm Technology
RAM
3.00 GB Dual-Channel DDR2 @ 266MHz (4-4-4-12)
Motherboard
Dell Inc. 0M3918 (Microprocessor)
Graphics
SYLVANIA (1600x900@60Hz)
512MB ATI Radeon HD 4350 (VISIONTEK)
Hard Drives
39.1GB Seagate ST340014AS (SATA) 35 °C
Optical Drives
HL-DT-ST DVD-ROM GDR8163B
HL-DT-ST DVD-RAM GH22LP20
Audio
ATI Function Driver for High Definition Audio - ATI AA01

I have read many of the posts here since late Jan. 2012, looking to learn, since I am just a bit paranoid about spyware, viruses and such. I have DLed many of the programs mentioned here and used them with mixed results. List of a few that are still on my system:
SmithfraudFix, Auslogics Disk Defrag and Registry Cleaner, avast Free, CCleaner, Malwarebytes, SUPERAntiSpyware, TDSKiller, TFC, UnHackMe, System Mechanic and HiJackThis.

I have run all of these in safe mode as well. My system is running very, very slow, I have had a huge increase in spam, and both browsers are crashing about every 20 minutes or so, even after a full restore and update of all drivers. Can anyone please look at my HiJackThis report and let me know if I am OK as far as that goes or not.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:17:39, on 3/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Documents and Settings\niteman69\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\niteman69\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1331014780125
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 4524 bytes

Hope I have given enough info here. If you need more please ask.

Edited by hamluis, 27 March 2012 - 11:21 AM.
Moved from XP to Malware Removal Logs.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 March 2012 - 09:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your HijackThis log is clean.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any issues with this computer.

#3 niteman69

niteman69
  • Topic Starter

  • Members
  • 16 posts

Posted 01 April 2012 - 02:37 AM

First let me say thank you for this help, nasdaq. Glad my HijackThis log was OK. I ran and am posting my Security Check report. If you need any more info please ask. BTW my Adobe Reader is outdated; PC World says there are better and safer readers out there, and I am looking at them tonight.

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
iolo technologies' System Mechanic
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
CCleaner
Auslogics Registry Cleaner
Java™ 6 Update 31
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
iolo Common Lib ioloServiceManager.exe
``````````End of Log````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2012 - 07:41 AM

Until you find something you like, update Reader.

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

#5 niteman69

niteman69
  • Topic Starter

  • Members
  • 16 posts

Posted 01 April 2012 - 03:45 PM

Attached File: regrunlog.txt (287.49KB)

I got home from work today and my avast was shut off, as was my firewall, so I unhooked from the internet, went to safe mode and re-ran all reports. Here they are. I am running slow once more and wanted to give you these while I was having the problem.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 April 2012 - 08:39 AM

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java™ Plug-In 2 SSV Helper - {2B5006B7-2135-5542-67F4-37134F340B6B} - C:\WINDOWS\system32\slbcssp.dll
O2 - BHO: Windows Live ID Sign-in Helper - {750B24D9-4473-0FE9-652E-3F116E425935} - C:\WINDOWS\system32\jscriipt.dll


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold.

C:\WINDOWS\system32\slbcssp.dl
C:\WINDOWS\system32\jscriipt.dll
P.S. Make sure you delete the exact files.

Restart the computer normally.

This time we will check deeper.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

===

Please Download
TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.

Please post the logs and let me know what problem persists.
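The two O2 entries nasdaq asks to have fixed stand out in the same way a log-diff would catch them: one reuses the display name of a BHO already present in the first, clean log but under a different CLSID and DLL path, and the other loads a DLL whose name is one letter off a common Windows DLL. As an added example (not code from the thread or from HijackThis), the following Python check parses the O2 lines of both logs and reports such entries; the sample log lines are copied from this thread, and the watch-list of system DLL names is the example's own assumption.

```python
"""Flag suspicious O2 (BHO) entries in a HijackThis log by diffing against a baseline.

Added example for this thread; not part of HijackThis or of any post in it.
"""
import re
from dataclasses import dataclass

# O2 lines have the shape: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Constructed sample: the O2 lines from the first (clean) HijackThis log in this thread.
CLEAN_LOG = r"""
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
"""

# Constructed sample: the same log plus the two entries nasdaq asked to have fixed.
LATER_LOG = CLEAN_LOG + r"""
O2 - BHO: Java™ Plug-In 2 SSV Helper - {2B5006B7-2135-5542-67F4-37134F340B6B} - C:\WINDOWS\system32\slbcssp.dll
O2 - BHO: Windows Live ID Sign-in Helper - {750B24D9-4473-0FE9-652E-3F116E425935} - C:\WINDOWS\system32\jscriipt.dll
"""

# Assumed watch-list of Windows DLL names that impostor files tend to imitate.
SYSTEM_DLLS = ("jscript.dll", "vbscript.dll", "mshtml.dll", "browseui.dll", "shdocvw.dll", "urlmon.dll")


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    path: str

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_o2(log: str) -> list[Bho]:
    """Extract the O2 (BHO) entries from HijackThis log text; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_bhos(baseline_log: str, current_log: str) -> list[tuple[str, str]]:
    """Return (dll filename, reason) for BHOs new since the baseline that look like impostors.

    Two signals: the entry reuses a baseline display name under a different CLSID/path,
    or its DLL name is exactly one edit away from a well-known system DLL.
    """
    baseline = parse_o2(baseline_log)
    known_clsids = {b.clsid for b in baseline}
    name_to_paths: dict[str, set[str]] = {}
    for b in baseline:
        name_to_paths.setdefault(b.name, set()).add(b.path.lower())

    findings = []
    for b in parse_o2(current_log):
        if b.clsid in known_clsids:
            continue  # present in the clean log: unchanged entry
        if b.name in name_to_paths and b.path.lower() not in name_to_paths[b.name]:
            findings.append((b.filename, f"reuses display name '{b.name}' with a new CLSID and path"))
        for legit in SYSTEM_DLLS:
            if b.filename != legit and edit_distance(b.filename, legit) == 1:
                findings.append((b.filename, f"filename is one edit away from {legit}"))
    return findings


if __name__ == "__main__":
    for dll, reason in suspicious_bhos(CLEAN_LOG, LATER_LOG):
        print(f"{dll}: {reason}")
```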

#7 niteman69

niteman69
  • Topic Starter

  • Members
  • 16 posts

Posted 05 April 2012 - 05:34 PM

Hello and once more thank you very much for the help here. Sorry that sometimes it takes a few days; when I get the chance to work on it, I take it.

OK, I printed out your last reply and did, or tried to do, all you asked in the way you asked. Could not find C:\WINDOWS\system32\slbcssp.dl. I have tried three times to run the DDS tool; every time I do I get something very new for me: a sort of dark blue screen comes on and it says:

IRQL_NOT_LESS_OR_EQUAL

With a bunch of stuff about new hardware/software and safe mode it ends with:

Stop: 0x0000000A (0x00000028, 0x00000002, 0x00000000, 0x8051F777)

This is a new one...

So, I ran TDSS here is that log:

18:17:34.0687 3520 NBVol - ok
18:17:34.0781 3520 NBVolUp (c0cf3cccce3c75f7280c89029ab47866) C:\WINDOWS\system32\DRIVERS\NBVolUp.sys
18:17:34.0781 3520 NBVolUp - ok
18:17:34.0859 3520 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:17:34.0875 3520 NDIS - ok
18:17:34.0937 3520 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:17:34.0937 3520 NdisIP - ok
18:17:35.0015 3520 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:17:35.0015 3520 NdisTapi - ok
18:17:35.0093 3520 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:17:35.0093 3520 Ndisuio - ok
18:17:35.0187 3520 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:17:35.0187 3520 NdisWan - ok
18:17:35.0250 3520 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:17:35.0250 3520 NDProxy - ok
18:17:35.0328 3520 Net Driver HPZ12 (510c138564486ff926a3f773205c63d1) C:\WINDOWS\system32\HPZinw12.dll
18:17:35.0328 3520 Net Driver HPZ12 - ok
18:17:35.0406 3520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:17:35.0406 3520 NetBIOS - ok
18:17:35.0484 3520 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:17:35.0484 3520 NetBT - ok
18:17:35.0562 3520 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:17:35.0562 3520 NetDDE - ok
18:17:35.0578 3520 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:17:35.0578 3520 NetDDEdsdm - ok
18:17:35.0640 3520 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:17:35.0640 3520 Netlogon - ok
18:17:35.0734 3520 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:17:35.0734 3520 Netman - ok
18:17:35.0828 3520 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:17:35.0828 3520 NetTcpPortSharing - ok
18:17:35.0906 3520 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:17:35.0921 3520 Nla - ok
18:17:36.0000 3520 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:17:36.0000 3520 Npfs - ok
18:17:36.0078 3520 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:17:36.0093 3520 Ntfs - ok
18:17:36.0156 3520 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:17:36.0171 3520 NtLmSsp - ok
18:17:36.0250 3520 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:17:36.0265 3520 NtmsSvc - ok
18:17:36.0359 3520 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:17:36.0359 3520 Null - ok
18:17:36.0437 3520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:17:36.0437 3520 NwlnkFlt - ok
18:17:36.0515 3520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:17:36.0515 3520 NwlnkFwd - ok
18:17:36.0609 3520 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
18:17:36.0609 3520 OMCI - ok
18:17:36.0687 3520 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
18:17:36.0687 3520 ossrv - ok
18:17:36.0781 3520 P17 (a3e46e5b49e3240f52dfd6d9c8ee4bc5) C:\WINDOWS\system32\drivers\P17.sys
18:17:36.0781 3520 Suspicious file (Forged): C:\WINDOWS\system32\drivers\P17.sys. Real md5: a3e46e5b49e3240f52dfd6d9c8ee4bc5, Fake md5: df886ffed69aead0cf608b89b18c3f6f
18:17:36.0796 3520 P17 ( ForgedFile.Multi.Generic ) - warning
18:17:36.0796 3520 P17 - detected ForgedFile.Multi.Generic (1)
18:17:36.0875 3520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:17:36.0875 3520 Parport - ok
18:17:36.0921 3520 Partizan - ok
18:17:36.0984 3520 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:17:36.0984 3520 PartMgr - ok
18:17:37.0062 3520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:17:37.0062 3520 ParVdm - ok
18:17:37.0140 3520 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:17:37.0140 3520 PCI - ok
18:17:37.0171 3520 PCIDump - ok
18:17:37.0250 3520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:17:37.0250 3520 PCIIde - ok
18:17:37.0328 3520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:17:37.0328 3520 Pcmcia - ok
18:17:37.0390 3520 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
18:17:37.0390 3520 pcouffin - ok
18:17:37.0437 3520 PDCOMP - ok
18:17:37.0468 3520 PDFRAME - ok
18:17:37.0500 3520 PDRELI - ok
18:17:37.0531 3520 PDRFRAME - ok
18:17:37.0562 3520 perc2 - ok
18:17:37.0593 3520 perc2hib - ok
18:17:37.0656 3520 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:17:37.0656 3520 PlugPlay - ok
18:17:37.0718 3520 Pml Driver HPZ12 (37e5e8ffbad35605daeec3224ea0e465) C:\WINDOWS\system32\HPZipm12.dll
18:17:37.0718 3520 Pml Driver HPZ12 - ok
18:17:37.0781 3520 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:17:37.0781 3520 PolicyAgent - ok
18:17:37.0859 3520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:17:37.0859 3520 PptpMiniport - ok
18:17:37.0937 3520 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:17:37.0937 3520 ProtectedStorage - ok
18:17:38.0031 3520 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:17:38.0031 3520 PSched - ok
18:17:38.0093 3520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:17:38.0093 3520 Ptilink - ok
18:17:38.0140 3520 ql1080 - ok
18:17:38.0171 3520 Ql10wnt - ok
18:17:38.0203 3520 ql12160 - ok
18:17:38.0234 3520 ql1240 - ok
18:17:38.0265 3520 ql1280 - ok
18:17:38.0328 3520 RapportCerberus_34302 - ok
18:17:38.0343 3520 RapportEI - ok
18:17:38.0359 3520 RapportIaso - ok
18:17:38.0421 3520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:17:38.0437 3520 RasAcd - ok
18:17:38.0500 3520 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:17:38.0500 3520 RasAuto - ok
18:17:38.0562 3520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:17:38.0562 3520 Rasl2tp - ok
18:17:38.0625 3520 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:17:38.0640 3520 RasMan - ok
18:17:38.0718 3520 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:17:38.0718 3520 RasPppoe - ok
18:17:38.0781 3520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:17:38.0781 3520 Raspti - ok
18:17:38.0843 3520 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:17:38.0859 3520 Rdbss - ok
18:17:38.0921 3520 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:17:38.0921 3520 RDPCDD - ok
18:17:39.0000 3520 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:17:39.0000 3520 RDPWD - ok
18:17:39.0062 3520 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:17:39.0078 3520 RDSessMgr - ok
18:17:39.0140 3520 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:17:39.0140 3520 redbook - ok
18:17:39.0187 3520 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:17:39.0187 3520 RemoteAccess - ok
18:17:39.0234 3520 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:17:39.0250 3520 RpcLocator - ok
18:17:39.0296 3520 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:17:39.0312 3520 RpcSs - ok
18:17:39.0375 3520 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:17:39.0375 3520 RSVP - ok
18:17:39.0437 3520 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:17:39.0453 3520 SamSs - ok
18:17:39.0515 3520 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:17:39.0531 3520 SCardSvr - ok
18:17:39.0593 3520 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:17:39.0609 3520 Schedule - ok
18:17:39.0687 3520 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:17:39.0687 3520 Secdrv - ok
18:17:39.0750 3520 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:17:39.0765 3520 seclogon - ok
18:17:39.0828 3520 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:17:39.0828 3520 SENS - ok
18:17:39.0890 3520 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:17:39.0890 3520 serenum - ok
18:17:39.0984 3520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:17:39.0984 3520 Serial - ok
18:17:40.0078 3520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:17:40.0078 3520 Sfloppy - ok
18:17:40.0171 3520 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:17:40.0187 3520 SharedAccess - ok
18:17:40.0265 3520 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:17:40.0265 3520 ShellHWDetection - ok
18:17:40.0328 3520 Simbad - ok
18:17:40.0375 3520 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:17:40.0375 3520 SLIP - ok
18:17:40.0468 3520 Sparrow - ok
18:17:40.0515 3520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:17:40.0515 3520 splitter - ok
18:17:40.0578 3520 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:17:40.0578 3520 Spooler - ok
18:17:40.0656 3520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:17:40.0656 3520 sr - ok
18:17:40.0718 3520 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:17:40.0734 3520 srservice - ok
18:17:40.0796 3520 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:17:40.0812 3520 Srv - ok
18:17:40.0890 3520 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:17:40.0890 3520 SSDPSRV - ok
18:17:40.0968 3520 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:17:40.0984 3520 stisvc - ok
18:17:41.0046 3520 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:17:41.0062 3520 streamip - ok
18:17:41.0125 3520 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:17:41.0125 3520 swenum - ok
18:17:41.0171 3520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:17:41.0171 3520 swmidi - ok
18:17:41.0234 3520 SwPrv - ok
18:17:41.0281 3520 symc810 - ok
18:17:41.0296 3520 symc8xx - ok
18:17:41.0328 3520 sym_hi - ok
18:17:41.0359 3520 sym_u3 - ok
18:17:41.0406 3520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:17:41.0406 3520 sysaudio - ok
18:17:41.0468 3520 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:17:41.0484 3520 SysmonLog - ok
18:17:41.0531 3520 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:17:41.0562 3520 TapiSrv - ok
18:17:41.0640 3520 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:17:41.0656 3520 Tcpip - ok
18:17:41.0718 3520 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:17:41.0718 3520 TDPIPE - ok
18:17:41.0796 3520 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:17:41.0796 3520 TDTCP - ok
18:17:41.0859 3520 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:17:41.0875 3520 TermDD - ok
18:17:41.0953 3520 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:17:41.0968 3520 TermService - ok
18:17:42.0046 3520 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:17:42.0046 3520 Themes - ok
18:17:42.0078 3520 TosIde - ok
18:17:42.0125 3520 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:17:42.0140 3520 TrkWks - ok
18:17:42.0203 3520 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:17:42.0218 3520 Udfs - ok
18:17:42.0265 3520 ultra - ok
18:17:42.0343 3520 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:17:42.0359 3520 Update - ok
18:17:42.0437 3520 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:17:42.0437 3520 upnphost - ok
18:17:42.0515 3520 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:17:42.0515 3520 UPS - ok
18:17:42.0593 3520 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:17:42.0593 3520 usbaudio - ok
18:17:42.0656 3520 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:17:42.0656 3520 usbccgp - ok
18:17:42.0718 3520 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:17:42.0718 3520 usbehci - ok
18:17:42.0781 3520 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:17:42.0781 3520 usbhub - ok
18:17:42.0859 3520 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:17:42.0859 3520 usbprint - ok
18:17:42.0937 3520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:17:42.0937 3520 usbscan - ok
18:17:43.0000 3520 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:17:43.0000 3520 USBSTOR - ok
18:17:43.0062 3520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:17:43.0062 3520 usbuhci - ok
18:17:43.0140 3520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:17:43.0140 3520 VgaSave - ok
18:17:43.0187 3520 ViaIde - ok
18:17:43.0234 3520 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:17:43.0234 3520 VolSnap - ok
18:17:43.0312 3520 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:17:43.0328 3520 VSS - ok
18:17:43.0437 3520 VX3000 (e26744e5dd71a16e80d4dd5a286b8423) C:\WINDOWS\system32\DRIVERS\VX3000.sys
18:17:43.0453 3520 VX3000 - ok
18:17:43.0531 3520 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:17:43.0531 3520 W32Time - ok
18:17:43.0609 3520 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:17:43.0609 3520 Wanarp - ok
18:17:43.0671 3520 WDICA - ok
18:17:43.0718 3520 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:17:43.0718 3520 wdmaud - ok
18:17:43.0781 3520 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:17:43.0796 3520 WebClient - ok
18:17:43.0875 3520 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:17:43.0875 3520 winmgmt - ok
18:17:43.0968 3520 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
18:17:44.0031 3520 WinRM - ok
18:17:44.0125 3520 WmdmPmSN (051b1bdecd6dee18c771b5d5ec7f044d) C:\WINDOWS\system32\MsPMSNSv.dll
18:17:44.0125 3520 WmdmPmSN - ok
18:17:44.0218 3520 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:17:44.0218 3520 WmiApSrv - ok
18:17:44.0296 3520 WMPNetworkSvc (6bab4dc65515a098505f8b3d01fb6fe5) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:17:44.0328 3520 WMPNetworkSvc - ok
18:17:44.0484 3520 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
18:17:44.0515 3520 WPFFontCache_v0400 - ok
18:17:44.0593 3520 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:17:44.0593 3520 wscsvc - ok
18:17:44.0640 3520 WSearch - ok
18:17:44.0703 3520 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:17:44.0703 3520 WSTCODEC - ok
18:17:44.0765 3520 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:17:44.0781 3520 wuauserv - ok
18:17:44.0859 3520 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:17:44.0859 3520 WudfPf - ok
18:17:44.0937 3520 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:17:44.0937 3520 WudfRd - ok
18:17:45.0000 3520 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:17:45.0000 3520 WudfSvc - ok
18:17:45.0062 3520 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:17:45.0093 3520 WZCSVC - ok
18:17:45.0156 3520 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:17:45.0171 3520 xmlprov - ok
18:17:45.0203 3520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:17:45.0328 3520 \Device\Harddisk0\DR0 - ok
18:17:45.0328 3520 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR3
18:17:56.0328 3520 \Device\Harddisk1\DR3 - ok
18:17:56.0343 3520 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk2\DR4
18:17:56.0343 3520 \Device\Harddisk2\DR4 - ok
18:17:56.0359 3520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk3\DR5
18:17:59.0578 3520 \Device\Harddisk3\DR5 - ok
18:17:59.0593 3520 Boot (0x1200) (d154b0ff879fc9b4c7151f32aeaeec2b) \Device\Harddisk0\DR0\Partition0
18:17:59.0593 3520 \Device\Harddisk0\DR0\Partition0 - ok
18:17:59.0593 3520 Boot (0x1200) (189561741b6b6fffee41513e7d6817ea) \Device\Harddisk1\DR3\Partition0
18:17:59.0593 3520 \Device\Harddisk1\DR3\Partition0 - ok
18:17:59.0609 3520 Boot (0x1200) (782553c1da3fe67a05da134e9bbc5bde) \Device\Harddisk2\DR4\Partition0
18:17:59.0609 3520 \Device\Harddisk2\DR4\Partition0 - ok
18:17:59.0609 3520 Boot (0x1200) (9fc327b8a1b3ab97313d34564ff30025) \Device\Harddisk3\DR5\Partition0
18:17:59.0609 3520 \Device\Harddisk3\DR5\Partition0 - ok
18:17:59.0609 3520 ============================================================
18:17:59.0609 3520 Scan finished
18:17:59.0609 3520 ============================================================
18:17:59.0625 3512 Detected object count: 1
18:17:59.0625 3512 Actual detected object count: 1
18:19:27.0281 3512 P17 ( ForgedFile.Multi.Generic ) - skipped by user
18:19:27.0281 3512 P17 ( ForgedFile.Multi.Generic ) - User select action: Skip


The third one I will run now and get back ASAP. With the Holiday coming up I will be working more so that those with families can take the time off. And please take your time and have a great Holiday.

#8 niteman69 (Topic Starter)

Posted 06 April 2012 - 02:31 AM

It seems I cannot attach the DAT file; I am not permitted to upload this type of file. Here is the log though:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-05 21:34:10
-----------------------------
21:34:10.906 OS Version: Windows 5.1.2600 Service Pack 3
21:34:10.906 Number of processors: 1 586 0x401
21:34:10.906 ComputerName: NITEMAN UserName:
21:34:11.484 Initialize success
21:34:11.593 AVAST engine defs: 12040501
21:34:18.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
21:34:18.734 Disk 0 Vendor: ST340014AS 8.12 Size: 38146MB BusType: 3
21:34:18.750 Disk 0 MBR read successfully
21:34:18.750 Disk 0 MBR scan
21:34:18.765 Disk 0 Windows XP default MBR code
21:34:18.765 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 54 MB offset 63
21:34:18.765 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38083 MB offset 112455
21:34:18.781 Disk 0 scanning sectors +78108030
21:34:18.843 Disk 0 scanning C:\WINDOWS\system32\drivers
21:34:27.296 Service scanning
21:34:42.859 Modules scanning
21:34:50.671 Disk 0 trace - called modules:
21:34:50.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:34:50.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4a8ab8]
21:34:51.015 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a4f3d98]
21:34:51.265 AVAST engine scan C:\
21:36:23.171 File: C:\Documents and Settings\niteman69\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe **INFECTED** Win32:Malware-gen
22:24:07.968 Scan finished successfully
03:21:06.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\niteman69\Desktop\MBR.dat"
03:21:06.765 The log file has been saved successfully to "C:\Documents and Settings\niteman69\Desktop\aswMBR.txt"
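The aswMBR log above prints the partition table it read from the saved MBR (a 0xDE Dell Utility partition at sector 63 and an active 0x07 NTFS partition at sector 112455). The following is an added example, not code from the thread, from aswMBR or from TDSSKiller: it parses a raw 512-byte MBR image such as the MBR.dat that aswMBR saved to the Desktop, prints the same fields the tool does, checks for the findings a responder looks for (missing boot signature, more or fewer than one active partition, overlapping extents), and hashes the first 0x1B8 bytes of bootstrap code. The sample sector is constructed here to reproduce the layout in the log; its boot code is filler, so its hash will not match anything in the thread. That TDSSKiller's "MBR (0x1B8)" line is the MD5 of the first 0x1B8 bytes is this example's assumption; `build_sample_mbr`, `parse_mbr`, `sanity_check` and `boot_code_md5` are this example's own names.

```python
"""Parse an MBR image such as the MBR.dat that aswMBR saves.

Added example; not part of the thread, aswMBR or TDSSKiller. The sample
sector built below is constructed to reproduce the partition layout the
thread's aswMBR log printed; its bootstrap bytes are filler.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
BOOT_CODE_LEN = 0x1B8   # assumption: the length behind TDSSKiller's "MBR (0x1B8)" label
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

PART_TYPES = {0x00: "empty", 0x07: "HPFS/NTFS", 0xDE: "Dell Utility"}


def build_sample_mbr():
    """Constructed sample: filler boot code plus the two partitions from the log."""
    mbr = bytearray(b"\x90" * BOOT_CODE_LEN)            # NOPs stand in for real boot code
    mbr += b"\x00" * 4 + b"\x00\x00"                    # disk signature + reserved -> 446 bytes
    entries = [
        # (status, type, lba_start, sector_count)
        (0x00, 0xDE, 63, 112455 - 63),                  # Dell Utility, ~54 MB
        (0x80, 0x07, 112455, 78108030 - 112455),        # NTFS, active, ~38083 MB
    ]
    for status, ptype, start, count in entries:
        mbr += struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr += b"\x00" * 16 * (4 - len(entries))            # unused table slots
    mbr += b"\x55\xaa"                                  # boot signature
    assert len(mbr) == SECTOR
    return bytes(mbr)


def has_boot_signature(mbr):
    return len(mbr) >= SECTOR and mbr[510:512] == b"\x55\xaa"


def parse_mbr(mbr):
    """Return one dict per used partition entry, in table order."""
    if not has_boot_signature(mbr):
        raise ValueError("not a valid MBR: short image or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": start,
            "sectors": count,
            "size_mb": count // 2048,                   # 512-byte sectors
        })
    return parts


def sanity_check(parts):
    """Findings worth a second look: bad status bytes, stray active flags, overlaps."""
    findings = []
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


def boot_code_md5(mbr):
    """MD5 of the bootstrap code only (disk signature and table excluded)."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(data):
        flag = "(A)" if p["active"] else "   "
        print("Partition %d %s %02X %-12s %6d MB offset %d"
              % (p["index"], flag, p["type"], p["type_name"], p["size_mb"], p["lba_start"]))
    print("boot code md5:", boot_code_md5(data))
    for f in sanity_check(parse_mbr(data)):
        print("!", f)
```

Run it with the path to MBR.dat as the only argument to print that disk's table; with no argument it parses the constructed sample. The size column rounds down to whole megabytes, which is why the sample's 112392-sector first partition prints as 54 MB, the same figure the aswMBR log shows.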

#9 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 06 April 2012 - 09:15 AM

We have to look into this error message.

18:17:36.0781 3520 P17 (a3e46e5b49e3240f52dfd6d9c8ee4bc5) C:\WINDOWS\system32\drivers\P17.sys
18:17:36.0781 3520 Suspicious file (Forged): C:\WINDOWS\system32\drivers\P17.sys. Real md5: a3e46e5b49e3240f52dfd6d9c8ee4bc5, Fake md5: df886ffed69aead0cf608b89b18c3f6f


Let's see if we can find a good copy.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    P17.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

This one may be a false positive. If you have any difficulties with Chrome I would remove it using the Add/Remove Programs list and reinstall it.

21:36:23.171 File: C:\Documents and Settings\niteman69\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe **INFECTED** Win32:Malware-gen


===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Please post the logs and let me know what problem persists.
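The post above asks for a SystemLook `:filefind` on P17.sys so that the installed driver can be compared, by MD5, against any other copy on the disk and against the two hashes TDSSKiller printed. The following is an added example, not code from the thread, from SystemLook or from TDSSKiller: it parses the `:filefind` result lines (the two lines that were later posted in this thread are embedded as sample input), groups the copies by hash and size, reports whether the installed copy matches any backup, and carries TDSSKiller's two hashes through under the labels TDSSKiller gave them without relying on how the tool obtains each value. It also hashes a local file through the normal file API, which is the same view SystemLook reports. The function names are this example's own.

```python
"""Compare the copies of a driver that SystemLook's :filefind lists.

Added example; not code from the thread, from SystemLook or from TDSSKiller.
The sample input is the two result lines posted in the thread; the TDSSKiller
hashes are the two values printed in the thread for the installed P17.sys.
"""
import hashlib
import re

# The two result lines from the SystemLook log posted in the thread.
SYSTEMLOOK_OUTPUT = r"""
Searching for "P17.sys"
C:\WINDOWS\system32\drivers\P17.sys --a---- 1127936 bytes [08:14 07/07/2005] [06:47 15/06/2007] DF886FFED69AEAD0CF608B89B18C3F6F
C:\WINDOWS\system32\ReinstallBackups\0042\DriverFiles\i386\P17.sys -ra---- 1389056 bytes [21:19 15/03/2012] [08:14 07/07/2005] 1DB419CB76493F6292CCFBDC3466F5FF
"""

# The two hashes TDSSKiller printed for the installed P17.sys, under its own labels.
TDSS_REAL_MD5 = "a3e46e5b49e3240f52dfd6d9c8ee4bc5"
TDSS_FAKE_MD5 = "df886ffed69aead0cf608b89b18c3f6f"

# <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per result line; lines that are not results are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].lower()
            entries.append(e)
    return entries


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """Hash a file through the normal file API, the same view SystemLook reports."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(entries, installed_prefix="c:\\windows\\system32\\drivers\\"):
    """Line the installed copy up against backups and against TDSSKiller's two hashes."""
    installed = [e for e in entries if e["path"].lower().startswith(installed_prefix)]
    backups = [e for e in entries if e not in installed]
    if len(installed) != 1:
        raise ValueError("expected one installed copy, found %d" % len(installed))
    cur = installed[0]
    copies_by_md5 = {}
    for e in entries:
        copies_by_md5.setdefault(e["md5"], []).append(e["path"])
    return {
        "installed_path": cur["path"],
        "installed_md5": cur["md5"],
        "installed_size": cur["size"],
        "matching_backups": [b["path"] for b in backups if b["md5"] == cur["md5"]],
        "same_size_backups": [b["path"] for b in backups if b["size"] == cur["size"]],
        "copies_by_md5": copies_by_md5,
        # which of TDSSKiller's two values the file-API hash equals, if either
        "tdss_label": {TDSS_REAL_MD5: "real", TDSS_FAKE_MD5: "fake"}.get(cur["md5"], "neither"),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # hash a local file for a manual check
        print(sys.argv[1], md5_of_file(sys.argv[1]))
    report = compare_copies(parse_filefind(SYSTEMLOOK_OUTPUT))
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

On the thread's own data the report shows the installed driver's hash equal to the value TDSSKiller labelled "Fake md5", no backup copy with the same hash, and no backup copy of the same size, so the ReinstallBackups copy is not a like-for-like reference for the installed file. Pass a file path as the only argument to hash a local copy and compare it by eye against the log.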

#10 nasdaq (Malware Response Team)

Posted 12 April 2012 - 07:53 AM

Are you still with me?

#11 niteman69 (Topic Starter)

Posted 13 April 2012 - 02:13 AM

Yes, thank you, and sorry, I've been working. Over the weekend I did reinstall Chrome, Java, Adobe Flash and Shockwave. I also cleaned out some files and made sure all drivers and programs were updated as best I could. I am still getting the same blue screen about once every other day. Avast and Malwarebytes take two or three tries to update.

Here is the report for System Look:

SystemLook 30.07.11 by jpshortstuff
Log created at 03:20 on 13/04/2012 by niteman69
Administrator - Elevation successful

========== filefind ==========

Searching for "P17.sys"
C:\WINDOWS\system32\drivers\P17.sys --a---- 1127936 bytes [08:14 07/07/2005] [06:47 15/06/2007] DF886FFED69AEAD0CF608B89B18C3F6F
C:\WINDOWS\system32\ReinstallBackups\0042\DriverFiles\i386\P17.sys -ra---- 1389056 bytes [21:19 15/03/2012] [08:14 07/07/2005] 1DB419CB76493F6292CCFBDC3466F5FF

-= EOF =-

Will do the other next!

Edited by niteman69, 13 April 2012 - 02:29 AM.


#12 niteman69 (Topic Starter)

Posted 13 April 2012 - 03:01 AM

OK, so here is the ComboFix log, and I re-ran HijackThis; here is that as well. Man, am I glad you are here to help, because I look at these and have not a clue...


ComboFix 12-04-12.03 - niteman69 04/13/2012 3:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2573 [GMT -4:00]
Running from: c:\documents and settings\niteman69\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\niteman69\Application Data\vso_ts_preview.xml
C:\drvrtmp
c:\windows\settings.reg
c:\windows\system32\tmp.reg
c:\windows\system32\usp10(2).dll
.
Infected copy of c:\windows\system32\sysocmgr.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sysocmgr.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-12 07:18 . 2012-04-12 07:18 388096 ----a-r- c:\documents and settings\niteman69\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-12 05:39 . 2012-04-12 05:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-10 17:51 . 2012-04-10 17:51 -------- d-----w- C:\2445236f410244c06c4f59d993
2012-04-10 01:45 . 2012-04-10 01:45 -------- d-----w- c:\windows\system32\Adobe
2012-04-06 19:47 . 2012-04-06 20:05 -------- d-----w- c:\documents and settings\niteman69\Application Data\HP
2012-04-06 19:47 . 2012-04-06 19:47 -------- d-----w- c:\documents and settings\niteman69\Local Settings\Application Data\HP
2012-04-06 19:45 . 2009-06-01 23:36 966656 ----a-r- c:\windows\system32\hpwtiop5.dll
2012-04-06 19:45 . 2009-06-01 23:36 749568 ----a-r- c:\windows\system32\hpwwiax6.dll
2012-04-06 19:45 . 2009-06-01 23:36 315392 ----a-r- c:\windows\system32\hpwvst01.dll
2012-04-06 19:43 . 2012-04-06 19:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant
2012-04-06 19:41 . 2012-04-06 19:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2012-04-06 19:40 . 2012-04-06 19:40 -------- d-----w- c:\program files\Common Files\HP
2012-04-06 19:38 . 2012-04-08 04:55 -------- d-----w- c:\program files\HP
2012-04-06 19:30 . 2009-05-18 21:33 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2012-04-06 19:30 . 2009-05-18 21:33 309760 ----a-r- c:\windows\system32\difxapi.dll
2012-04-06 18:40 . 2012-04-06 18:41 -------- d-----w- c:\documents and settings\niteman69\Local Settings\Application Data\Google
2012-04-04 05:53 . 2012-04-04 05:53 -------- d-----w- c:\documents and settings\niteman69\Local Settings\Application Data\Temp
2012-04-04 04:58 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2012-04-01 08:05 . 2012-04-01 08:05 -------- d-----w- c:\program files\BillP Studios
2012-04-01 07:55 . 2012-04-01 07:55 -------- d-----w- c:\documents and settings\niteman69\Application Data\WinPatrol
2012-04-01 07:55 . 2012-04-01 08:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\InstallMate
2012-03-31 20:33 . 2012-03-31 20:33 -------- d-----w- C:\Backreg
2012-03-31 09:32 . 2012-03-31 09:32 -------- d-----w- c:\windows\system32\1064
2012-03-31 09:16 . 2012-03-31 09:16 -------- d-----w- c:\windows\system32\1076
2012-03-30 06:33 . 2012-03-30 06:33 -------- d-----w- c:\windows\system32\2034
2012-03-30 05:36 . 2012-03-30 05:36 -------- d-----w- c:\windows\system32\1032
2012-03-29 00:00 . 2012-03-29 00:00 -------- d-----w- c:\documents and settings\My Documents
2012-03-25 21:49 . 2012-03-25 21:49 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\iolo
2012-03-25 21:19 . 2012-03-25 21:19 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\iolo
2012-03-25 21:19 . 2010-09-23 16:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2012-03-25 21:17 . 2012-03-25 21:17 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-03-25 20:04 . 2012-04-13 06:04 -------- d-----w- c:\documents and settings\niteman69\Application Data\vlc
2012-03-25 14:53 . 2012-03-25 14:53 -------- d-----w- c:\documents and settings\niteman69\Application Data\Windows Search
2012-03-25 08:16 . 2012-03-25 08:16 -------- d-----w- c:\documents and settings\niteman69\Local Settings\Application Data\Help
2012-03-25 08:16 . 2012-03-25 08:16 -------- d-----r- C:\comment.htt
2012-03-25 03:40 . 2012-03-25 03:40 2 --shatr- c:\windows\winstart.bat
2012-03-25 03:31 . 2012-03-25 03:31 -------- d-----w- c:\program files\Trend Micro
2012-03-23 17:50 . 2012-03-23 18:01 -------- d-----w- c:\documents and settings\niteman69\Application Data\Coby Media Manager
2012-03-23 17:50 . 2012-03-23 17:50 -------- d-----w- c:\program files\Coby
2012-03-21 18:46 . 2012-03-28 17:27 -------- d-----w- c:\program files\CCleaner
2012-03-19 05:38 . 2012-03-19 05:38 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Trusteer
2012-03-17 21:59 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-17 21:59 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-17 21:59 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-17 21:59 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-17 21:59 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-17 21:59 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-17 21:59 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-17 21:59 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-17 21:59 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-17 21:59 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-17 19:31 . 2012-03-17 21:58 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
2012-03-17 19:31 . 2012-03-17 21:58 -------- d-----w- c:\program files\AVAST Software
2012-03-16 18:28 . 2012-03-16 18:41 -------- d-----w- c:\program files\Prey
2012-03-16 18:27 . 2005-04-04 02:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2012-03-15 23:40 . 2012-03-15 23:40 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\ATI
2012-03-15 23:31 . 2008-12-01 18:35 593920 ------w- c:\windows\system32\ati2sgag.exe
2012-03-15 23:31 . 2009-01-05 14:09 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2012-03-15 23:31 . 2009-01-05 14:08 425984 ----a-r- c:\windows\system32\ATIDEMGX.dll
2012-03-15 23:30 . 2012-03-15 23:34 -------- d-----w- c:\program files\ATI Technologies
2012-03-15 22:41 . 2012-03-15 22:41 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-15 21:38 . 2011-12-20 07:39 100368 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys
2012-03-15 18:15 . 2012-03-15 18:15 -------- d-----w- c:\program files\ATI
2012-03-15 18:02 . 2012-03-15 18:02 -------- d-----w- C:\AMD
2012-03-15 15:25 . 2012-03-15 15:25 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-03-15 15:07 . 2005-04-04 03:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2012-03-15 15:07 . 2005-04-04 03:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2012-03-15 15:07 . 2005-04-04 03:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2012-03-15 15:07 . 2005-04-04 03:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2012-03-15 15:07 . 2012-03-15 15:07 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2012-03-15 15:07 . 2012-03-15 15:07 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 05:39 . 2012-03-06 12:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2012-03-07 02:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-11 17:48 . 2012-03-11 17:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-10 03:05 . 2012-03-06 15:15 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2012-03-10 03:05 . 2012-03-06 15:15 47360 ----a-w- c:\documents and settings\niteman69\Application Data\pcouffin.sys
2012-03-01 11:01 . 2012-03-05 23:44 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2012-03-05 23:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2012-03-05 23:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2012-03-05 23:44 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2012-03-05 23:43 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2012-03-05 23:43 385024 ----a-w- c:\windows\system32\html.iec
2012-02-23 14:18 . 2012-03-06 10:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22 . 2012-03-05 23:44 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2012-03-25 329312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 15:38 64512 ----a-w- c:\windows\system32\P17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2010-05-20 20:27 762736 ----a-w- c:\windows\vVX3000.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [3/7/2012 09:05 PM 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [3/7/2012 09:05 PM 12464]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/17/2012 05:59 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/17/2012 05:59 PM 20696]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [3/6/2012 11:15 AM 47360]
S0 18556201;18556201; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/17/2012 05:59 PM 612184]
S1 RapportCerberus_34302;RapportCerberus_34302;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys [?]
S1 RapportEI;RapportEI;\??\c:\program files\Trusteer\Rapport\bin\RapportEI.sys --> c:\program files\Trusteer\Rapport\bin\RapportEI.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 02:16 PM 130384]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/15/2012 05:38 PM 100368]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys --> c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/5/2012 07:43 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 02:16 PM 753504]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-412668190-725345543-1004Core.job
- c:\documents and settings\niteman69\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 18:40]
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-412668190-725345543-1004UA.job
- c:\documents and settings\niteman69\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-13 03:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "c:\program files\Creative\MediaSource\Detector\CTDetect.exe" /R???? ???/???????? >w8??????????????|???|????\??|a??|???|???|???????????|0??? ??|h??|????????????????0??? ??|`??|???????w??????A~H?g???????A~???????w??A~???????w??????D~??A~??????A~???w*??????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-04-13 03:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-13 07:46
.
Pre-Run: 19,044,155,392 bytes free
Post-Run: 18,926,936,064 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - FEDB5AE645B7A952B9FC624B4A702824


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 03:50:05, on 4/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1331014780125
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package 2) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} (Creative Software AutoUpdate 2) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4447 bytes

#13 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 13 April 2012 - 09:26 AM

Looking better.

Open notepad and copy/paste the text in the quote box below into it:

Driver::
18556201
AdvancedSystemCareService5


Save this as CFScript on your desktop.

[image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log and let me know what problem persists.

#14 niteman69 (Topic Starter)

Posted 13 April 2012 - 10:01 AM

S1 RapportCerberus_34302;RapportCerberus_34302;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys [?]
S1 RapportEI;RapportEI;\??\c:\program files\Trusteer\Rapport\bin\RapportEI.sys --> c:\program files\Trusteer\Rapport\bin\RapportEI.sys [?]
S3 RapportIaso;RapportIaso;\??\c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys --> c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [?]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5; [x]

I saw these last night, but I do not think they should be there. I did the Start, Control Panel and Add/Remove for both of these: Trusteer right after we started, and Advanced SystemCare in late Feb. or early March. So, do you know why they are still there? Are they part of my problem, since I do see I had an infection if I read the ComboFix report right? ASCS 5 was a free DL from CNET, and I did not see it helping any more than the other things I use. Trusteer was not a need that I could see for me either. I looked in the folders where this report says they are and do not see them... I did find a few of these that I had never seen before: lpt3.Drive_is_protected_against_flash_viruses_by_RegRun

Edited by niteman69, 13 April 2012 - 10:15 AM.


#15 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 13 April 2012 - 12:41 PM

These are normally good. If you have removed this application, then let's remove the remnant items in the registry.

Refer to my previous post and paste the following in the ComboFix script. Execute as suggested.

Driver::
18556201
AdvancedSystemCareService5
RapportCerberus_34302
RapportEI
RapportIaso



I did find a few of these that I had never seen before lpt3.Drive_is_protected_against_flash_viruses_by_RegRun

Nothing to worry about. Leave them alone.
http://greatis.com/webhelp/regrun___detailed_instructions/usb_flash_stick_protection/usb_flash_stick_protection.htm
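What makes these five entries candidates for the Driver:: directive is the marker ComboFix prints at the end of the line: "[x]" means the service key has no image path at all, "[?]" means a path is recorded but the file is not on disk; a real driver shows "[date time size]" instead. The directive wants the service key name only, the part before the first semicolon, not the "name;display name" pair as it appears in the log. The script below is an added example, not part of this thread and not ComboFix's own code: it parses lines in the format of the services/drivers section above (the sample lines are copied from that log and trimmed), flags the orphaned entries, and writes the Driver:: block from their key names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the ComboFix log above (trimmed to five entries).
# Format: <R|S><start type> <key name>;<display name>;<image path> [<details>]
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/17/2012 05:59 PM 337880]
S0 18556201;18556201; [x]
S1 RapportEI;RapportEI;\??\c:\program files\Trusteer\Rapport\bin\RapportEI.sys --> c:\program files\Trusteer\Rapport\bin\RapportEI.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/5/2012 07:43 PM 14336]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5; [x]
"""

_LINE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+"   # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"                  # service key name: what Driver:: expects
    r"(?P<display>[^;]*);"               # display name
    r"(?P<rest>.*)$"                     # image path plus the trailing marker
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: int
    image_path: Optional[str]   # None when ComboFix recorded no path ("[x]")
    status: str                 # "ok", "missing_file" or "no_image_path"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one services/drivers line; return None for lines in other formats."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.endswith("[x]"):
        status, path = "no_image_path", None
    elif rest.endswith("[?]"):
        status = "missing_file"
        # "\??\<path> --> <path> [?]": keep the resolved path after the arrow
        path = rest[:-3].strip()
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
    else:
        status = "ok"
        path = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop the "[date size]" tail
    return ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=(m.group("kind") == "R"),
        start_type=int(m.group("start")),
        image_path=path or None,
        status=status,
    )


def orphaned_services(log_text: str) -> List[ServiceEntry]:
    """Entries whose binary ComboFix could not find: leftovers of uninstalled software."""
    entries = (parse_service_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.status != "ok"]


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Driver:: block in CFScript syntax: one service key name per line."""
    return "\n".join(["Driver::"] + [e.name for e in entries]) + "\n"


def summarize(log_text: str) -> List[str]:
    """One human-readable line per orphaned entry, for review before running the script."""
    out = []
    for e in orphaned_services(log_text):
        where = e.image_path or "(no image path)"
        state = "RUNNING" if e.running else "stopped"
        out.append(f"{e.name}: {e.status}, {state}, start type {e.start_type}, {where}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
    print()
    print(build_cfscript(orphaned_services(SAMPLE_LOG)), end="")
```

An entry that is both orphaned and marked R (running) would deserve a closer look than a stopped leftover, since a driver cannot be running from a file that is not there; the summary prints the state so that case stands out. The generated block for the sample is "Driver::" followed by 18556201, RapportEI and AdvancedSystemCareService5, which is the shape of the script in the post above.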



