Downloaded Codec-C & ZeroAccess! RootKit


65 replies to this topic

#1 Miss__Brittany
Posted 27 March 2012 - 05:06 PM

First off - thank you for your help.

I've been coming to your forum for a long time, but this is the first time that I've actually needed to ask for help from you guys.

Late one night, I was trying to watch a TV show online and I agreed to download Codec-C. I knew better, and yet I still did it. That's what I get for using the internet when I'm still half asleep.

For 4-5 days now, I've been trying to get rid of this, and I haven't been able to. I've followed many other members on this site, and tried to do the same steps, but there are still problems lingering on my computer.

Information:
On website pages, there are random words highlighted, and when I put my mouse over top of them it is a link leading me to get an iPad or cheque, etc. Usually these words are things like "purchase", "account", "join". My computer is also a bit slower than it was previously. I haven't had any other problems with Internet Explorer, but I use Tor through Mozilla Firefox and the virus/trojan has changed something so now my proxy server is "refusing connections". I was using Avira, but I found it would never find any viruses, so I removed it. I'm unable to run Norton; when I restart after updating the definitions it pops up saying there was an error and it won't open the main console - so it's being blocked.

My first step was doing a virus scan - nothing came up
Tried Ad-Aware - again, nothing serious
Malwarebytes - found nothing
I then resorted to ComboFix - it took an incredibly long time, over 30 minutes, and it was stopped twice with a message about a freeware program (I forget the file name, I think it started with a C and it ended in .exe) not working. So I said okay, and then continued the scan.
The first time it restarted after scanning it told me that I have the ZeroAccess! Rootkit. It did not go through the 50 steps at that point.
I scanned again, and it did not do the same thing. The two messages did not pop up while scanning, and it completed the 50 steps.
After that, I've tried a few other programs, but am now frustrated. Whatever is on my computer is hiding itself very well!!!

I will post some logs for you by the end of the night.

Thanks again!!


#2 Miss__Brittany
Posted 27 March 2012 - 05:11 PM

Here is DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_30
Run by Brittany and Aki at 18:07:56 on 2012-03-27
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3000.986 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Users\Brittany and Aki\Desktop\i6dqkrss.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uSearch Bar = Preserve
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=2&o=vp32&d=1109&m=aspire_6930
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Codec-C Class: {eb64d6b0-ea0e-4061-b650-14fe9bad7ad8} - c:\programdata\codec-c\bhoclass.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://aic.lgservice.com/DjvuViewer/DjVuControl-6.1.4.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A2C4BCF8-1697-4DC7-8D1B-65BCB298DDDC} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brittany and aki\appdata\roaming\mozilla\firefox\profiles\7rc89atx.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363&babsrc=HP_ss&mntrId=8ec33ae400000000000000215d797e14
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\brittany and aki\appdata\roaming\facebook\npfbplugin_1_0_1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111363
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.hardId - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15424
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.171:05:33
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-3-25 64512]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\symds.sys [2012-3-27 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\symefa.sys [2012-3-27 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-17 820856]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20120324.004\IDSvix86.sys [2012-3-24 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys [2012-3-27 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys [2012-3-27 331384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2012-3-20 2152152]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-26 652360]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccsvchst.exe [2012-3-27 130008]
R3 fwkirpob;fwkirpob;C:\fwkirpob.sys [2012-3-27 100864]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-14 113664]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-26 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-27 40776]
R3 NETwNv32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwNv32.sys [2011-8-4 7341568]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-1-18 197224]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 135664]
S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2008-10-14 26752]
S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2008-10-14 47104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2012-3-20 15232]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-10-14 338432]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-03-27 21:36:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-27 21:04:37 100864 ----a-w- C:\fwkirpob.sys
2012-03-27 20:32:34 -------- d-----w- c:\users\brittany and aki\appdata\local\temp
2012-03-27 20:31:11 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-27 20:19:25 -------- d-----w- C:\brittany
2012-03-27 20:09:02 744568 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symefa.sys
2012-03-27 20:09:02 331384 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys
2012-03-27 20:09:02 296568 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symnets.sys
2012-03-27 20:09:01 516216 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\srtsp.sys
2012-03-27 20:09:01 50168 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\srtspx.sys
2012-03-27 20:09:01 340088 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symds.sys
2012-03-27 20:09:01 136312 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys
2012-03-27 20:08:47 -------- d-----w- c:\windows\system32\drivers\nav\1206000.01D
2012-03-27 19:57:18 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-27 19:57:18 -------- d-----w- c:\program files\Symantec
2012-03-27 19:57:18 -------- d-----w- c:\program files\common files\Symantec Shared
2012-03-27 19:57:01 331312 ----a-r- c:\windows\system32\drivers\nav\1201000.025\symtdiv.sys
2012-03-27 19:57:00 666672 ----a-r- c:\windows\system32\drivers\nav\1201000.025\SymEFA.sys
2012-03-27 19:57:00 50096 ----a-r- c:\windows\system32\drivers\nav\1201000.025\srtspx.sys
2012-03-27 19:57:00 489008 ----a-r- c:\windows\system32\drivers\nav\1201000.025\srtsp.sys
2012-03-27 19:57:00 339504 ----a-r- c:\windows\system32\drivers\nav\1201000.025\SymDS.sys
2012-03-27 19:57:00 294448 ----a-r- c:\windows\system32\drivers\nav\1201000.025\symnets.sys
2012-03-27 19:57:00 134704 ----a-r- c:\windows\system32\drivers\nav\1201000.025\Ironx86.sys
2012-03-27 19:56:39 -------- d-----w- c:\windows\system32\drivers\nav\1201000.025
2012-03-27 19:56:39 -------- d-----w- c:\windows\system32\drivers\NAV
2012-03-27 19:56:36 -------- d-----w- c:\program files\Norton AntiVirus
2012-03-27 17:27:10 -------- d-----w- c:\users\brittany and aki\appdata\local\CrashDumps
2012-03-27 05:30:14 -------- d-----w- c:\programdata\Norton
2012-03-27 05:30:07 -------- d-----w- c:\programdata\NortonInstaller
2012-03-27 05:30:07 -------- d-----w- c:\program files\NortonInstaller
2012-03-26 05:48:41 98816 ----a-w- c:\windows\sed.exe
2012-03-26 05:48:41 518144 ----a-w- c:\windows\SWREG.exe
2012-03-26 05:48:41 256000 ----a-w- c:\windows\PEV.exe
2012-03-26 05:48:41 208896 ----a-w- c:\windows\MBR.exe
2012-03-26 05:34:48 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 03:48:26 -------- d-----w- c:\program files\Enigma Software Group
2012-03-26 03:47:33 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-26 03:47:29 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-03-26 03:30:34 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-25 20:35:38 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-25 20:33:06 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-25 05:05:57 -------- d-----w- c:\programdata\Premium
2012-03-25 05:05:31 -------- d-----w- c:\users\brittany and aki\appdata\local\Babylon
2012-03-25 05:05:30 -------- d-----w- c:\users\brittany and aki\appdata\roaming\Babylon
2012-03-25 05:05:30 -------- d-----w- c:\programdata\Babylon
2012-03-25 05:05:25 -------- d-----w- c:\programdata\Codec-C
2012-03-25 05:05:17 -------- d-----w- c:\programdata\InstallMate
2012-03-20 03:32:59 -------- d-----w- c:\users\brittany and aki\appdata\roaming\tor
2012-03-20 03:32:37 -------- d-----w- c:\users\brittany and aki\appdata\local\Tor
2012-03-20 03:32:36 -------- d-----w- c:\users\brittany and aki\appdata\local\Vidalia
2012-03-20 03:32:36 -------- d-----w- c:\program files\Vidalia Bundle
.
==================== Find3M ====================
.
2012-02-23 23:17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-11 08:44:50 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-01-12 22:21:50 74703 ----a-w- c:\windows\system32\mfc45.dll
.
============= FINISH: 18:09:37.51 ===============
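Added example, not part of the original post or of the DDS tool: a Python triage pass over the Pseudo HJT Report and FIREFOX lines above, flagging the orphaned "No File" BHO/toolbar entries, the Codec-C BHO loading from c:\programdata, EnableLUA = 0 and the Babylon homepage/search hijack, and explaining the Tor SOCKS proxy entry. The rules, severities, `Finding` class and trusted-directory list are assumptions of this example; the sample lines are copied from the log posted above.

```python
"""Triage for DDS "Pseudo HJT Report" and FIREFOX lines (added example, not part of
the DDS tool or the original thread). Every rule is a heuristic chosen for this
walkthrough; the result is a list of findings for a human to review, not a verdict."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Sample input: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Codec-C Class: {eb64d6b0-ea0e-4061-b650-14fe9bad7ad8} - c:\programdata\codec-c\bhoclass.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363&babsrc=HP_ss&mntrId=8ec33ae400000000000000215d797e14
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str      # why the line was flagged
    line: str      # the evidence


# Directories from which properly installed BHO/toolbar DLLs are normally loaded
# (assumed allow list; DDS lower-cases paths in this section, so compare lower-cased).
TRUSTED_DLL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Engines that ship with Firefox; anything else gets a second look (heuristic).
COMMON_ENGINES = {"google", "yahoo", "bing", "wikipedia (en)", "amazon.com", "ebay", "twitter"}

BHO_RE = re.compile(r"^(BHO|TB):\s*(?:(?P<name>.*?):\s*)?\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<target>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
FFPREF_RE = re.compile(r"^FF - (?:prefs|user)\.js:\s*(?P<key>[\w.]+)\s*-\s*(?P<val>.*)$")


def refang(url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def check_firefox_prefs(prefs: dict) -> list:
    """Rules that need several FF prefs together (homepage, engine, proxy)."""
    out = []
    home = prefs.get("browser.startup.homepage")
    if home:
        parts = urlsplit(refang(home))
        # An affiliate id in the start page URL is the signature of a toolbar hijack.
        if "affid" in {k.lower() for k in parse_qs(parts.query)}:
            out.append(Finding("medium", f"homepage set to {parts.hostname} with an affiliate id: search hijack", home))
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine.lower() not in COMMON_ENGINES:
        out.append(Finding("medium", "non-default search engine selected: possible toolbar/search hijack", engine))
    if prefs.get("network.proxy.type") == "1":  # 1 = manual proxy configuration
        sock = f"{prefs.get('network.proxy.socks')}:{prefs.get('network.proxy.socks_port')}"
        rule = "manual proxy configured"
        if sock == "127.0.0.1:9050":
            rule += (" (127.0.0.1:9050 is Tor's default SOCKS port; 'proxy refusing connections'"
                     " means nothing is listening there, e.g. the Tor client is not running)")
        out.append(Finding("info", rule, sock))
    return out


def triage(text: str) -> list:
    """Walk the log once, flag single-line indicators, collect FF prefs for the combined rules."""
    findings = []
    ff_prefs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            target = m.group("target").strip()
            if target.lower() == "no file":
                findings.append(Finding("info", "orphaned BHO/toolbar registration (DLL missing); cleanup candidate", line))
            elif not target.lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(Finding("high", "browser helper object loaded from outside Program Files/Windows", line))
        elif m := POLICY_RE.match(line):
            if m.group("key") == "EnableLUA" and m.group("val") == "0":
                findings.append(Finding("high", "UAC disabled (EnableLUA=0); a common malware tampering", line))
        elif m := FFPREF_RE.match(line):
            ff_prefs[m.group("key")] = m.group("val").strip()
    findings.extend(check_firefox_prefs(ff_prefs))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
```

On the sample above it reports two high findings (the Codec-C BHO and EnableLUA = 0), two medium (Babylon homepage and search engine) and three informational (two orphaned registrations and the Tor proxy), while the Adobe BHO passes clean.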

#3 Miss__Brittany
Posted 27 March 2012 - 05:28 PM

GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-27 18:27:04
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0303
Running: i6dqkrss.exe; Driver: C:\Users\BRITTA~1\AppData\Local\Temp\fwkirpob.sys


---- System - GMER 1.0.15 ----

SSDT 97702A60 ZwAlertResumeThread
SSDT 97702B40 ZwAlertThread
SSDT 947DD508 ZwAllocateVirtualMemory
SSDT 934A5BB8 ZwAlpcConnectPort
SSDT 947A3890 ZwAssignProcessToJobObject
SSDT 947A3E38 ZwCreateMutant
SSDT 9479B310 ZwCreateSymbolicLinkObject
SSDT 947ABC88 ZwCreateThread
SSDT 947A3970 ZwDebugActiveProcess
SSDT 947DD698 ZwDuplicateObject
SSDT 947DD328 ZwFreeVirtualMemory
SSDT 947A3F28 ZwImpersonateAnonymousToken
SSDT 97702980 ZwImpersonateThread
SSDT 934A5B40 ZwLoadDriver
SSDT 947DD228 ZwMapViewOfSection
SSDT 947A3D58 ZwOpenEvent
SSDT 947ABB70 ZwOpenProcess
SSDT 947DD5D8 ZwOpenProcessToken
SSDT 947A3B98 ZwOpenSection
SSDT 947ABAA0 ZwOpenThread
SSDT 947A37A0 ZwProtectVirtualMemory
SSDT 97702C20 ZwResumeThread
SSDT 97702EC0 ZwSetContextThread
SSDT 97702F80 ZwSetInformationProcess
SSDT 947A3A50 ZwSetSystemInformation
SSDT 947A3C78 ZwSuspendProcess
SSDT 97702D00 ZwSuspendThread
SSDT 947ABD68 ZwTerminateProcess
SSDT 97702DE0 ZwTerminateThread
SSDT 947DD148 ZwUnmapViewOfSection
SSDT 947DD418 ZwWriteVirtualMemory
SSDT 947A36A0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 822D3974 8 Bytes [60, 2A, 70, 97, 40, 2B, 70, ...] {PUSHA ; SUB DH, [EAX-0x69]; INC EAX; SUB ESI, [EAX-0x69]}
.text ntkrnlpa.exe!KeSetTimerEx + 364 822D3988 4 Bytes [08, D5, 7D, 94] {OR CH, DL; JGE 0xffffffffffffff98}
.text ntkrnlpa.exe!KeSetTimerEx + 370 822D3994 4 Bytes [B8, 5B, 4A, 93]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 822D39E8 4 Bytes [90, 38, 7A, 94] {NOP ; CMP [EDX-0x6c], BH}
.text ntkrnlpa.exe!KeSetTimerEx + 428 822D3A4C 4 Bytes [38, 3E, 7A, 94] {CMP [ESI], BH; JP 0xffffffffffffff98}
.text ...
? C:\Users\BRITTA~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!DialogBoxIndirectParamW 7554BD25 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!DialogBoxIndirectParamW 7554BD25 5 Bytes JMP 6EE15329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!CreateWindowExW 75553D67 5 Bytes JMP 6ED1DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!DialogBoxParamW 75561FD5 5 Bytes JMP 6EC454C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!DialogBoxParamA 755880B2 5 Bytes JMP 6EE152C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!DialogBoxIndirectParamA 755883DD 5 Bytes JMP 6EE1538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!MessageBoxIndirectA 7559D471 5 Bytes JMP 6EE1525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!MessageBoxIndirectW 7559D56B 5 Bytes JMP 6EE151F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!MessageBoxExA 7559D5D1 5 Bytes JMP 6EE1518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2016] USER32.dll!MessageBoxExW 7559D5F5 5 Bytes JMP 6EE1512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] ntdll.dll!RtlVerifyVersionInfo + 3E6 76EB79AE 10 Bytes JMP 0255003A
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!SetWindowsHookExW 75547B69 5 Bytes JMP 6ED19A91 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!CallNextHookEx 75548C33 5 Bytes JMP 6ED0D0CD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!DialogBoxIndirectParamW 7554BD25 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!DialogBoxIndirectParamW 7554BD25 5 Bytes JMP 6EE15329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!CreateWindowExW 75553D67 5 Bytes JMP 6ED1DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!DialogBoxParamW 75561FD5 5 Bytes JMP 6EC454C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!UnhookWindowsHookEx 755708BE 5 Bytes JMP 6EC8466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!DialogBoxParamA 755880B2 5 Bytes JMP 6EE152C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!DialogBoxIndirectParamA 755883DD 5 Bytes JMP 6EE1538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!MessageBoxIndirectA 7559D471 5 Bytes JMP 6EE1525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!MessageBoxIndirectW 7559D56B 5 Bytes JMP 6EE151F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!MessageBoxExA 7559D5D1 5 Bytes JMP 6EE1518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] USER32.dll!MessageBoxExW 7559D5F5 5 Bytes JMP 6EE1512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] ole32.dll!OleLoadFromStream 76989794 5 Bytes JMP 6EE15691 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] ole32.dll!CoRevokeInitializeSpy + 109 769A6173 7 Bytes JMP 025501A9
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] ole32.dll!CoCreateInstance 769BE2D8 5 Bytes JMP 6ED1DB60 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2696] ole32.dll!CoCreateInstance + 3E 769BE316 7 Bytes JMP 025500F3
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] ntdll.dll!RtlVerifyVersionInfo + 3E6 76EB79AE 10 Bytes JMP 0264003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!SetWindowsHookExW 75547B69 5 Bytes JMP 6ED19A91 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!CallNextHookEx 75548C33 5 Bytes JMP 6ED0D0CD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!DialogBoxIndirectParamW 7554BD25 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!DialogBoxIndirectParamW 7554BD25 5 Bytes JMP 6EE15329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!CreateWindowExW 75553D67 5 Bytes JMP 6ED1DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!DialogBoxParamW 75561FD5 5 Bytes JMP 6EC454C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!UnhookWindowsHookEx 755708BE 5 Bytes JMP 6EC8466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!DialogBoxParamA 755880B2 5 Bytes JMP 6EE152C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!DialogBoxIndirectParamA 755883DD 5 Bytes JMP 6EE1538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!MessageBoxIndirectA 7559D471 5 Bytes JMP 6EE1525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!MessageBoxIndirectW 7559D56B 5 Bytes JMP 6EE151F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!MessageBoxExA 7559D5D1 5 Bytes JMP 6EE1518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] USER32.dll!MessageBoxExW 7559D5F5 5 Bytes JMP 6EE1512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] ole32.dll!OleLoadFromStream 76989794 5 Bytes JMP 6EE15691 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] ole32.dll!CoRevokeInitializeSpy + 109 769A6173 7 Bytes JMP 026401A9
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] ole32.dll!CoCreateInstance 769BE2D8 5 Bytes JMP 6ED1DB60 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3444] ole32.dll!CoCreateInstance + 3E 769BE316 7 Bytes JMP 026400F3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [73A88864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [73AC9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73A8B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73A7FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [73A87A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73A7EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73ABB12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73A8BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [73A80756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [73A806BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [73A771B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73B0D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73AA7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73A7E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [73A7697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [73A769A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73A82475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.exe[3372] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}@mahhdjnmhmfkefjmaclhphknij 0x6F 0x61 0x65 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}@abihmnliglnbflkhlndobbnmegiieonjdk 0x69 0x61 0x6A 0x67 ...

---- EOF - GMER 1.0.15 ----

#4 Miss__Brittany

Posted 27 March 2012 - 05:32 PM

Here is the log from ComboFix if you'd like to see it:

ComboFix 12-03-27.03 - Brittany and Aki 27/03/2012 16:20:58.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3000.1693 [GMT -4:00]
Running from: c:\users\Brittany and Aki\Desktop\brittany.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\temp
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-27 19:57 . 2012-03-27 20:09 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-27 19:57 . 2012-03-27 20:09 -------- d-----w- c:\program files\Symantec
2012-03-27 19:57 . 2012-03-27 19:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-03-27 19:56 . 2012-03-27 20:08 -------- d-----w- c:\windows\system32\drivers\NAV
2012-03-27 19:56 . 2012-03-27 19:56 -------- d-----w- c:\program files\Norton AntiVirus
2012-03-27 17:27 . 2012-03-27 18:41 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\CrashDumps
2012-03-27 12:51 . 2012-03-27 19:18 -------- d-----w- C:\thedog
2012-03-27 05:30 . 2012-03-27 19:56 -------- d-----w- c:\programdata\Norton
2012-03-27 05:30 . 2012-03-27 20:14 -------- d-----w- c:\program files\NortonInstaller
2012-03-26 05:34 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 03:48 . 2012-03-26 13:17 -------- d-----w- C:\sh4ldr
2012-03-26 03:48 . 2012-03-26 03:48 -------- d-----w- c:\program files\Enigma Software Group
2012-03-26 03:47 . 2012-03-26 13:17 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-26 03:47 . 2012-03-26 03:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 03:30 . 2012-03-25 20:35 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-25 20:35 . 2012-03-25 20:35 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-25 20:33 . 2012-03-20 17:41 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Premium
2012-03-25 05:05 . 2012-03-25 05:05 237 ----a-w- C:\user.js
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Roaming\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Codec-C
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- C:\codec-info
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\InstallMate
2012-03-20 03:32 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Roaming\tor
2012-03-20 03:32 . 2012-03-20 03:32 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Tor
2012-03-20 03:32 . 2012-03-25 05:15 -------- d-----w- c:\program files\Vidalia Bundle
2012-03-20 03:32 . 2012-03-20 03:32 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Vidalia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 23:17 . 2011-05-13 06:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-11 08:44 . 2008-10-14 20:13 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-01-12 22:21 . 2012-01-12 22:21 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-12-21 07:24 . 2011-08-29 16:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB64D6B0-EA0E-4061-B650-14FE9BAD7AD8}]
2012-03-22 19:30 141312 ----a-w- c:\programdata\Codec-C\bhoclass.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-03-25 654056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
2008-05-30 16:24 544768 ----a-w- c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-07-29 21:52 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2008-08-01 14:51 405504 ----a-w- c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-07-20 09:45 182808 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-06-04 12:03 817672 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-10-08 23:31 1934632 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2008-07-03 26752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 00:39]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 00:39]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1525939726-772596016-34224432-1000Core.job
- c:\users\Brittany and Aki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-29 03:16]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1525939726-772596016-34224432-1000UA.job
- c:\users\Brittany and Aki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-29 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=2&o=vp32&d=1109&m=aspire_6930
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
FF - ProfilePath - c:\users\Brittany and Aki\AppData\Roaming\Mozilla\Firefox\Profiles\7rc89atx.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363&babsrc=HP_ss&mntrId=8ec33ae400000000000000215d797e14
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111363
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.hardId - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15424
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.171:05
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-27 16:29
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1525939726-772596016-34224432-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}*]
"mahhdjnmhmfkefjmaclhphknij"=hex:6f,61,65,6a,69,70,66,64,6f,64,70,6a,67,68,62,
67,6b,66,6e,61,64,70,6b,65,6d,6e,6a,62,64,61,00,00
"abihmnliglnbflkhlndobbnmegiieonjdk"=hex:69,61,6a,67,66,6e,67,6f,6b,6e,6e,6e,
6b,6a,65,6d,67,6a,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2872)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Common Files\Nero\Lib\MediaLibraryNSE.dll
c:\program files\Nero\Nero8\Nero BackItUp\NBShell.dll
c:\program files\Norton AntiVirus\Engine\18.6.0.29\EFACli.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSshellExt.dll
c:\progra~1\DISKIN~1\Uneraser\contmenu.dll
.
Completion time: 2012-03-27 16:32:31
ComboFix-quarantined-files.txt 2012-03-27 20:32
ComboFix2.txt 2012-03-27 19:18
.
Pre-Run: 79,387,037,696 bytes free
Post-Run: 79,846,719,488 bytes free
.
- - End Of File - - 08C11A113F5CF5AF9715753FA067C0CB

#5 Miss__Brittany

Posted 27 March 2012 - 05:33 PM

MBR log if you want to see it:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: ST932032 rev.0303 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#6 Miss__Brittany

Posted 27 March 2012 - 05:35 PM

TDSSKiller report if you want to see it:

18:33:43.0276 0548 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
18:33:43.0650 0548 ============================================================
18:33:43.0650 0548 Current date / time: 2012/03/27 18:33:43.0650
18:33:43.0650 0548 SystemInfo:
18:33:43.0650 0548
18:33:43.0650 0548 OS Version: 6.0.6001 ServicePack: 1.0
18:33:43.0650 0548 Product type: Workstation
18:33:43.0650 0548 ComputerName: BRITTANYANDA-PC
18:33:43.0650 0548 UserName: Brittany and Aki
18:33:43.0650 0548 Windows directory: C:\Windows
18:33:43.0650 0548 System windows directory: C:\Windows
18:33:43.0650 0548 Processor architecture: Intel x86
18:33:43.0650 0548 Number of processors: 2
18:33:43.0650 0548 Page size: 0x1000
18:33:43.0650 0548 Boot type: Normal boot
18:33:43.0650 0548 ============================================================
18:33:44.0196 0548 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:33:44.0212 0548 \Device\Harddisk0\DR0:
18:33:44.0258 0548 MBR used
18:33:44.0258 0548 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1400800, BlocksNum 0x12016800
18:33:44.0258 0548 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x13417000, BlocksNum 0x11900000
18:33:44.0383 0548 Initialize success
18:33:44.0383 0548 ============================================================
18:33:45.0428 1960 ============================================================
18:33:45.0428 1960 Scan started
18:33:45.0428 1960 Mode: Manual;
18:33:45.0428 1960 ============================================================
18:33:46.0458 1960 A310 (c80ca966ddee3924d5b31a31c84808db) C:\Windows\system32\DRIVERS\AVerA310USB.sys
18:33:46.0458 1960 A310 - ok
18:33:46.0661 1960 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
18:33:46.0676 1960 ACPI - ok
18:33:46.0723 1960 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
18:33:46.0739 1960 adp94xx - ok
18:33:46.0770 1960 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
18:33:46.0786 1960 adpahci - ok
18:33:46.0801 1960 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
18:33:46.0801 1960 adpu160m - ok
18:33:46.0832 1960 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
18:33:46.0832 1960 adpu320 - ok
18:33:46.0864 1960 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
18:33:46.0864 1960 AeLookupSvc - ok
18:33:46.0910 1960 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
18:33:46.0926 1960 AFD - ok
18:33:46.0957 1960 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
18:33:46.0957 1960 agp440 - ok
18:33:46.0973 1960 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
18:33:46.0988 1960 aic78xx - ok
18:33:47.0004 1960 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
18:33:47.0004 1960 ALG - ok
18:33:47.0035 1960 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
18:33:47.0035 1960 aliide - ok
18:33:47.0066 1960 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
18:33:47.0066 1960 amdagp - ok
18:33:47.0082 1960 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
18:33:47.0098 1960 amdide - ok
18:33:47.0129 1960 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
18:33:47.0129 1960 AmdK7 - ok
18:33:47.0144 1960 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
18:33:47.0144 1960 AmdK8 - ok
18:33:47.0191 1960 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
18:33:47.0191 1960 Appinfo - ok
18:33:47.0254 1960 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
18:33:47.0254 1960 arc - ok
18:33:47.0285 1960 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
18:33:47.0285 1960 arcsas - ok
18:33:47.0316 1960 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
18:33:47.0316 1960 AsyncMac - ok
18:33:47.0347 1960 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
18:33:47.0347 1960 atapi - ok
18:33:47.0378 1960 AudioEndpointBuilder (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
18:33:47.0394 1960 AudioEndpointBuilder - ok
18:33:47.0394 1960 Audiosrv (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
18:33:47.0394 1960 Audiosrv - ok
18:33:47.0441 1960 BDASwCap (20be361d9b33dd5b36c91c9711434396) C:\Windows\system32\drivers\AVerA310Cap.sys
18:33:47.0441 1960 BDASwCap - ok
18:33:47.0456 1960 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
18:33:47.0456 1960 Beep - ok
18:33:47.0519 1960 BFE (8582e233c346aefe759833e8a30dd697) C:\Windows\System32\bfe.dll
18:33:47.0519 1960 BFE - ok
18:33:47.0831 1960 BHDrvx86 (eb7f1f1dfa95c25d762c22d3cf13d4e0) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys
18:33:47.0846 1960 BHDrvx86 - ok
18:33:47.0987 1960 BITS (02ed7b4dbc2a3232a389106da7515c3d) C:\Windows\system32\qmgr.dll
18:33:48.0002 1960 BITS - ok
18:33:48.0049 1960 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
18:33:48.0065 1960 blbdrive - ok
18:33:48.0096 1960 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
18:33:48.0096 1960 bowser - ok
18:33:48.0127 1960 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
18:33:48.0127 1960 BrFiltLo - ok
18:33:48.0143 1960 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
18:33:48.0143 1960 BrFiltUp - ok
18:33:48.0174 1960 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
18:33:48.0174 1960 Browser - ok
18:33:48.0205 1960 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
18:33:48.0205 1960 Brserid - ok
18:33:48.0236 1960 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
18:33:48.0283 1960 BrSerWdm - ok
18:33:48.0314 1960 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
18:33:48.0314 1960 BrUsbMdm - ok
18:33:48.0330 1960 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
18:33:48.0330 1960 BrUsbSer - ok
18:33:48.0377 1960 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
18:33:48.0377 1960 BTHMODEM - ok
18:33:48.0455 1960 catchme - ok
18:33:48.0533 1960 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
18:33:48.0533 1960 cdfs - ok
18:33:48.0564 1960 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
18:33:48.0564 1960 cdrom - ok
18:33:48.0642 1960 CertPropSvc (87c2d0377b23e2d8a41093c2f5fb1a5b) C:\Windows\System32\certprop.dll
18:33:48.0642 1960 CertPropSvc - ok
18:33:48.0658 1960 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\DRIVERS\circlass.sys
18:33:48.0658 1960 circlass - ok
18:33:48.0689 1960 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
18:33:48.0689 1960 CLFS - ok
18:33:48.0751 1960 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:33:48.0751 1960 clr_optimization_v2.0.50727_32 - ok
18:33:48.0845 1960 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
18:33:48.0860 1960 CmBatt - ok
18:33:48.0876 1960 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
18:33:48.0876 1960 cmdide - ok
18:33:48.0907 1960 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
18:33:48.0907 1960 Compbatt - ok
18:33:48.0923 1960 COMSysApp - ok
18:33:48.0938 1960 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
18:33:48.0938 1960 crcdisk - ok
18:33:48.0954 1960 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
18:33:48.0970 1960 Crusoe - ok
18:33:49.0001 1960 CryptSvc (6de363f9f99334514c46aec02d3e3678) C:\Windows\system32\cryptsvc.dll
18:33:49.0016 1960 CryptSvc - ok
18:33:49.0048 1960 DcomLaunch (301ae00e12408650baddc04dbc832830) C:\Windows\system32\rpcss.dll
18:33:49.0079 1960 DcomLaunch - ok
18:33:49.0094 1960 DfsC - ok
18:33:49.0204 1960 DFSR (fa3463f25f9cc9c3bcf1e7912feff099) C:\Windows\system32\DFSR.exe
18:33:49.0250 1960 DFSR - ok
18:33:49.0328 1960 Dhcp (43a988a9c10333476cb5fb667cbd629d) C:\Windows\System32\dhcpcsvc.dll
18:33:49.0328 1960 Dhcp - ok
18:33:49.0391 1960 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
18:33:49.0391 1960 disk - ok
18:33:49.0422 1960 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
18:33:49.0422 1960 DKbFltr - ok
18:33:49.0469 1960 Dnscache (4805d9a6d281c7a7defd9094dec6af7d) C:\Windows\System32\dnsrslvr.dll
18:33:49.0469 1960 Dnscache - ok
18:33:49.0484 1960 dot3svc (5af620a08c614e24206b79e8153cf1a8) C:\Windows\System32\dot3svc.dll
18:33:49.0500 1960 dot3svc - ok
18:33:49.0562 1960 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
18:33:49.0562 1960 Dot4 - ok
18:33:49.0594 1960 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
18:33:49.0640 1960 Dot4Print - ok
18:33:49.0687 1960 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
18:33:49.0687 1960 dot4usb - ok
18:33:49.0718 1960 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
18:33:49.0718 1960 DPS - ok
18:33:49.0750 1960 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
18:33:49.0750 1960 drmkaud - ok
18:33:49.0796 1960 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
18:33:49.0812 1960 DXGKrnl - ok
18:33:49.0859 1960 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
18:33:49.0859 1960 E1G60 - ok
18:33:49.0906 1960 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
18:33:49.0906 1960 EapHost - ok
18:33:49.0952 1960 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
18:33:49.0952 1960 Ecache - ok
18:33:49.0984 1960 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
18:33:49.0999 1960 ehRecvr - ok
18:33:49.0999 1960 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
18:33:49.0999 1960 ehstart - ok
18:33:50.0062 1960 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
18:33:50.0077 1960 elxstor - ok
18:33:50.0140 1960 EMDMgmt (70b1a86df0c8ead17d2bc332edae2c7c) C:\Windows\system32\emdmgmt.dll
18:33:50.0140 1960 EMDMgmt - ok
18:33:50.0171 1960 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
18:33:50.0171 1960 ErrDev - ok
18:33:50.0202 1960 EventSystem (3cb3343d720168b575133a0a20dc2465) C:\Windows\system32\es.dll
18:33:50.0202 1960 EventSystem - ok
18:33:50.0296 1960 EvtEng (54b6e150bff4a47eb0d204119d262e46) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
18:33:50.0327 1960 EvtEng - ok
18:33:50.0420 1960 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
18:33:50.0436 1960 exfat - ok
18:33:50.0452 1960 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
18:33:50.0467 1960 fastfat - ok
18:33:50.0498 1960 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
18:33:50.0498 1960 fdc - ok
18:33:50.0530 1960 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
18:33:50.0530 1960 fdPHost - ok
18:33:50.0545 1960 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
18:33:50.0545 1960 FDResPub - ok
18:33:50.0592 1960 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
18:33:50.0608 1960 FileInfo - ok
18:33:50.0639 1960 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
18:33:50.0639 1960 Filetrace - ok
18:33:50.0654 1960 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
18:33:50.0654 1960 flpydisk - ok
18:34:04.0960 1960 vga - ok
18:34:04.0975 1960 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
18:34:04.0975 1960 VgaSave - ok
18:34:05.0006 1960 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
18:34:05.0006 1960 viaagp - ok
18:34:05.0038 1960 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
18:34:05.0038 1960 ViaC7 - ok
18:34:05.0069 1960 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
18:34:05.0069 1960 viaide - ok
18:34:05.0084 1960 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
18:34:05.0084 1960 volmgr - ok
18:34:05.0131 1960 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
18:34:05.0131 1960 volmgrx - ok
18:34:05.0162 1960 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
18:34:05.0178 1960 volsnap - ok
18:34:05.0225 1960 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
18:34:05.0225 1960 vsmraid - ok
18:34:05.0287 1960 VSS (d5fb73d19c46ade183f968e13f186b23) C:\Windows\system32\vssvc.exe
18:34:05.0287 1960 VSS - ok
18:34:05.0318 1960 W32Time (1cf9206966a8458cda9a8b20df8ab7d3) C:\Windows\system32\w32time.dll
18:34:05.0334 1960 W32Time - ok
18:34:05.0396 1960 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:34:05.0396 1960 WacomPen - ok
18:34:05.0412 1960 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:34:05.0428 1960 Wanarp - ok
18:34:05.0428 1960 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:34:05.0428 1960 Wanarpv6 - ok
18:34:05.0474 1960 wcncsvc (f3a5c2e1a6533192b070d06ecf6be796) C:\Windows\System32\wcncsvc.dll
18:34:05.0474 1960 wcncsvc - ok
18:34:05.0506 1960 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
18:34:05.0506 1960 WcsPlugInService - ok
18:34:05.0521 1960 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
18:34:05.0521 1960 Wd - ok
18:34:05.0568 1960 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
18:34:05.0584 1960 Wdf01000 - ok
18:34:05.0615 1960 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
18:34:05.0615 1960 WdiServiceHost - ok
18:34:05.0630 1960 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
18:34:05.0630 1960 WdiSystemHost - ok
18:34:05.0662 1960 WebClient (cf9a5f41789b642db967021de06a2713) C:\Windows\System32\webclnt.dll
18:34:05.0662 1960 WebClient - ok
18:34:05.0693 1960 Wecsvc (905214925a88311fce52f66153de7610) C:\Windows\system32\wecsvc.dll
18:34:05.0693 1960 Wecsvc - ok
18:34:05.0724 1960 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
18:34:05.0724 1960 wercplsupport - ok
18:34:05.0771 1960 WerSvc (fd1965aaa112c6818a30ab02742d0461) C:\Windows\System32\WerSvc.dll
18:34:05.0771 1960 WerSvc - ok
18:34:05.0864 1960 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
18:34:05.0864 1960 winachsf - ok
18:34:05.0896 1960 winbondcir (3fa87d56769838aac82fafc3e78fc732) C:\Windows\system32\DRIVERS\winbondcir.sys
18:34:05.0896 1960 winbondcir - ok
18:34:05.0958 1960 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
18:34:05.0974 1960 WinDefend - ok
18:34:05.0974 1960 WinHttpAutoProxySvc - ok
18:34:06.0067 1960 Winmgmt (00b79a7c984678f24cf052e5beb3a2f5) C:\Windows\system32\wbem\WMIsvc.dll
18:34:06.0067 1960 Winmgmt - ok
18:34:06.0114 1960 WinRM (20fc93fdc916843cfdfcaa7a1b0db16f) C:\Windows\system32\WsmSvc.dll
18:34:06.0145 1960 WinRM - ok
18:34:06.0192 1960 Wlansvc (275f4346e569df56cfb95243bd6f6ff0) C:\Windows\System32\wlansvc.dll
18:34:06.0208 1960 Wlansvc - ok
18:34:06.0254 1960 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:34:06.0254 1960 WmiAcpi - ok
18:34:06.0332 1960 wmiApSrv (aba4cf9f856d9a3a25f4ddd7690a6e9d) C:\Windows\system32\wbem\WmiApSrv.exe
18:34:06.0332 1960 wmiApSrv - ok
18:34:06.0364 1960 WPCSvc (5d94cd167751294962ba238d82dd1bb8) C:\Windows\System32\wpcsvc.dll
18:34:06.0379 1960 WPCSvc - ok
18:34:06.0395 1960 WPDBusEnum (396d406292b0cd26e3504ffe82784702) C:\Windows\system32\wpdbusenum.dll
18:34:06.0395 1960 WPDBusEnum - ok
18:34:06.0473 1960 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
18:34:06.0473 1960 WpdUsb - ok
18:34:06.0504 1960 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
18:34:06.0504 1960 ws2ifsl - ok
18:34:06.0566 1960 wscsvc (683dd16b590372f2c9661d277f35e49c) C:\Windows\system32\wscsvc.dll
18:34:06.0566 1960 wscsvc - ok
18:34:06.0644 1960 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
18:34:06.0707 1960 wuauserv - ok
18:34:06.0754 1960 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:34:06.0754 1960 WUDFRd - ok
18:34:06.0816 1960 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
18:34:06.0816 1960 wudfsvc - ok
18:34:06.0832 1960 MBR (0x1B8) (bb9d3a6a13c5010348da7c900bb6af50) \Device\Harddisk0\DR0
18:34:07.0456 1960 \Device\Harddisk0\DR0 - ok
18:34:07.0502 1960 Boot (0x1200) (8fbbf0340ebe099d7c9c5c94bc92210e) \Device\Harddisk0\DR0\Partition0
18:34:07.0518 1960 \Device\Harddisk0\DR0\Partition0 - ok
18:34:07.0549 1960 Boot (0x1200) (c702b0abb9a191d1b7bce59dd48a51f5) \Device\Harddisk0\DR0\Partition1
18:34:07.0549 1960 \Device\Harddisk0\DR0\Partition1 - ok
18:34:07.0549 1960 ============================================================
18:34:07.0549 1960 Scan finished
18:34:07.0549 1960 ============================================================
18:34:07.0565 3872 Detected object count: 0
18:34:07.0565 3872 Actual detected object count: 0

#7 Miss__Brittany

  • Topic Starter

Posted 27 March 2012 - 11:38 PM

MBAM scan results:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.26.03

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Brittany and Aki :: BRITTANYANDA-PC [administrator]

Protection: Enabled

27/03/2012 6:43:30 PM
mbam-log-2012-03-27 (18-43-30).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 313141
Time elapsed: 1 hour(s), 1 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 Miss__Brittany

  • Topic Starter

Posted 28 March 2012 - 01:09 AM

I forgot to mention that I also had items disappear from the recently used programs & programs menu - in the start menu. This seems to be a common side-effect with this infection.

Besides that, everything is the same from when I last posted.

Thanks!

#9 Miss__Brittany

  • Topic Starter

Posted 29 March 2012 - 08:37 AM

It turns out, I'm also not able to do any Windows Updates on the computer.

#10 ratman

  • Malware Response Team

Posted 29 March 2012 - 06:07 PM

Hello Miss__Brittany,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

I'd like to see the contents of the log from your original ComboFix run if it made one:

It should be found as C:\qoobox\ComboFix2.txt

====================================================================================

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • aswMBR Log
  • ComboFix2.txt
How is your machine running now?

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#11 Miss__Brittany

  • Topic Starter

Posted 30 March 2012 - 01:39 AM

Hi there,

Thanks for the help! :)

I've noticed another strange symptom of this infection. I am not able to use some sites where you need to fill out forms or checkmark boxes. As soon as I complete the page and click "submit" it refreshes and says that I am missing information. I then go to my other computer and do the exact same process and it works. So it is not an issue with the webpage(s); rather, something is not being processed with my internet.

Besides that, it's pretty much the same as when I first posted. I'm trying to use my other computer mostly, because I go to a lot of sites that are linked to banking & personal information. I only use this computer for browsing, movies, etc. for the moment.


COMBOFIX2.TXT LOG:

ComboFix 12-03-27.03 - Brittany and Aki 27/03/2012 16:20:58.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3000.1693 [GMT -4:00]
Running from: c:\users\Brittany and Aki\Desktop\brittany.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\temp
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-27 20:29 . 2012-03-27 20:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-27 19:57 . 2012-03-27 20:09 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-27 19:57 . 2012-03-27 20:09 -------- d-----w- c:\program files\Symantec
2012-03-27 19:57 . 2012-03-27 19:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-03-27 19:56 . 2012-03-27 20:08 -------- d-----w- c:\windows\system32\drivers\NAV
2012-03-27 19:56 . 2012-03-27 19:56 -------- d-----w- c:\program files\Norton AntiVirus
2012-03-27 17:27 . 2012-03-27 18:41 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\CrashDumps
2012-03-27 12:51 . 2012-03-27 19:18 -------- d-----w- C:\thedog
2012-03-27 05:30 . 2012-03-27 19:56 -------- d-----w- c:\programdata\Norton
2012-03-27 05:30 . 2012-03-27 20:14 -------- d-----w- c:\program files\NortonInstaller
2012-03-26 05:34 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 03:48 . 2012-03-26 13:17 -------- d-----w- C:\sh4ldr
2012-03-26 03:48 . 2012-03-26 03:48 -------- d-----w- c:\program files\Enigma Software Group
2012-03-26 03:47 . 2012-03-26 13:17 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-26 03:47 . 2012-03-26 03:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 03:30 . 2012-03-25 20:35 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-03-25 20:35 . 2012-03-25 20:35 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-25 20:33 . 2012-03-20 17:41 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Premium
2012-03-25 05:05 . 2012-03-25 05:05 237 ----a-w- C:\user.js
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Roaming\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Babylon
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\Codec-C
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- C:\codec-info
2012-03-25 05:05 . 2012-03-25 05:05 -------- d-----w- c:\programdata\InstallMate
2012-03-20 03:32 . 2012-03-25 05:05 -------- d-----w- c:\users\Brittany and Aki\AppData\Roaming\tor
2012-03-20 03:32 . 2012-03-20 03:32 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Tor
2012-03-20 03:32 . 2012-03-25 05:15 -------- d-----w- c:\program files\Vidalia Bundle
2012-03-20 03:32 . 2012-03-20 03:32 -------- d-----w- c:\users\Brittany and Aki\AppData\Local\Vidalia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 23:17 . 2011-05-13 06:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-11 08:44 . 2008-10-14 20:13 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-01-12 22:21 . 2012-01-12 22:21 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-12-21 07:24 . 2011-08-29 16:30 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB64D6B0-EA0E-4061-B650-14FE9BAD7AD8}]
2012-03-22 19:30 141312 ----a-w- c:\programdata\Codec-C\bhoclass.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-03-25 654056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
2008-05-30 16:24 544768 ----a-w- c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-07-29 21:52 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2008-08-01 14:51 405504 ----a-w- c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-07-20 09:45 182808 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-06-04 12:03 817672 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-10-08 23:31 1934632 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2008-07-03 26752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 00:39]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 00:39]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1525939726-772596016-34224432-1000Core.job
- c:\users\Brittany and Aki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-29 03:16]
.
2012-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1525939726-772596016-34224432-1000UA.job
- c:\users\Brittany and Aki\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-29 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=2&o=vp32&d=1109&m=aspire_6930
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
FF - ProfilePath - c:\users\Brittany and Aki\AppData\Roaming\Mozilla\Firefox\Profiles\7rc89atx.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363&babsrc=HP_ss&mntrId=8ec33ae400000000000000215d797e14
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111363
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.hardId - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15424
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.171:05
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-27 16:29
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1525939726-772596016-34224432-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}*]
"mahhdjnmhmfkefjmaclhphknij"=hex:6f,61,65,6a,69,70,66,64,6f,64,70,6a,67,68,62,
67,6b,66,6e,61,64,70,6b,65,6d,6e,6a,62,64,61,00,00
"abihmnliglnbflkhlndobbnmegiieonjdk"=hex:69,61,6a,67,66,6e,67,6f,6b,6e,6e,6e,
6b,6a,65,6d,67,6a,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2872)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Common Files\Nero\Lib\MediaLibraryNSE.dll
c:\program files\Nero\Nero8\Nero BackItUp\NBShell.dll
c:\program files\Norton AntiVirus\Engine\18.6.0.29\EFACli.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSshellExt.dll
c:\progra~1\DISKIN~1\Uneraser\contmenu.dll
.
Completion time: 2012-03-27 16:32:31
ComboFix-quarantined-files.txt 2012-03-27 20:32
ComboFix2.txt 2012-03-27 19:18
.
Pre-Run: 79,387,037,696 bytes free
Post-Run: 79,846,719,488 bytes free
.
- - End Of File - - 08C11A113F5CF5AF9715753FA067C0CB


ASWMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-30 02:22:59
-----------------------------
02:22:59.001 OS Version: Windows 6.0.6001 Service Pack 1
02:22:59.001 Number of processors: 2 586 0xF0D
02:22:59.001 ComputerName: BRITTANYANDA-PC UserName:
02:23:26.441 Initialize success
02:24:35.573 AVAST engine defs: 12033000
02:24:58.768 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:24:58.783 Disk 0 Vendor: ST932032 0303 Size: 305245MB BusType: 3
02:24:58.814 Disk 0 MBR read successfully
02:24:58.814 Disk 0 MBR scan
02:24:58.814 Disk 0 unknown MBR code
02:24:58.830 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
02:24:58.846 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147501 MB offset 20973568
02:24:58.877 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 143872 MB offset 323055616
02:24:58.939 Disk 0 Partition 4 00 12 Compaq diag NTFS 3630 MB offset 617705472
02:24:58.939 Disk 0 scanning sectors +625139712
02:24:59.017 Disk 0 scanning C:\Windows\system32\drivers
02:25:11.326 Service scanning
02:25:34.243 Modules scanning
02:25:40.282 Disk 0 trace - called modules:
02:25:40.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
02:25:40.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87a579f8]
02:25:40.322 3 CLASSPNP.SYS[8aba6745] -> nt!IofCallDriver -> [0x856ce958]
02:25:40.332 5 acpi.sys[806906a0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x856a1028]
02:25:41.082 AVAST engine scan C:\Windows
02:25:45.387 AVAST engine scan C:\Windows\system32
02:28:46.145 AVAST engine scan C:\Windows\system32\drivers
02:29:02.915 AVAST engine scan C:\Users\Brittany and Aki
02:35:06.817 AVAST engine scan C:\ProgramData
02:37:05.204 Scan finished successfully
02:37:12.835 Disk 0 MBR has been saved successfully to "C:\Users\Brittany and Aki\Desktop\MBR.dat"
02:37:12.835 The log file has been saved successfully to "C:\Users\Brittany and Aki\Desktop\aswMBR.txt"


Thanks ratman!

Edited by Miss__Brittany, 30 March 2012 - 01:40 AM.
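The ComboFix2.txt above is the kind of log a malware-removal helper reads by eye: the "Reg Loading Points" section (a BHO loading from c:\programdata\Codec-C, EnableLUA set to 0, Security Center monitoring disabled) and the Firefox pref lines (homepage pointed at a Babylon search page, a manual SOCKS proxy). As an added example that is not part of this thread and is not code from ComboFix or the forum helper, the Python below walks a log excerpt of that shape and raises the same first-pass indicators. The sample lines are constructed from entries in the posted log; the rule names, the suspect-directory list and the homepage allowlist are this example's own assumptions, deliberately noisy so that they direct a reviewer's attention rather than declare anything malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines modelled on the ComboFix2.txt posted in this
# thread (Reg Loading Points and Firefox pref entries). Not a real log file.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB64D6B0-EA0E-4061-B650-14FE9BAD7AD8}]
2012-03-22 19:30 141312 ----a-w- c:\programdata\Codec-C\bhoclass.dll
.
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Line shapes seen in the ComboFix "Reg Loading Points" / FF sections.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                       # [HKEY_...\...]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')    # "Name"=value
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')                   # leading "c:\..." in a value
FF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (?P<pref>\S+) - (?P<value>.*)$")

# Assumption for this example: an autostart module living under ProgramData, a user
# profile or a temp directory is unusual enough to deserve a look. Tune per environment.
SUSPECT_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\temp\\")
# Assumption: anything other than these counts as a changed homepage.
HOMEPAGE_ALLOWLIST = ("about:home", "about:blank")


def _in_suspect_dir(path: str) -> bool:
    return any(d in path for d in SUSPECT_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Apply the rules above to one log excerpt and return what they raise."""
    findings: List[Finding] = []
    proxy: Dict[str, str] = {}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:                                  # remember which key the next lines belong to
            current_key = m.group("key").lower()
            continue
        m = FILE_RE.match(line)
        if m:                                  # module path listed under a loading point
            path = m.group("path").lower()
            if _in_suspect_dir(path):
                findings.append(Finding("autostart_from_suspect_dir", f"{current_key} -> {path}"))
            continue
        m = VALUE_RE.match(line)
        if m:                                  # registry value under the current key
            name, value = m.group("name"), m.group("value")
            if "policies\\system" in current_key and name == "EnableLUA" and value.startswith("0"):
                findings.append(Finding("uac_disabled", f"{name}={value}"))
            elif "security center\\monitoring" in current_key and name == "DisableMonitoring" and value.endswith("1"):
                findings.append(Finding("security_center_monitoring_disabled", current_key))
            else:                              # Run-style "Name"="path" entries
                q = QUOTED_PATH_RE.match(value)
                if q and _in_suspect_dir(q.group("path").lower()):
                    findings.append(Finding("autostart_from_suspect_dir", f"{current_key} -> {q.group('path').lower()}"))
            continue
        m = FF_RE.match(line)
        if m:                                  # Firefox prefs.js / user.js entries
            pref, value = m.group("pref"), m.group("value").strip()
            if pref == "browser.startup.homepage" and value not in HOMEPAGE_ALLOWLIST:
                findings.append(Finding("firefox_homepage_changed", value))
            elif pref.startswith("network.proxy."):
                proxy[pref] = value
    if proxy.get("network.proxy.type") == "1":  # type 1 = manual proxy configuration
        socks = f"{proxy.get('network.proxy.socks', '?')}:{proxy.get('network.proxy.socks_port', '?')}"
        findings.append(Finding("firefox_manual_proxy", f"socks={socks}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.detail}")
```

Read the output against what the thread already says: the SOCKS proxy at 127.0.0.1:9050 matches the Tor/Vidalia install the poster mentioned, so that finding is expected on this machine and is worth confirming rather than removing, whereas the Codec-C BHO under ProgramData, the disabled UAC and the Babylon homepage are the entries that line up with the symptoms described.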


#12 ratman

  • Malware Response Team

Posted 30 March 2012 - 04:57 AM

Hello Miss__Brittany,

Do you have the ComboFix log from the first time it ran that you can send me?

I'm also waiting for your aswMBR log.

regards, ratman


#13 Miss__Brittany

  • Topic Starter

Posted 30 March 2012 - 02:33 PM

Hi,

I did post the aswmbr log...

ASWMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-30 02:22:59
-----------------------------
02:22:59.001 OS Version: Windows 6.0.6001 Service Pack 1
02:22:59.001 Number of processors: 2 586 0xF0D
02:22:59.001 ComputerName: BRITTANYANDA-PC UserName:
02:23:26.441 Initialize success
02:24:35.573 AVAST engine defs: 12033000
02:24:58.768 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
02:24:58.783 Disk 0 Vendor: ST932032 0303 Size: 305245MB BusType: 3
02:24:58.814 Disk 0 MBR read successfully
02:24:58.814 Disk 0 MBR scan
02:24:58.814 Disk 0 unknown MBR code
02:24:58.830 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
02:24:58.846 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147501 MB offset 20973568
02:24:58.877 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 143872 MB offset 323055616
02:24:58.939 Disk 0 Partition 4 00 12 Compaq diag NTFS 3630 MB offset 617705472
02:24:58.939 Disk 0 scanning sectors +625139712
02:24:59.017 Disk 0 scanning C:\Windows\system32\drivers
02:25:11.326 Service scanning
02:25:34.243 Modules scanning
02:25:40.282 Disk 0 trace - called modules:
02:25:40.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
02:25:40.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87a579f8]
02:25:40.322 3 CLASSPNP.SYS[8aba6745] -> nt!IofCallDriver -> [0x856ce958]
02:25:40.332 5 acpi.sys[806906a0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x856a1028]
02:25:41.082 AVAST engine scan C:\Windows
02:25:45.387 AVAST engine scan C:\Windows\system32
02:28:46.145 AVAST engine scan C:\Windows\system32\drivers
02:29:02.915 AVAST engine scan C:\Users\Brittany and Aki
02:35:06.817 AVAST engine scan C:\ProgramData
02:37:05.204 Scan finished successfully
02:37:12.835 Disk 0 MBR has been saved successfully to "C:\Users\Brittany and Aki\Desktop\MBR.dat"
02:37:12.835 The log file has been saved successfully to "C:\Users\Brittany and Aki\Desktop\aswMBR.txt"

#14 Miss__Brittany

  • Topic Starter

Posted 30 March 2012 - 10:57 PM

I'm sorry, but there is no ComboFix log from the first time. I don't know why; I didn't delete it...

I have a file that is called combofix-quarantined-files.txt - I don't know if this can help?

2012-03-27 19:16:47 . 2012-03-27 19:16:47 970 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RoxWatchTray.reg.dat
2012-03-27 19:16:47 . 2012-03-27 19:16:47 830 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-PLFSetI.reg.dat
2012-03-27 19:16:46 . 2012-03-27 19:16:46 950 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Messenger (Yahoo!).reg.dat
2012-03-27 19:16:46 . 2012-03-27 19:16:46 954 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ISUSPM.reg.dat
2012-03-27 19:16:46 . 2012-03-27 19:16:46 1,024 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BlackBerryAutoUpdate.reg.dat
2012-03-27 19:16:46 . 2012-03-27 19:16:46 934 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BkupTray.reg.dat
2012-03-27 19:16:45 . 2012-03-27 19:16:45 998 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Acrobat Speed Launcher.reg.dat
2012-03-27 19:16:45 . 2012-03-27 19:16:45 966 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Acrobat Assistant 8.reg.dat
2012-03-27 19:16:35 . 2012-03-27 19:16:35 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}.reg.dat
2012-03-27 19:16:34 . 2012-03-27 19:16:35 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D}.reg.dat
2012-03-27 19:16:34 . 2012-03-27 19:16:34 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527}.reg.dat
2012-03-27 19:16:34 . 2012-03-27 19:16:34 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2012-03-27 19:16:31 . 2012-03-27 19:16:32 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}.reg.dat
2012-03-27 19:08:15 . 2012-03-27 20:26:09 4,570 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-03-26 05:48:38 . 2012-03-27 20:20:58 328 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-10 02:03:21 . 2012-01-10 03:45:11 282 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\keywords.vir
2012-01-10 02:02:17 . 2012-01-10 02:02:17 223,744 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\kwrd.dll.vir
2012-01-10 02:02:15 . 2012-01-10 03:27:04 862 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\bckfg.tmp.vir
2012-01-10 02:02:10 . 2012-01-10 02:06:18 176 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\cfg.ini.vir
2012-01-10 02:02:10 . 2012-01-10 02:02:10 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\@.vir
2012-01-10 02:02:10 . 2012-01-10 02:02:10 75,264 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\L\qnbwvoto.vir
2012-01-10 02:02:10 . 2012-01-10 02:02:10 4,608 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\Desktop.ini.vir
2012-01-10 02:02:04 . 2012-01-10 02:02:04 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\3141864562.vir
2012-01-09 07:52:45 . 2012-01-10 02:02:14 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\00000001.@.vir
2012-01-05 11:32:16 . 2012-01-10 02:02:14 11,264 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\80000000.@.vir
2012-01-05 11:19:31 . 2012-01-10 02:02:15 77,312 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\80000032.@.vir
2011-12-02 12:07:49 . 2012-01-10 02:02:17 224,768 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\00000002.@.vir
2011-11-29 13:10:08 . 2012-01-10 02:02:14 12,800 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\80000004.@.vir
2011-11-02 17:48:14 . 2012-01-10 02:02:14 1,024 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\00000004.@.vir

Thanks for the help, and please let me know what you'd like me to do next :)

Brittany
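An added example, not part of the thread: a small Python parser for the ComboFix quarantine-log format shown in the post above. It runs over a constructed sample modelled on those lines and buckets each entry, flagging the fake hotfix-uninstall folder layout (`$NtUninstallKB<n>$\<digits>\` with an `@` file and `U\`/`L\` subfolders) that ZeroAccess uses to hide its payload. The bucket names are my own.

```python
import re
from collections import Counter

# Constructed sample in ComboFix's quarantine-log format (created . modified size attrs path),
# modelled on the log posted above; not the original file.
SAMPLE_LOG = [
    r"2012-03-27 19:16:47 . 2012-03-27 19:16:47 970 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RoxWatchTray.reg.dat",
    r"2012-03-26 05:48:38 . 2012-03-27 20:20:58 328 ----a-w- C:\Qoobox\Quarantine\catchme.log",
    r"2012-01-10 02:02:17 . 2012-01-10 02:02:17 223,744 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\kwrd.dll.vir",
    r"2012-01-10 02:02:10 . 2012-01-10 02:02:10 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\@.vir",
    r"2012-01-09 07:52:45 . 2012-01-10 02:02:14 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB55849$\2729867423\U\00000001.@.vir",
]

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# ZeroAccess stores its components under a fake hotfix-uninstall folder
# $NtUninstallKB<n>$\<digits>\ containing an "@" file plus U\ and L\ subfolders.
ZA_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\", re.IGNORECASE)
ZA_FILE_RE = re.compile(r"(\\[UL]\\|\\@\.vir$|\.@\.vir$|\\kwrd\.dll\.vir$)", re.IGNORECASE)


def classify(path: str) -> str:
    """Bucket a quarantined path by what ComboFix backed up or removed (bucket names are mine)."""
    if "\\Registry_backups\\" in path:
        return "registry_backup"          # .reg.dat backups of removed startup/BHO entries
    if ZA_DIR_RE.search(path) and ZA_FILE_RE.search(path):
        return "zeroaccess_payload"       # files from the fake KB-uninstall folder layout
    if path.lower().endswith(".vir"):
        return "quarantined_file"         # other quarantined files (.vir suffix)
    return "tool_log"                     # e.g. catchme.log left by the scan itself


def parse_line(line: str):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))   # "223,744" -> 223744
    rec["kind"] = classify(rec["path"])
    return rec


def summarize(lines):
    """Count entries per bucket; a non-zero zeroaccess_payload count is the triage signal."""
    return Counter(r["kind"] for r in map(parse_line, lines) if r)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(f'{rec["kind"]:20} {rec["size"]:>8}  {rec["path"]}')
    print(dict(summarize(SAMPLE_LOG)))
```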

#15 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:02:17 AM

Posted 31 March 2012 - 08:40 AM

Hello Miss__Brittany ,

Thanks for the Quarantine Log. It shows ComboFix cleared out ZeroAccess on its first run, which is good. Still, a few things need taking care of.

I need you to run a CFScript:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

ClearJavaCache::

KillAll::

File::
C:\user.js

Folder::
c:\users\Brittany and Aki\AppData\Local\Babylon
c:\users\Brittany and Aki\AppData\Roaming\Babylon
c:\programdata\Babylon
c:\programdata\Codec-C
C:\codec-info
c:\programdata\InstallMate

Firefox::
FF - ProfilePath - c:\users\Brittany and Aki\AppData\Roaming\Mozilla\Firefox\Profiles\7rc89atx.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111363&babsrc=HP_ss&mntrId=8ec33ae400000000000000215d797e14
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111363
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.hardId - 8ec33ae400000000000000215d797e14
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15424
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.171:05
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

RegNull::
[HKEY_USERS\S-1-5-21-1525939726-772596016-34224432-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1832BA-89A3-3940-7BF1-7807C19E8712}*]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==============================================================================



In your next reply, please copy/paste the contents of the following:
  • C:\ComboFix.txt
How's your machine running now?

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.
